I'm using VLine in a custom app with imported users, and am wondering if there's any way to limit the users a specific user is allowed to initiate a call with?
I am assuming you mean the vLine WebClient when you mean custom app with imported users? In that case, there is no way to limit users yet. It will be great if you can file a feature request with exactly what you are looking for at https://vline.uservoice.com/.
If you are using the low-level APIs to build your app, of course you can do anything you want.
Related
I have a script that retrieves a webhook (meaning it has to be deployed as a publicly accessible App), and then uses an API to send a message.
The API requires using a key and secret, which I obviously don't want accessible to the public.
Q1: Is there a way to hide an API key/secret in another script and somehow have it accessible?
(Or any other similar solution - doesn't have to be fancy, just functional/safe).
Alternate Question:
Q2: What can a stranger actually see in my public Apps Script project? The full code? If I hide keys in a functions with an underscore ie. function name_(){}, can they read it?
IMPORTANT INFO: I have not 'shared' the project or spreadsheets with anyone, they're still private. But I've 'deployed' the Web App with permissions for 'anyone'. I assume that means anyone can access?
Everything in the script is visible to whoever has access (script owner, workspace admins, added users). Unless only the url of the webapp is shared and if the script itself is not shared then they are not able to access the script, so technically you can still keep them in your script. It is safe there and only the owner and workspace admins (if it is for Google workspace) can access it.
A way you can store/save the key is by storing it in script properties. Doing this you only need to run the script once to store the API key, moving forward you can remove the API key from the script and it will still run:
https://developers.google.com/apps-script/guides/properties#saving_data
Also refer to this post for more information, in my posted answer I have also provided alternatives and reference links:
Is it safe to put in secrets inside Google App Script code?
My project meet this issue, too. Because the amount of functions is not too much , So i hide my main GAS behind an dummy one .
So far I had 2 GAS
the main GAS with key , and all functions , and I deploy it as Web APP
Of cause u need doGet or doPost to do as entrance of API
The dummy one to share with users.
Then you can call something like below in dummy GAS
var url = 'https://script.google.com/macros/s/xxxxxxxxxxx/exec';
UrlFetchApp.fetch(url,{'method': 'get'});
I hope its useful in your case.
So i want to develop a simple web application, which will basically be a basic form which on submission will allow to make an external api request. So are there any application designers that can allow to do that with minimalistic code. Appian for example has an interface/application designer that lets you drag and drop a UI interface and build a workflow, make api calls externally or to a database. So like that are there any other apps that allow to do something similar (make api calls/build ui easily/store in databse)? Any other suggestions are also welcome!
It heavily depends on the API as well as the kind of task you´re trying to achieve.
Here´s just a few examples and considerations. (All the below supposes that we´re talking about Web-Based APIs).
If the API requires authentication of some sort and the user authenticates himself: A simple HTTP file with JavaScript to send the request will do the job
If the API requires authentication but you authenticate for all the users: You will need a backend application that does the API request since you need something secure where you can put your Auth-Details for the API. Classic PHP or NodeJS in combination with a served HTTP file for the form itself would work without any JavaScript (depends on the API definitions)
If the API does not require authentication maybe a simple HTML form would work
If you want to write to a database you can have a look at something like https://directus.io/. They allow building a database with a UI and they automatically generate a Web-API which you can then feed by your forms. If the end-user is known to you Directus actually allows users to log in and fill the database with forms that you can visually design but this is rather for employees entering data into an internal database than customers submitting their contact data to you
From my personal experience, all the UI-Tools that promise to integrate with REST APIs make it really hard to do so since every API is different and there is no real standard for them.
I'm using Firebase and the SimpleLogin to allow users to login via Google, Twitter etc.
I'd like to use some of the thirdpartyuserdata object to create a user profile for my application which runs on Node.
Currently I'm posting this data to the server so that I can add to it and create the profile object, but I wondered if there's a better way of doing this - is there something I can call server side to get this thirdpartyuserdata without having to post it from the client?
Start by considering that your "server" is actually just another consumer of Firebase data. Since FirebaseSimpleLogin is simply a token generator with some fancy tools for doing OAuth, and because this happens completely client-side, there is nothing to consume about this.
If you want to consume the data at the server, you will either need to POST it, as you have done, or use Firebase to transfer the information. You'll find that a queue approach can save you a large amount of code, as this allows you to use Firebase as the API, and avoid creating RESTful services in Node, and all the baggage that comes with that.
The idea of a queue is simply that you push data into Firebase at one client and read it out (and probably delete it) at the intended recipient (in this case your node worker).
I am developing a website in node.js and I am using Parse.com to handle the user registration and the Facebook users.
To handle the Facebook login with Parse, I have to use the line of code:
Parse.initialize(APP_ID, KEY);
which can be accessed by anybody by just looking at the source code of the website.
So my question is: if somebody has access to this information, can he access the data that I stored in Parse? he would just have to create some simple query, no?
I already initialize on the server side so is there a way to tell the template(jade in my case) that Parse has been initialized by passing some kind of parameters?
Thanks
If you set up ACLs and class permissions correctly in your app, then there should be no concern with handing out your JavaScript key. See this page for more information: https://www.parse.com/questions/javascript-sdk-security
Hey guys is there anyway to circumvent the Twitter rate limit by using a Twitter widget and embedding it in the end users browser? In other words would using Twitter Search widget apart of the user's browser's session (while they are using my app) so that their calls to Twitter are made through their IP address (and not the IP address of my app) - I would do this to avoid getting the IP of my app blacklisted. Is that fine or would that violate Twitter's terms of use?
I would use the Twitter search widget. Would using Twitter stream be a better idea?
Depending on your implementation, you may want to consider the Streaming API for this purpose. It's probably considered more "kosher". You can query for a particular set of phrases and open whats called a firehose, and Twitter will push updates to your application and it's not really bound by rate limits although there is a rate limit system in place here. For my particular use case, this didn't work and I had to do what you described in your question. But if you want to use the Twitter streaming API and are using PHP in conjunction, I would highly recommend looking at the 140 Twitter Server framework at the start. It will make it a lot easier to implement the streaming API at the get go.
This is fine, and this is the solution I'm using. Use jQuery or something similar for the Ajax calls and send the response to the server for processing. The carry will be on each of the IP's that use your application. So, if that user is spamming Twitter with requests - they would get blacklisted, not your application.