I am developing a crypto portfolio app with Ionic 5 at the moment and I came across following problem:
I created an API with express.js, which communicates with the APIs of coingecko and binance via the npm packages coingecko-api & node-binance-api.
One of the main functionalities of the app is to see recent trades and the profit of those, so you have to connect to your binance account. At the moment the API Code & Secret is stored directly in the api, but I want that the users enters these on the initial start of the app - but now the big question is: Where do I safely store the key and the secret? I do not want to take any risks.
Do I send them once to the API and store them in a database with a userid?
Do I send them to the api every time I want to reload the trades and only store them on the specific device?
Or is there a way I can check the permissions of the api details and if this api key is allowed to place orders and if not, the app accepts it otherwise not (that would be the best way, but i don't know how to check it)
Also I came up with the idea that the app communicates directly with the api of Binance, without my api as a 'middleman' but I don't think that's the way to go.
Thanks in advance for the help :)
Related
I want to build a project where a user will be able to press on a button to authorize my platform to access their data (e.g shopify data). When my platform has access (to their shopify platform) it will send that data to my database.
My questions is:
In order for my rest api to access the data (from e.g shopify platform) i have to give the rest api the api key of the user which is simple if it a single account, but when i have multiple users using the same rest api how should i handle it? How can i give the rest api the access code so it can pull the data (from e.g their shopify platform) for each user? What is the name of the technology that needs to be considered here?
I am a built lost on the terminology of my question which has given me a bit of a headache when trying to google it.
First off, you create an App that Shopify approves, and then your merchant customers would install this App in their store. That approval process by both Shopify and the merchant means you are given permission to access their Shopify data.
Next, you create some value by allowing the merchant to see their data in ways unique to what it is you are doing. So far, your database contains nothing but the name of the store and the access token with permission to access the Shopify API.
How you then proceed in your own App is up to you. Not much else to it really, if you already know what your value add is. Code that part up and you're done!
Throughout my career, I've relied on and used various API services in my project. I saw multiple mechanisms of how these APIs are secured, but most common one seems to be via API Keys.
I am now planning to build out my own API service and being unfamiliar with security part of this I had few questions:
So far, what I gathered is to do the following: Create API key, store it's hash in db, only show api key to user 1 time, check for api key in requests and rate-limit based on it.
But above raises one concern, if someone was to inspect customer website they could easily get this api key (if customer is calling api directly from their front end) and abuse it, correct? This can be done in form of constantly hitting rate-limits or sending bad data to customers dashboard.
I feel like I am missing few key parts here and would appreciate if someone could outline best practices of how this is done nowadays in NodeJS. Thank you.
EDIT: Users of such service would be developers utalizing this API in their product
I'm working on a website that is supposed to offer users to make use of azures cognitive services api. They can play audio or use their microphone to transform speech into text.
I'm currently using azures js sdk and technically it's working fine. However, I noticed a big shortcoming with this approach. The sdk connects through a websocket with the azure server, which exposes the subscription key to the client. So every member could theoretically read it out and sell it or alike.
Furthermore, if the client connects directly with azure, I have no secure way of preventing clients abusing the service. I need a way to measure roughly how much time a customer uses the service to take into account individual billing.
I could not find anything about that in the official documentation. So what are my options?
Should I redirect the clients' audio input to my own server, do some quantitative analysis, and then forward the input from a server side connection to azure? I fear with many concurrent customers, it might get laggy or connections might get dropped...
Is there any way to attach at least client ids or alike to azure websocket connection that I can read out somehow later?
Do you have any advice for me?
Given your additional comment, I would suggest that you switch your implementation from using subscription key to using authentication tokens.
That would:
generate a unique token for each client, based on 1 global subscription key
not expose your subscription key to your clients
restrict the use of the API, as the token is only valid for 10 minutes
Each access token is valid for 10 minutes. You can get a new token at any time, however, to minimize network traffic and latency, we recommend using the same token for nine minutes.
See documentation here for global implementation. In a nutshell, you need to implement this token generation in your backend, and serve the page to your client with this token instead of the key.
Side note 1: be careful about the maximum number of concurrent requests (100 - see here).
Note 2: that will not help you bill clients given their usage as you have just 1 key and there is no way to identify distinct usages in it
I have an application that uses Google Cloud IAP to authenticate users. IAP requires the user to authenticate using their Google account, and then headers are passed to the application afterwards that identify that user (user id, user email, and a token).
I would like to get the user's Google account photo after authentication using the People API (would use the Plus api, but it is being shut down).
NodeJS code examples would help a ton, but either a high level guide or examples in other languages would also be very helpful. Thanks in advance!
For anyone that may come across this, here is the solution I found.
You will need to enable the People API in your GCP console. Then create an API key for it.
Get the 'x-goog-authenticated-user-id' header and strip the 'accounts.google.com:' portion of it to just leave the id.
Pass that id and your api key to a GET request, like so:
https://content-people.googleapis.com/v1/people/${userId}?personFields=photos&key=${apiKey}
Hope this helps someone else, too!
So here is what i am trying to do :
I built a bot with api.ai for my business that is hosted on my webpage and my Facebook page right now. Bot works well.
I want to push it to the next step by allowing my customers to make querys on my calendar, ask to book a specific time, see if available, if not offer other time similar, then make a booking.
I have been reading this thread and the great answer attached to it but i think my case is a bit different.
I was wondering if the bot could always have a token so every guests won't have to Auth to query the calendar ?
Obviously i am new to this, i have been reading the guide of google calendar api and api.ai but i don't really see how to do that yet. I guess there is a way to store a token somewhere and then just trigger the query with some specific intents but not to sure how.
I have also done the node.js quickstart guide of the G-calendar api, and it works fine if that helps.
Thanks for your help !
You will probably want to use a Service Account that is permitted to the calendar in question. Service Accounts are similar to regular accounts, but they are expected to do server-to-server communication only, so the method to create an auth token is a little different to keep it secure.
See https://developers.google.com/identity/protocols/OAuth2ServiceAccount for more information about using Service Accounts.
In general, you'll be using a shared secret to create and sign a JSON Web Token (JWT) you send to Google's servers. You'll get back an access token which you'll then use to call the Calendar API. The access token expires in about an hour, at which point you'll need to repeat the process.
There are libraries available to do much of this for you. For example, if you're using the node.js library https://github.com/google/google-api-nodejs-client, then it will take care of this for you (although you need to modify the key file - see the documentation for details).