From avodonosov at yandex.ru  Mon Aug 15 22:13:29 2011
From: avodonosov at yandex.ru (Anton Vodonosov)
Date: Tue, 16 Aug 2011 02:13:29 +0400
Subject: [cl-openid-devel] cl-openid API changes, preparing to release 1.0.0
Message-ID: <908061313446409@web82.yandex.ru>

Hello.

I finally implemented the API simplifications I wanted since the 
cl-openid Release Candidate we made in the past (it's mostly 
provider API changes).

There is also a security related fix for the ticket #14 - we now 
use secure random numbers, instead of CL:RANDOM function. 
To compile it you will need fresh cl+ssl (available in Quicklisp).

I think it's time for Release 1.0.0.

Below is the list of changes. The adjustments in the user code 
will be quite trivial, but if you need help, you are welcome to ask 
here, in the mailing list.

--------- The changes ---------

Important change:

  Fixed ticket #14 secure random number generation.

API changes:

- The URI returned from INITIATE-AUTHENTICATION is of type string,
  instead of a PURI:URI.
  This saves the user one PRINC-TO-STRING in his code. 

- Provider generic function USER-SETUP-URL is removed from the
  public API. It is a function intended for OpenID 1.1. compatibility. 
  Previously user needed to implement it, but now all the necessary 
  handling is done automatically. (See ticket #14 for the details)
    
- HANDLE-OPENID-PROVIDER-REQUEST always returns the second 
  value, an HTTP code. When the HTTP code is redirect (3xx), the first 
  value URI is returned as a string, instead of a PURI:URI object. This 
  saves user from doing PRINC-TO-STRING for the URI.

- CANCEL-RESPONSE and SUCCESSFUL-RESPONSE are renamed 
  to CANCEL-RESPONSE-URI and SUCCESSFUL-RESPONSE-URI. 
  Both functions return only single value - the URI (no sense to return 
  the HTTP status code as the second value, as this is always recirect). 
  The URI is returned as a string instead of PURI:URI instance (this saves
  the user one PRINC-TO-STRING in his code).

- In result of the above change, you need explicitly provide the second
  return value from the HANDLE-CHECKID-SETUP you implement for 
  you OpenID provider.

- Removed WITH-INDIRECT-ERROR-HANDLER and SIGNAL-INDIRECT-ERROR 
  from the public API.

- Introduced new public function AUTH-REQUEST-REALM with returns 
  the realm of the OpenID authentication request message
  (this function is needed if you implement an OpenID provider).

- The HANDLE-OPENID-PROVIDER-REQUEST keyword parameter SECURE-P 
  is renamed to ALLOW-UNENCRYPTED-ASSOCIATION-P. 

Full list of the tickets closed:

#14 secure random number generation
#16 unit test error: make-auth-proc
#17 signal an error if discovery discovers nothing
#18 LiveJournal error reponse with HTTP status 200
#19 some polishment of the provider API
#20 user_setup_url automatic generation
#21 INITIATE-AUTHENTICATION: return the URI as a string
#22 adjust the exampels to hunchentoot 1.1.

Best regards,
- Anton