Tags: java, security, google-app-engine, google-wave

How to authenticate a Google Wave gadget viewer on App Engine?


Imagine I want to create a "Rock-paper-scissors" game for Google Wave. I am thinking of implementing it as a Wave Gadget.

The idea is simple: all participants send their decisions to my cloud app (an App Engine Java application); my server side collects this data and does not share it with anybody until all participants have completed their selection. After this the selections are shared with all participants and the winner is determined.

I can use wave.getViewer().getId() to identify the user on the server during gadgets.io.makeRequest. It works perfectly. But how can I, on the server side, make sure that the incoming request is really from this specific Wave user? (How can I prove that the wave's participant id has not been hacked on the client side? Is any Wave container signature available that allows determining the wave participant id?)

What are the best practices for Google Wave participant authentication on my App Engine side? Please provide examples if possible.

My actual gadget is more complicated but the problem is as described above.


Solution

  • I would code against an imagined future solution that is baked directly into the Wave protocol or API and hope that nobody spoofs participant IDs. You could also contact the Wave team to make your need for the feature known and see if anyone else is looking for the same.

    It looks like there is some OpenAuth integration already built-in for robots: http://wave-robot-java-client.googlecode.com/svn/trunk/doc/index.html

    Would you be able to implement a robot instead of a gadget? Or maybe use a robot for auth and have the gadget interface with your own auth tokens server-side?
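One way to build the design the answer sketches (the robot does the authentication, the gadget carries a server-issued token), added here as an example; it is not code from the question, the answer, or the Wave client libraries. It assumes a hypothetical ParticipantTokenService on the App Engine side: the robot, which sees the real participant list through its own authenticated channel, calls issue() for each participant and delivers the token to that participant's gadget instance; the delivery path is assumed, not shown, and it must reach only that participant (shared gadget state is visible to every participant in the wave, so it is not a suitable channel). The gadget then sends the token with every gadgets.io.makeRequest call, and the server derives the participant id from the verified token instead of trusting the id the client posts.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the original post). Issues and verifies tokens of the
 * form base64url(waveId|participantId|expiryMillis) "." base64url(HMAC-SHA256).
 * The HMAC key exists only on the server; the gadget never sees it.
 */
public final class ParticipantTokenService {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    public ParticipantTokenService(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Called only from the robot side, which knows the real participant list. */
    public String issue(String waveId, String participantId, long expiryMillis) {
        if (waveId.indexOf('|') >= 0 || participantId.indexOf('|') >= 0) {
            throw new IllegalArgumentException("'|' is the field separator and may not appear in ids");
        }
        byte[] payload = (waveId + "|" + participantId + "|" + expiryMillis)
                .getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }

    /**
     * Returns the participant id bound to the token, or null if the token is
     * malformed, has a bad MAC, belongs to another wave, or has expired.
     * The request handler uses this value and ignores any client-supplied id.
     */
    public String verify(String token, String expectedWaveId, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        byte[] payload, sig;
        try {
            payload = DEC.decode(token.substring(0, dot));
            sig = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so a forger learns nothing from timing.
        if (!MessageDigest.isEqual(mac(payload), sig)) return null;
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || !f[0].equals(expectedWaveId)) return null;
        long expiry;
        try {
            expiry = Long.parseLong(f[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) return null;
        return f[1];
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo values; a real deployment generates the secret randomly.
        byte[] secret = "constructed-demo-secret-replace-me".getBytes(StandardCharsets.UTF_8);
        ParticipantTokenService svc = new ParticipantTokenService(secret);
        String wave = "googlewave.com!w+abc123";          // constructed wave id
        long now = 1_700_000_000_000L;
        String alice = svc.issue(wave, "alice@googlewave.com", now + 3_600_000L);
        String bob = svc.issue(wave, "bob@googlewave.com", now + 3_600_000L);

        System.out.println("alice token  -> " + svc.verify(alice, wave, now));
        // Client-side tampering: bob's payload glued to alice's MAC.
        String forged = bob.substring(0, bob.indexOf('.')) + alice.substring(alice.indexOf('.'));
        System.out.println("forged token -> " + svc.verify(forged, wave, now));
        // Replay in a different wave, and use after expiry.
        System.out.println("other wave   -> " + svc.verify(alice, "googlewave.com!w+other", now));
        System.out.println("expired      -> " + svc.verify(alice, wave, now + 7_200_000L));
    }
}
```

The token is a bearer credential: whoever holds it can submit decisions as that participant, so the gadget must send it only over HTTPS, and the expiry keeps a leaked token from being useful for long. Binding the wave id into the payload stops a token issued for one game from being replayed in another.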