Now Viewing: Error 403?

KJaguar - Group: Member - Total Posts: 2
Posted on: 10/31/15 03:13PM

I made an IRC bot that had a Gelbooru command that would fetch and post the link to a random image of specified tags. Is that fair usage of the API? I will admit that it wasn't the most optimized, making 2 GET every time (the first to check the number of pages and the second to select a random image from a random page). I've adjusted it to cache the result of the first check since then.

Now I get, "Our API is being abused at the moment and is disabled to anonymous users," so does that mean there is a way to authenticate? I'm not too well versed in network authentication but I couldn't find anything about authenticating to Gelbooru.



Friederich - Group: Member - Total Posts: 13
Posted on: 10/31/15 04:27PM

You can authenticate users and use the API just fine. Check the last few posts on Page 6.



KJaguar - Group: Member - Total Posts: 2
Posted on: 10/31/15 07:46PM

I'm not very familiar with network protocols or how to authenticate. I'm using Python and I thought you just added the login and password (as well as the referer) to the request, but it still doesn't work. I thought it was because the API was still disabled, but I guess not.



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 10/31/15 08:25PM

The username and password hash must be sent as cookies in the header.

They cannot be sent as part of the GET or in a POST. You also cannot send the raw password; only the hashed version will be accepted.



Mr.Randum - Group: Member - Total Posts: 3
Posted on: 11/01/15 12:40PM

I'm using this in Python 2.7 to authenticate using a POST request; it also stores the cookie and sends it automatically when making a request:

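import urllib, urllib2

username = 'YOUR USERNAME GOES HERE'
pwd = 'PASSWORD GOES HERE'

# Cookie-aware opener: keeps the cookies set at login and resends them on later requests
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
opener.addheaders = [('Referer', 'gelbooru.com')]
urllib2.install_opener(opener)

# urlencode() does the form encoding itself, so the space becomes '+' here
params = urllib.urlencode([('user', username), ('pass', pwd), ('submit', 'Log in')])

# POST the login form; the cookies in the response are stored by the opener
req = urllib2.Request(r'gelbooru.com/index.php?pa...s=login&code=00')
urllib2.urlopen(req, params)
# Requests made after login carry the stored cookies
req = urllib2.Request('gelbooru.com/index.php?page=account&s=home')
urllib2.urlopen(req)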



FalkenaugeMihawk - Group: Member - Total Posts: 5
Posted on: 11/01/15 04:03PM

Jerl said:
As for why you aren't seeing it in the docs, that's because it isn't done by Gelbooru code, but rather the web server itself, in this case nginx. This is a standard setting for web servers, so each webmaster is capable of turning it on or off as they please. The other sites running the Gelbooru software that you've seen haven't made the decision to turn it on.

Just to correct you - This isn't a standard setting for webservers. You can tell the webserver to react differently on sent referers, like only allow certain referers or blocking blank. But you have to write your own (simple) code into the vHost config (or .htaccess if one uses Apache).



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 11/01/15 04:59PM

I dunno, I think vHost configuration is a pretty standard part of HTTP servers nowadays. Unless you're using one that's intentionally extremely lite, it'd be strange not to see that.



Friederich - Group: Member - Total Posts: 13
Posted on: 11/01/15 06:19PM

What hash algorithm should we use for the password?



Jerl - Group: The Real Administrator - Total Posts: 6706
Posted on: 11/01/15 08:21PM

Do not hash the password yourself. Log in to the site and use the hash from the cookie it gives you. You can either do this by looking at the cookies in your web browser when logged in to the site normally (not recommended), or by logging in with your program itself and getting the cookies from the response header.



Friederich - Group: Member - Total Posts: 13
Posted on: 11/16/15 07:29PM

Alright, I think I have the authentication flow mostly figured out.

The only problem I have now is actually logging in to get the cookie with the password hash. Should I present my user a web view wrapping Gelbooru and then grab the cookie from the response header from there, or can it be done with the API? I was looking at the documentation and there doesn't seem to be any authentication APIs.

EDIT: Also inspecting the cookie it looks like we don't have an actual username but rather a user_id. I'm assuming this (along with the password hash) is what we will have to pass instead of an actual username.
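
Added example, not part of the thread and not Gelbooru's code: the flow described above (log in from the program, take the cookies from the response header, send them back in the Cookie header) run in Python 3 against a constructed local stub server. The paths /login and /api, the cookie name pass_hash, the cookie values and the demo account are assumptions; only user_id comes from the posts above.

```python
import http.cookiejar, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed values: the name pass_hash, both cookie values and the demo login are assumptions.
COOKIES = ("user_id=42; Path=/", "pass_hash=0123abcd; Path=/")

class StubSite(BaseHTTPRequestHandler):
    """Local stand-in for the site: POST logs in and sets cookies, GET is the API."""
    def log_message(self, *args): pass  # keep the demo quiet
    def _reply(self, status, body, cookies=()):
        self.send_response(status)
        for cookie in cookies:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        ok = form.get("user") == ["demo"] and form.get("pass") == ["hunter2"]
        self._reply(200 if ok else 403, b"logged in" if ok else b"bad login", COOKIES if ok else ())
    def do_GET(self):
        # Credentials count only when they arrive in the Cookie header, never in the query string.
        sent = self.headers.get("Cookie", "")
        ok = "user_id=42" in sent and "pass_hash=0123abcd" in sent
        self._reply(200 if ok else 403, b"<posts/>" if ok else b"API disabled to anonymous users")

def status(opener, url):
    try:
        with opener.open(url) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    direct = urllib.request.ProxyHandler({})  # never route the loopback demo through a proxy
    jar = http.cookiejar.CookieJar()
    authed = urllib.request.build_opener(direct, urllib.request.HTTPCookieProcessor(jar))
    anon = urllib.request.build_opener(direct)
    results = {"anonymous": status(anon, base + "/api"),
               "in_query": status(anon, base + "/api?user_id=42&pass_hash=0123abcd")}
    login = urllib.parse.urlencode({"user": "demo", "pass": "hunter2"}).encode()
    authed.open(base + "/login", login).close()  # Set-Cookie headers land in the jar
    results["cookie_names"] = sorted(c.name for c in jar)
    results["with_cookies"] = status(authed, base + "/api")
    server.shutdown()
    return results
if __name__ == "__main__": print(demo())
```

The program never computes the hash itself: it only replays what the server issued, and the stored cookie values should be treated like a password on disk.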


