I have a Organization API which has more function than customers API (I am using platform from a provider), customers want to have POST method /api/createOrder, however, this API is only available in Organization API. I don't know what I should look for, redirect API or forwarding API? Scenario: I want users to call POST API for example: middleAPI/api/createOrder (users will input data, ex: name of order, productID) and it sends data to POST organizationAPI/api/createOrder.
Can anyone give me an answer and step-by-step instructions (JS or Python is the best, I am not good at Java or .ASP)? (I am new). Thanks lots guys.
I have tried to look for redirect or forwarding API but don't know what is suitable.
Related
Im trying to find the structure of the request url that i can send an http post/get requests to but can't seem to find it anywhere?
Can someone help please, I'm new with using AC?
Many thanks!
In ActiveCollab Cloud accounts, if you would like to query a list of projects, you would GET a /projects resource, and it's available at:
https://app.activecollab.com/#ACCOUNT-ID#/api/v1/projects
#ACCOUNT-ID# is ID of your Cloud account.
Good day everyone. I am stumped at the moment and would appreciate some guidance. I feel like I am a great googler to usually find my answers or resources but for the life of me I can't seem to find any good learning material on JSON requests and responses.
So I took a course that builds a 3 part app. Web app with Django, and 2 mobile apps that make API calls to it. The instructor uses Facebook authentication from the mobile apps and I am trying to set up the apps for username and login and a registration page as well.
I have django models setup and and can make users from the web app but I can't seem to wrap my head around how to make JSON calls from app to Django. When I search for possible terms like authenticate django I get results that talk about only django usage.
Does anyone have some tips or links to resources that would help me understand the login process better. I realize that almost every app has a login which is why I'm surprised that I can't find any good learning material on how its done. Or I'm just searching for wrong keywords.
Any help would be great thanks.
It's really a general question, But i give you a brief on how mobile and django server should interact with each other:
First of all, in your situation I really suggest to use django rest framework, Because of it's rich modules and functionallity like serializers, routers and ...
read more about it from origin documentation here.
For authentication system, You should use a token based system (or session). I suggest use one of django suggested token based solutions for that. In my case i really suggest to use django-restframework-jwt library
(JSON Web Token Authentication support for Django REST Framework).
so whenever you want to send a request to mobile you should provide that token (based on token authentication backend you choose) in your headers of request.
And for login and register you should create APIViews that takes user input, then register or authenticated it with backend and then gives user the generated token for future requests.
And for social auth system like facebook, the main concept is to redirect user from app to facebook oauth links, which if the user authenticate in his facebook will redirect you redirect url of your backend server, then you should capture that request in callback, fetch data and create or get the user and generate the token for that user and return it. so that for furture requests, by sending token to server, server will know that which user is sending this request and handle response properly for that.
And if you want to create a login with mobile, then you need to setup APIs for login, register with django rest which is really easy and you can learn from it here.
Since we can get a user's email address from the Gmail Add-on API, I'm wondering if we need to authenticate users with OAuth before they interact with our external service or whether we can rely on a stored secret to ensure that requests made with the user's email address are actually coming from a user using the Gmail add-on.
Since app scripts run on Google's servers and aren't modifiable by the user, we could just HMAC the request bodies in the requests to our external API with a secret stored in the Code.gs file. This would (maybe?) ensure that it this endpoint was actually being hit by Google and that the person making the request was the owner of the given email address.
For this approach to work though the secret in the code would actually need to stay secret, otherwise anyone could just hit that endpoint with any email address and post data on behalf of other users. So does this approach actually work, or is there another similar solution that might be feasible?
Otherwise we can just implement OAuth, but if there is a simpler approach that's secure then that would be preferable.
Let's say your external API just need an API key(a secret) to authorize users. You can definitely store it using Properties Service .
But the tricky part is that different user might have different API keys. To solve it , we could ask the user to enter the API key in the UI (can't be masked, though).
This is a very simple approach.
However, I would recommend using OAuth , as it is a more cleaner way.
Im trying to validate if the contacts that I have imported to the outlook contacts is been important, I was thinking to use and API call to get an JSON file to see if the contacts have been imported correctly or not.
I am fairly new to using API calls and Im not sure how to use Microsofts outlook APIs to achieve my goal.
any snippet code in Java, C#, Node.js would help
Im also not sure how I can get the auth key
Thanks in advance
First you need to decide what kind of authentication approach you need to use, and then you need to register your application. This article can help you decide: https://developer.microsoft.com/en-us/graph/docs/authorization/auth_overview.
Once you have acquired a token, use the Contacts REST API to work with contacts data. There are examples here:
https://msdn.microsoft.com/office/office365/APi/contacts-rest-operations
You can also use the Graph Explorer to test out various API calls and see the results in JSON: https://developer.microsoft.com/en-us/graph/graph-explorer
How can we prevent a public API to reveal master API keys/credentials and secret tokens?
I am currently working on a webapp with some public API which should use API keys and secret tokens and were looking for a way to create a very secure API and took some look at some of the APIs of the biggest platforms, for example SoundCloud.
I read some guides (like https://github.com/interagent/http-api-design) about good (restful) API design, but they give not much information about the security (API keys and tokens) and how they should be retrieved or created in public APIs.
Take a look at https://a-v2.sndcdn.com/assets/sc-q9dV-e79e4b4a.js and search for b45b1aa10f1ac2941910a7f0d10f8e28
This is the master API key of SoundCloud.
Some of their URLs look like this:
https://api.soundcloud.com/tracks/id/stream?client_id=client_id
https://api.soundcloud.com/tracks/id/stream?secret_token=secret_token&client_id=client_id
https://api.soundcloud.com/playlists/playlist_id/?secret_token=secret_token&client_id=client_id
I know that many tools out there are already using this key for fetching/downloading all the songs from a SoundCloud user.
Also all their private and secret widgets reveal the secret tokens, also in the requests and in the sourcecode. They are hardcoded in the JavaScript code of the embed codes.
The problem consists for some years and the developers seem to have no experience with secure APIs
http://tunelab.com/2011/08/04/this-is-the-problem-with-soundcloud/
How can such APIs using JavaScript and JSON prevent to reveal these tokens and credentials?
My thoughts about this:
the master API key should be only accessible through/from soundcloud.com
there should be some sort of domain/IP blocking/restriction//firewall for all API keys
use OAUTH for all API keys, not just a simple JSON API with no authentication
dynamically generate one-time (secret) tokens, do not reuse the same token all the time dynamically get the API keys and tokens from the SoundCloud server instead of putting them into the embed codes and requests use some sort of steganography
When I read that SoundCloud is the biggest music community and big music labels upload their songs from new or upcoming albums (even as private songs and post them with a widget on websites, the secret tokens are also revealed) it seems, that the team behind SoundCloud does not want to protect their users against piracy/stealing of songs and is not willing to create a secure API.
What do you think about this critical situation on soundcloud.com and how could a JavaScript/JSON API be much more secure/secured the right way without revealing any critical data like tokens and API keys? For example using AJAX and retrieving the API key and token after the website is loaded?
How do Spotify and other streaming platforms protect the data which they are streaming and get the token and API key? Is storing these information in a URL or request URL secure at all?
How can I securely send the API key and secret token to my users over the wire using JavaScript, HTML, AJAX and PHP?
how do I deliver the API keys and secret tokens securely over the wire to the users?
There is only one reliable way: use HTTPs for your web site to allow the users to retrieve the key.
Then during the API calls HTTPS is no longer required. Your users can use HMAC authentication to hash the key with a shared secret.