MarsEdit has featured support for connecting to Tumblr blogs since February 27th, 2009. Since that time, it has always lacked a few features such as support for editing video and audio posts, but with the exception of some particularly flakey periods in Tumblr’s network availability, the feature has been solid, and appreciated by mutual customers of Tumblr and MarsEdit.
Earlier this week Tumblr quietly, and without warning, changed the behavior of the API that MarsEdit and countless other apps rely upon, removing the ability of clients to authenticate with a user’s username and password. In particular, when asking Tumblr to provide a list of posts stored on the server, authentication fails and an error code is returned in lieu of the requested posts. The result for users of MarsEdit is a never-ending string of requests for the username and password, and posts from the blog never appear in the app.
After learning of and researching the issue, I contacted Tumblr’s engineers with a message to the Tumblr API discussion group. I was heartened to receive a reply within minutes, from John Bunting of the Tumblr team, that they were looking into the issue. A few minutes later, it was clear that they understood the cause to be a policy change within Tumblr that was made on purpose.
The policy change is, in short, that user credentials may no longer be provided as part of the URL scheme in requesting assets for the blog. For example, a request to read draft posts on a Tumblr site might look like this:
Instead, the same authentication details should be provided in the body of the POST request. The security improvement here is modest: as the connection to the API is not over HTTPS, the entire content of the POST request could be intercepted as easily as the URL for the request. However, my friend Mike Ash pointed out that there is some rationale for keeping sensitive data out of request URLs, as they are more likely to be logged and kept around longer-term than the content of a request.
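To make the logging point concrete, here is an added example (my own illustration, not MarsEdit or Tumblr code) that builds the same request both ways, shows what a typical access log would record for each, and scrubs sensitive query values before a URL is logged. The host `blog.example`, the credentials, and the `state=draft` parameter are constructed placeholders; only the `/read` path follows the post.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl, quote_plus

# Parameter names whose values must never reach a log (constructed list).
SENSITIVE_KEYS = {"email", "password", "passwd", "token", "secret"}

def request_with_query_auth(endpoint, email, password, **extra):
    """Old style: credentials travel in the URL query string."""
    params = {"email": email, "password": password, **extra}
    return {"method": "POST", "url": f"{endpoint}?{urlencode(params)}", "body": ""}

def request_with_body_auth(endpoint, email, password, **extra):
    """Recommended style: credentials travel in the POST body."""
    params = {"email": email, "password": password, **extra}
    return {"method": "POST", "url": endpoint, "body": urlencode(params)}

def access_log_line(req):
    """What a typical server or proxy access log records: the request target, never the body."""
    parts = urlsplit(req["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'{req["method"]} {target} HTTP/1.1'

def redact_url(url):
    """Defensive log hygiene: blank out sensitive query values before a URL is written to a log."""
    parts = urlsplit(url)
    scrubbed = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
                for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))

def leaked_values(log_line, secrets):
    """Return which secrets appear in a log line, raw or percent-encoded."""
    return [s for s in secrets if s in log_line or quote_plus(s) in log_line]

if __name__ == "__main__":
    ENDPOINT = "http://blog.example/read"            # placeholder host; "/read" path from the post
    EMAIL, PASSWORD = "user@example.com", "hunter2"  # constructed sample credentials
    old = request_with_query_auth(ENDPOINT, EMAIL, PASSWORD, state="draft")
    new = request_with_body_auth(ENDPOINT, EMAIL, PASSWORD, state="draft")
    print(access_log_line(old))          # credentials are visible in the logged target
    print(access_log_line(new))          # only "POST /read HTTP/1.1" is logged
    print(redact_url(old["url"]))        # what a log scrubber should write instead
```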
In the previously linked Tumblr API discussion, Tumblr proposed that clients such as MarsEdit should switch to providing authentication information in the body of the request, but offered that perhaps they could temporarily restore the “old behavior,” for perhaps two weeks, while developers update client apps to meet the new requirement.
First, two weeks is not a lot of time to adapt to a sudden change like this. Anybody who develops for the Mac or iOS App Stores knows that sometimes an app can sit in review for two weeks before it’s even considered for approval. Still, a grace period would be better than leaving all of my Tumblr-blogging customers in the lurch, so I immediately set out to adapt MarsEdit to work with the new requirements.
Here’s the rub: the new requirements don’t work, either. For the API call in question, the “/read” endpoint, none of the arguments, username and password included, are recognized by Tumblr from the body of the POST. As far as I can tell, parameters must be provided in the URL for the request, except Tumblr has now explicitly stopped respecting the username and password arguments.
In short: clients of the V1 Tumblr API are no longer able to read posts with authentication from the service. Since the early, attentive responses in the discussion group two days ago, there has been no further update. MarsEdit, and other clients of this API, are effectively broken until and unless Tumblr restores functionality of the API.
If you’re familiar with the Tumblr API, you may be wondering why I haven’t yet adopted the newer V2 API. It supports OAuth authentication which is certainly more secure than the scheme being used in V1. But when I looked into supporting it, I hit different hangups that would alter the behavior of MarsEdit and prevent me from supporting current features. For example, it appeared impossible to access “private” posts through the V2 version of the API. I wrote them about that, too, a year and a half ago, and never heard a reply.
As a developer who relies upon Tumblr’s API, I have had no shortage of frustrations over the years, whether it be the reliability issues, the absence of certain important API calls, or sudden changes in behavior such as this. I’ll come out and say it: it’s damned frustrating to support Tumblr, and sometimes I wonder if I was a fool to ever try to do it.
If you use MarsEdit for Tumblr, you are undoubtedly frustrated by the recent collapse of support for the service. I’m frustrated, too. I’d like to say it’s all in my hands to fix things, but it isn’t that simple. I can make further concessions, removing features to adopt their V2 API. But doing that will take time, testing, and energy. With Tumblr, more energy than it should. It takes two to tango, and Tumblr doesn’t dance.
Update: A very helpful reader who has experience with the Tumblr API suggested that I should be able to adopt the OAuth authentication of the V2 API while continuing to use the V1 API (for features that aren’t supported on V2). This is a promising lead. It doesn’t diminish my frustration with Tumblr for yanking the rug out from under existing clients like this, but if it works as advertised, it does put the situation squarely back into the domain of “something I can solve on my own.”