Use Case Diagram - customer registration by manager - uml

The system I want to model is an application called GetKnowSoft. The example is simple: there is a customer, a manager, and a register customer use case. Who registers the customer in the application is the manager.
I connect the manager to the client. The question is: Do I also tie the customer to the use case, even though the customer has no active role?

If the customer doesn’t directly interact with the app, it should not be an actor.
If the customer would have some interactions (e.g. enters name and address that is validated by the manager, or receives a confirmation email from the app) then it should be an actor.

Can I create a quickbooks invoice on behalf of another user, in their account?

I am following Intuit's OAuth authentication guide in order to log users in through QuickBooks and get access/refresh tokens in order to make API calls. We make API calls in Node through the node-quickbooks SDK.
I can successfully log users in through QuickBooks and exchange codes I receive for access and refresh tokens, and I can even make API calls to create invoices successfully.
The problem is, even when I use the tokens of the user I've authenticated to make API calls, the invoice is created in our QuickBooks company instead of theirs.
Is it possible to create invoices in the QuickBooks account of the other user? If not, what's the point of getting access and refresh tokens for them in the first place? For what it's worth, this is all being done in the QuickBooks developer sandbox (but with two separate accounts).
I'm quite confused as to what the methodology is supposed to be here, and any guidance would be very much appreciated -- or even just a reassurance that this is possible.
Thank you!
The QuickBooks instance that's acted on is determined by the Realm ID parameter. The Realm ID is captured when a QuickBooks Online account is selected during the authorization flow.
If we could call your QuickBooks company "Company A" and the one you're trying to create invoices in "Company B", I'd say it sounds like Company A's Realm ID is being logged and passed in subsequent requests instead of Company B's. This could be caused by things like hard-coding Company A's Realm ID and using that for the create invoices requests, selecting the wrong account during the authorization process, or something trickier like a bug in the SDK you're using.
I'd start by getting Company A and B's Company ID, which is what Intuit calls the Realm ID when you access it from the UI. You can do that while logged into a sandbox or production account by pressing Ctrl + Alt + ? in Windows or Control + Option + ? in macOS. Then you can verify the correct Realm ID is being used in the create invoice requests.
If the requests are using the value captured during authentication (as they should be), then you can, in the SDK code, log the Realm ID that's being captured during authorization and verify it's the right one for the company you selected during the OAuth flow.
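The check described in this answer, as an added example that is not part of the original post or of the node-quickbooks SDK: the Realm ID from the authorization callback is stored with the tokens issued for it, and a create-invoice request is refused if any other Realm ID is supplied. Function names, the token-exchange stub and all sample values are hypothetical and constructed.

```javascript
// Added example. Function and variable names are hypothetical; the token
// exchange is passed in as a stub so the block runs offline.
const API_BASE = 'https://sandbox-quickbooks.api.intuit.com';
const connections = new Map(); // appUserId -> { realmId, accessToken, refreshToken }

// Handle the redirect back from the authorization flow. The realmId query
// parameter identifies the company the user selected, so store it with
// the tokens obtained for that same authorization.
function handleCallback(appUserId, callbackUrl, expectedState, exchangeCode) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  const realmId = params.get('realmId');
  if (!realmId) throw new Error('callback carried no realmId');
  const tokens = exchangeCode(params.get('code'));
  connections.set(appUserId, { realmId, ...tokens });
  return realmId;
}

// Build the create-invoice request from the stored connection only.
// A realmId supplied from anywhere else must match the one bound to the
// tokens, which catches a hard-coded "Company A" value.
function invoiceRequest(appUserId, invoice, realmIdFromCaller) {
  const conn = connections.get(appUserId);
  if (!conn) throw new Error('user has not connected a company');
  if (realmIdFromCaller !== undefined && realmIdFromCaller !== conn.realmId) {
    throw new Error(`realm ${realmIdFromCaller} is not the realm these tokens were issued for`);
  }
  return {
    method: 'POST',
    url: `${API_BASE}/v3/company/${conn.realmId}/invoice`,
    headers: { Authorization: `Bearer ${conn.accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(invoice),
  };
}

// Constructed sample values, not real identifiers or tokens.
const COMPANY_A = '1111111111';
const COMPANY_B = '2222222222';
const SAMPLE_CALLBACK =
  `https://app.example/callback?code=constructed-code&state=s-123&realmId=${COMPANY_B}`;
const stubExchange = (code) => ({ accessToken: `at-for-${code}`, refreshToken: 'rt-constructed' });
```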

How to use the platform's details instead of the connected account for Stripe connect

I want to create a platform which will provide a digital service where the customers and connected accounts will be from around the world. Clearly Stripe Connect is the Stripe product to use.
Because many of the connected accounts will be overseas this straight away rules out the use of transfers - unless I explored setting up separate platform accounts in the different overseas countries. (https://stripe.com/docs/connect/capabilities-overview#cross-border-transfers)
So I am left with destination charges where I choose the connected account as the settlement merchant via the on_behalf_of parameter. This means the charge goes against the connected account but I can still make money by charging an application fee.
As the connected account will be invisible to the end customer on the platform it seems inappropriate for the connected account's details to show on the customer's bank / credit card statement. Instead I want the platform's details to show.
Stripe support have assured me it is possible to have only the platform's details. Indeed this part of the API suggests I can control the statement descriptor which shows - https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-payment_intent_data-statement_descriptor
But another article - https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-payment_intent_data-statement_descriptor - seems to almost contradict this. It explains
"Any additional information that’s displayed on a customer’s statement is also provided by the same account that provides the static component (business address, phone number)."
Can anybody clarify? Many thanks in advance.
Update
This article appears to settle the matter - https://stripe.com/docs/payments/connected-accounts
Guess I will just have to inform users on my website with a connected account that their details will show on the bank statement.

How to have one setup with Stripe on a peer-to-peer marketplace?

I've built a peer to peer ecommerce website and while it works, I'm getting some feedback from users (which at this point are just a few of my friends) that the Stripe interactions are a little confusing.
I think this is more to do with how I've set up my site than Stripe itself.
Here is the current setup:
All users must add their debit/credit card when completing their profile. I'm using a simple card input, the one that comes from <script src="https://js.stripe.com/v3/"></script>.
Any users who want to sell their items must also create a Stripe Connect account (I'm using Connect Express). This is the one where they are taken to Stripe.com and redirected to my site upon adding their bank account info. This onboarding process is only initiated when a user tries to upload an item to sell.
To complete a transaction, I'm using:
    charge = stripe.Charge.create(
        amount=amount_to_owner + 200,
        currency="usd",
        customer=stripe_customer_id,
        application_fee_amount=200,
        transfer_data={
            "destination": owner_connect_acct,
        }
    )
So, I'm charging the user with the customer id, and paying the other user to their connect account.
The fact that there are two separate actions - one where the user simply adds their card info, and the other where they go through Connect, might be confusing to some people.
Is there a way I can do this all in one? I'm open to anything and don't mind changing up things. Thank you in advance for any guidance.

How to securely setExternalUserId() in OneSignal?

I'm setting up OneSignal on my website.
As far as I can see, there are 2 ways I can associate a push subscription with my user ID:
1. I can call OneSignal.getUserId(), which returns a UUID, and make an authenticated call to my web server to associate this UUID with my logged in user on my server.
2. I can call setExternalUserId() to send the logged in user ID and associate it with the subscription on OneSignal servers.
The first option is perfectly secure, as one could only hijack my client-side code to send an invalid subscription ID (or another valid subscription ID they have created), which is not a big deal.
The second option though, feels totally insecure: anyone could hijack the client-side code to send any valid user ID and associate it with their subscription, and therefore receive notifications on behalf of another user.
Is there a way to securely use setExternalUserId() while preventing a user from associating their subscription with another user?
The only secure scenario I can think of is if my users had UUIDs as well, instead of sequential IDs, and these UUIDs were kept secret (i.e. never exposed publicly on the website).
Any other scenario I can think of sounds plain insecure.
Did I miss something?
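One way to keep a sequential user ID from being swapped on the client, as an added example that is not part of the original post: the server derives an HMAC tag from the logged-in session's user ID and hands both to the page, so an ID changed in the browser no longer matches its tag. It assumes OneSignal's identity-verification option, in which setExternalUserId takes this hash as a second argument and the key is the app's REST API key; confirm the exact call against the SDK version in use. The key value and function names are hypothetical.

```javascript
// Added example, server side (Node). Names are hypothetical.
const crypto = require('node:crypto');

// Assumption: the HMAC key is the app's REST API key and never leaves the
// server. The value below is a constructed placeholder.
const REST_API_KEY = 'constructed-placeholder-key';

// HMAC-SHA256 over the user ID, hex encoded.
function authHashFor(externalUserId, key = REST_API_KEY) {
  return crypto.createHmac('sha256', key).update(String(externalUserId)).digest('hex');
}

// Called from an authenticated route. The ID comes from the server-side
// session, never from a request parameter the browser controls.
function identityForSession(session) {
  if (!session || session.userId == null) throw new Error('not logged in');
  const externalUserId = String(session.userId);
  return { externalUserId, authHash: authHashFor(externalUserId) };
}

// What the verifying side does with a claimed ID and the presented hash:
// recompute the tag and compare in constant time.
function isValidClaim(claimedUserId, presentedHash, key = REST_API_KEY) {
  const expected = Buffer.from(authHashFor(claimedUserId, key), 'hex');
  const given = Buffer.from(String(presentedHash), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```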

Bulk update of aggregates based on state change of an aggregate

I'm working on an event sourced application following DDD and CQRS principles, which allows the posting of ads to sell goods.
There's one specific invariant that I'm trying to model which would seem to involve a bulk update of ARs, and I don't really know how to go about it.
The invariant is as such:
- A Member can post an ad
- A Member could be banned by an Admin
- If a Member is banned, his ads must be suspended

For the purposes of the discussion, an Ad needs to have a status, as a Member can buy an item by clicking on an ad, so it's important to know if an ad is active.
I have designed my aggregate roots as such:
- Member
- Ad
- Order
A Member can be a buyer or a seller, depending on the context, so I decorate the member object as needed.
When ads are published, they are of course inserted in a read model.
Now, when a Member is banned, there's an event associated that the Member AR triggers.
MemberWasBanned (MemberId)
My question is how do I go about finding every Ad that the member owns, and suspend them?
While I could rely on the member status for a buy transaction, it's important that the Ad tracks its status as there are other similar operations that could trigger the sending of an email for instance to the member indicating that his ads were suspended for such or such reason.
So my best approach after a lot of thinking is to create a long running process, in which I create a handler for MemberWasBanned, then go look for his active ads in the read model, and issue commands to suspend them one by one.
Am I missing something? I thought of using a process manager, but read that you shouldn't access the read side from a PM. In any case a PM in most cases determines the command sent to ONE AR.
Am I missing something?
If you have a messaging mechanism, maybe you can "explode" the MemberWasBanned event.
Publish the MemberWasBanned (or equivalent) event through your messaging pipeline, and subscribe to it from the context that handles ads. When this event is received in your messaging mechanism, you can explode it into multiple DisableAd events that will also be sent through your messaging system, each of them targeting one current ad of the banned member.
Each of these events, then, will only write on a single Aggregate (each ad, disabling it) when they're processed by the messaging mechanism.
Concurrently, the banned user will prevent further ads from being inserted, so you will be safe on that end as well.
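The fan-out described in this answer, as an added example that is not part of the original post: one MemberWasBanned event is expanded into one message per ad, and each message changes a single Ad aggregate. All names (SuspendAd, AdWasSuspended, the in-memory maps) are hypothetical and the data is constructed; suspension is idempotent so a redelivered ban event produces no second round of changes.

```javascript
// Added example. In-memory stand-ins for the write side and the read model.

// Write side: one aggregate per ad; each command touches exactly one of them.
class Ad {
  constructor(id, ownerId) {
    this.id = id;
    this.ownerId = ownerId;
    this.status = 'active';
  }
  suspend(reason) {
    if (this.status === 'suspended') return []; // idempotent under redelivery
    this.status = 'suspended';
    return [{ type: 'AdWasSuspended', adId: this.id, reason }];
  }
}

// Constructed sample data.
const ads = new Map([
  ['ad-1', new Ad('ad-1', 'member-7')],
  ['ad-2', new Ad('ad-2', 'member-7')],
  ['ad-3', new Ad('ad-3', 'member-9')],
]);

// Read model: a projection of active ads per member, used only for lookup.
const activeAdsByMember = new Map([
  ['member-7', ['ad-1', 'ad-2']],
  ['member-9', ['ad-3']],
]);

// Subscriber in the ads context: expand one ban into one command per ad.
function explodeMemberWasBanned(event) {
  const adIds = activeAdsByMember.get(event.memberId) || [];
  return adIds.map((adId) => ({
    type: 'SuspendAd', adId, reason: 'owner banned', causedBy: event.id,
  }));
}

// Command handler: loads one aggregate, applies one change.
function handleSuspendAd(cmd) {
  const ad = ads.get(cmd.adId);
  return ad ? ad.suspend(cmd.reason) : [];
}

// Stand-in for the messaging pipeline: deliver each command in turn.
function processBan(event) {
  return explodeMemberWasBanned(event).flatMap((cmd) => handleSuspendAd(cmd));
}
```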
