This is a basic exploration of the Ello API. Completely unofficial, your mileage may vary, don't smash their servers as they are likely very busy.
Methods return HTML for their representation where appropriate, which is a nice little pattern. Everything returns application/json.
Like this:
```
{
  "id": <new post ID>,
  "content": <encoded HTML for display>
}
```
The API is session and cookie based. Grab the '_ello_session' cookie in an active Ello browser session.
Internally the Noise and Friends bits seem to be called "streams" but I can't see how to obtain them.
GET https://ello.co/api/v1/posts/post_id.json
Failure 404 Not found, obviously.
## Simple
POST https://ello.co/api/v1/posts.json
With a multipart/form-data input. One field must be "unsanitized_body", which should look like this:
```json
[
  {
    "kind": "text",
    "data": "test"
  }
]
```
Links are sent as HTML, and Markdown is sent as Markdown.
## Image
Ello automatically uploads images to S3 for display, chucking them to ello-direct-uploads.s3.amazonaws.com - after it knows the image is done, it sends the following.
```json
[
  {
    "kind": "image",
    "data": {
      "url": "some url",
      "via": "direct",
      "alt": "filename.png - though it probably can be a proper alt"
    }
  }
]
```
Success 200. Failure 422 - Unprocessable Entity.
Clearly one can add more than one post to this array.
PUT https://ello.co/api/v1/posts/[ID of post].json
Success 200. Failure 404 - Not found.
Same format as posting a post above.
DELETE https://ello.co/api/v1/posts/[ID of post]
Success 204. Failure 404 - Not found.
GET /api/v1/followerships
POST https://ello.co/api/v1/comments
Same format as posts, but with the addition of parent_post_id as an additional form field.
PUT https://ello.co/api/v1/comments/
Same format as posts.
GET https://ello.co/api/v1/comments?parent_post_id=parent_id_of_the_post
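The post and comment requests described above, assembled as an added example (not code from Ello or from the original gist). It builds the request without sending it, so the multipart body and the `_ello_session` cookie, the only credential these notes mention, can be inspected; the helper names, the `Accept` header and the restriction to the two block kinds listed here are assumptions.

```python
import json
import uuid
import urllib.request

API = "https://ello.co/api/v1"  # base URL as listed in these notes

def text_block(text):
    return {"kind": "text", "data": text}

def image_block(url, alt):
    # "via": "direct" is the value shown for images already uploaded to S3.
    return {"kind": "image", "data": {"url": url, "via": "direct", "alt": alt}}

def encode_multipart(fields, boundary):
    """Encode plain text fields as a multipart/form-data body."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "", value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode("utf-8")

def build_request(session_cookie, blocks, parent_post_id=None):
    """Build (but do not send) a POST creating a post, or a comment
    when parent_post_id is given."""
    for block in blocks:
        # Assumption: only the two kinds documented in these notes are accepted.
        if block.get("kind") not in ("text", "image"):
            raise ValueError(f"unknown block kind: {block.get('kind')!r}")
    fields = {"unsanitized_body": json.dumps(blocks)}
    url = f"{API}/posts.json"
    if parent_post_id is not None:
        fields["parent_post_id"] = str(parent_post_id)
        url = f"{API}/comments"
    boundary = uuid.uuid4().hex
    req = urllib.request.Request(url, data=encode_multipart(fields, boundary),
                                 method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Cookie", f"_ello_session={session_cookie}")
    req.add_header("Accept", "application/json")  # assumed, not from the notes
    return req

if __name__ == "__main__":
    # Constructed sample values; the cookie is a placeholder, not a real session.
    req = build_request("PLACEHOLDER_SESSION", [text_block("test")], parent_post_id=123)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Because the cookie value alone identifies the session, keep it out of shell history, logs and shared scripts.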
@cacheflowe I don't think there is anything wrong with posting this here. The code is already public (we all got it from digging through the site), so if someone has it in them to do something harmful, they probably already know how to retrieve this information just as we have.
That being said, I think if anything the existence of this gist helps you out as a developer of Ello. If you tighten things up on your end to help prevent any future harmful attacks through the use of this information, it has done ya good to come across it. To me, having someone post their findings publicly is better than having them hide it all and devise some evil plan. This way you know some of your code's vulnerabilities, and can proceed how you want with a fix. GitHub is meant for social coding. Think of this as social beta testing by other developers.
Good luck, it's exciting to watch Ello grow.