I've been working on a NodeJs web application that uses APi's and a number of differently branded Front-end's for different sellers. Sellers can list their product by visiting appropriate Front-End. However I've hit a problem where there is no logic preventing sellers accessing other seller accounts.
There are several API's that interact with the product, so an idea was to filter all API's against the seller ID to prevent the wrong seller accessing the wrong product. i.e When Seller A lists a product, an sellerID is recorded against product. So if Seller B tries to access the UpdateProducts API against Seller A product, their Login ID will not match the saved sellerID and it will be denied. I think this will work but checking access against products sounds taxing. Are there any better way to do this ?
Before accessing any data from database every request should be checked if it has token authorization. If token is valid, it is possible to get userId from token and search any data for the given userId.
P.S. This approach I'm using in REST API
Related
I want to build a project where a user will be able to press on a button to authorize my platform to access their data (e.g shopify data). When my platform has access (to their shopify platform) it will send that data to my database.
My questions is:
In order for my rest api to access the data (from e.g shopify platform) i have to give the rest api the api key of the user which is simple if it a single account, but when i have multiple users using the same rest api how should i handle it? How can i give the rest api the access code so it can pull the data (from e.g their shopify platform) for each user? What is the name of the technology that needs to be considered here?
I am a built lost on the terminology of my question which has given me a bit of a headache when trying to google it.
First off, you create an App that Shopify approves, and then your merchant customers would install this App in their store. That approval process by both Shopify and the merchant means you are given permission to access their Shopify data.
Next, you create some value by allowing the merchant to see their data in ways unique to what it is you are doing. So far, your database contains nothing but the name of the store and the access token with permission to access the Shopify API.
How you then proceed in your own App is up to you. Not much else to it really, if you already know what your value add is. Code that part up and you're done!
I am following Intuit's oAuth authentication guide in order to log users in through Quickbooks and get access/refresh tokens in order to make API calls. We make API calls in node through the node-quickbooks SDK.
I can successfully log users in through Quickbooks and exchange codes I receive for access and refresh tokens, and I can even make API calls to create invoices successfully.
The problem is, even when I use the tokens of the user I've authenticated to make API calls, the invoice is created in our Quickbooks company instead of theirs.
Is it possible to create invoices in the Quickbooks account of the other user? If not, what's the point of getting access and refresh tokens for them in the first place? For what it's worth, this is all being done in the Quickbooks developer sandbox (but with two separate accounts).
I'm quite confused as to what the methodology is supposed to be here, and any guidance would be very much appreciated -- or even just a reassurance that this is possible.
Thank you!
The QuickBooks instance that's acted on is determined by the Realm ID parameter. The Realm ID is captured when a QuickBooks Online account is selected during the authorization flow.
If we could call your Quickbooks company "Company A" and the one you're trying to create invoices in "Company B", I'd say it sounds like Company A's Realm ID is being logged and passed in subsequent requests instead of Company B's. This could be caused by things by hard-coding Company A's Realm ID and using that for the create invoices requests, selecting the wrong account during the authorization process, or something trickier like a bug in the SDK you're using.
I'd start by getting Company A and B's Company ID, which is what Intuit calls the Realm ID when you access it from the UI. You can do that while logged into a sandbox or production account by pressing Ctrl + Alt + ? in Windows or Control + Option + ? in macOS. Then you can verify the correct Realm ID is being used in the create invoice requests.
If the requests are using the value captured during authentication (as they should be), then you can —in the SDK code— log the Realm ID that's being captured during authorization and verify it's the right one for the company you selected during the OAuth flow.
How to get Binance User ID using API. I just created a bot and I need unique value to create a bot activation so a user can use my bot only for that account.
That is why I need a User ID by Binance API. How can I get a User ID or get any other unique value like a User ID by API.
Binance does not share any unique ID of each user, most likely for privacy reasons.
You can partially bypass this limitation by querying balances of each API key. If there are two API keys with the same set of balances, chances are it's the same user. Mind that this solution is not easily scalable. With thousands of users you'll have to run thousands of requests to get their balances. And probably cache these results, so that you don't run into rate limits (number of API requests from your server IP), which introduces another inaccuracies.
Like Amazon Seller Central's business report, I would like to acquire sessions and report dates for each product through API.
I've checked Amazon MWS and SP-API, but I can't find a way, so I'm asking you for help.
you can make a chrome extension to get sessions and page view data. i did the same as there is no way with in MWS and SP API to get this information.
You can now get session and page view by product by getting the GET_SALES_AND_TRAFFIC_REPORT report.
You first have to add Brand Analytics role to your application.
Then the seller must authorize your app after you had add this role.
https://developer-docs.amazon.com/sp-api/docs/report-type-values#brand-analytics-reports
https://medium.com/#nassuf/how-to-get-page-views-and-sessions-using-amazon-sp-api-287cc73b727b
I am building an app utilizing the MERN stack (MongoDB, Express.js, React/Redux, Node.js) where there will be three user account types: Client, Company, Admin.
Client account can search and partner with Company accounts where they can submit orders.
Company account will be a paid subscription (via Stripe) where they can complete orders submitted by client accounts.
Admin will be an interface to view all users, orders, etc..
I am trying to determine the best approach for create multiple user account types in Mongo. I assume there will need to be two different registration forms. I'd like a single login form that will determine if an account is client or company and display relevant information based on their role.
Looking for input on the best/most scalable approach for this.