I have just an idea for now to develop an application based on foursquare API.
I checked in the website that a creation of an application inside the foursquare is needed to access the api functions.
There some form fields in the application creation that cannot be filled by me as I don't have an application yet, like web address home page, privacy police page, etc.
I want to perform some tests for a certain time and then choose if I'll proceed with the application development or not.
For now I just need access for the venue stats function. Do you know if it's possible to have access to this function without have an official application?
Regards,
Rodrigo Lima
You need to create an application in order to get an OAuth token, which you need to call venues/stats. In practice, during testing, the only real field that needs to be accurate is the redirect URI, which you'll need for OAuth. The others can take dummy values for now, so long as you go and change them before you publish.
Related
I'm building a full-stack application with Next-JS. I'm building an API that works with Firebase. I was wondering if there is a way to make this API secure.
Let me elaborate. There is an option to your account called Premium. This variable is stored in the Firestore and will determine if you have purchased a Premium membership. This will determine whether or not you have access to certain features. I will use an API to change this variable.
I had the following in mind:
Have a button on the page to upgrade account.
Button pressed? Call to the API with the following params: email, upgrade to. This is because the same function can also be used to downgrade an account, for example when the user doesn't pay for the upgrade.
That API function changes the variable in the Firestore. It returns a status and a message.
I want to make option 2 more secure because otherwise, it would allow anyone to change the premium variable. That is obviously not what I want. Is there anything I can do about that? For example, a token system, the thing with that is that I have been thinking about that and I don't really know how to implement that and how it would work exactly.
For anyone wondering why I am using an API: I will also be creating an app, probably with react-native. The user will also be able to change their account status and interact with the API to do other stuff in that app.
Thanks for reading and responding! I hope this is at least a bit clear. If you have any questions, please comment them.
I do similar things in my app. I use Cloud Functions (which operate in a secure environment) to both save settings in Security-Rules -protected tables, as well as setting Custom Claims in the users Auth profile. All authorizations are then verified in the Cloud Functions before any changes are made - You may need to "seed" some values in a protected collection/document from the Console to get the process started.
Is it possible in hapi-swagger to hide some APIs from documentation (swagger ui) based on user role.
I mean suppose I have /employee and /admin two APIs so whenever admin login to swagger ui or swagger documentation so both /employee and /admin API should display on page and if employee login to swagger ui then it should display only /employee API.
You can hide routes by omitting the ['tag'] value in the configuration, but you cannot have this on a user based role without considerable reworking. The documentation is generated at server start not on the fly, which is why you need to reload the server to reflect changes.
I had a similar use case, and in the end I decided it made more sense to have a different endpoint for the two difference services (in your case employee and admin). So perhaps something like api.domain.com/internal and api.domain.com/external and if so desired its easy to wrap authentication around either of these. It also leads to advantages should you ever want to grant access to developers to work on one API group rather than open access to both.
I'm building a Windows 8.1 store app and need to incorporate authentication. This is an enterprise app used in house. We load the app onto a tablet and a team may check that tablet out for weeks at a time, go out to the field to collect data and then we put in on a shelf until another team needs to use it. Now different teams may work for difference clients so when we authenticate users not only do they get access to the app but we also check what groups they are in to determine what clients they can work on or what previous records they can search for.
I've followed various ADAL tutorials and am able to setup everything in Azure and in my app I am able to authenticate a user successfully and get their groups. This relies on ADAL handling the username/password. What happens when the app shuts down and the user in a place where there is no internet (or even a reliable cell connection)? Specifically how can I have the user type a username/password to re-authenticate and get the same groups they were in when they can't access Azure services?
It appears they isn't available as the guidance always points to that is a risky proposition to have the app handle username/passwords. I understand that stance and can appreciate the caution behind it. However, in all of the ADAL documentation that I find that says this, none of them tell me how to handle an offline authentication scenario.
I have found links such as ADAL v3: How to authenticate using UserPasswordCredential? that tell me how to bypass the ADAL login page. I may have to move to that route and handle all of the username/passwords securely within the app, but first I would like to reach out and see how others tackle this scenario. Is it really as simple as avoiding best practices and just handle the username/password within the app?
If anyone has some guidance, ADAL (or other oauth providers) documentation, or other articles/advice I can follow up on to help achieve offline authentication I would greatly appreciate it!
Additional Information:
My scenario that I'm trying to cover is what happens when I have 1 device, 1 app, and many different users? These users will be in different groups that will determine how data fields get populated (filter data in combo boxes) and what previously submitted forms they can query for. All users would need to login when online to cache their information (say on Day 0) before they can ever use the app. On Day 1 user 1 uses the app and doesn't log out. I would expect the app to have a timeout timer to log that user out after 2 hours of no activity. On Day 2, user 2 just grabs the device off the shelf and takes it out into the field. He has no internet and needs to log in to determine who they are and what group they are in. I would expect since he has logged in once and verified his credentials already that we can enable this sort of scenario.
What I'm looking for is guidance if ADAL as a library can handle this or is it truly up to me the app developer to handle this sort of scenario. As I see it currently I need to store all user credentials, but at the same time it seems like everyone advises against that. I feel like I'm in a situation where I need to create a custom login screen and store the user data, SECURELY of course, even though its not recommended. It seems like all articles on how to use ADAL are written from a consumer app standpoint (or a BYOD) and don't take into account how a mobile app would be written for the enterprise.
That depends on your app design, if the first time(app online) , user login and app store all groups ,user information .After that user doesn't need to use token to get related information again(send request to server to acquire groups/user info). If app is offline , user doesn't need to re-authenticate(app controls the user session) , just get group/user information from cache . When using resource owner flow , you still need to send authenticate request to Azure AD server which need internet.
I'm making an app that authenticates a coach with KA's API, in order to present statistics and reports on the progress of each student.
How do I see "For whom am I a coach" (inverse of /api/v1/user.coaches)?
or otherwise request user and progress data for all my students?
You can request /api/v1/user/students to get a list of the currently authenticated users' students. Note that this is an undocumented endpoint, not sure if that's on purpose or not, but I suspect just an oversight because IIRC I've seen them reference it on github issues in the past.
I added that endpoint to the khan npm module in this PR: https://github.com/weo-edu/khan/pull/4
An important caveat to note is that as of this writing, you won't be able to request students on behalf of a user who has authenticated your application, only the user who created the app you're currently using.
Put another way: If I create an application called "hello" while logged in as "Jeffrey", I can get all of Jeffrey's students by authenticating with the "hello" app. However, If I log in as Lisa via the "hello" app (via oauth, e.g. passport-khan), I'll have an access token but the Khan API will refuse my request because Lisa did not create the "hello" app.
This behavior is documented (albeit a bit confusingly) in this wiki page, here's the relevant paragraph:
It is recommended that schools have one teacher/coach account that registers for an API key. This enables a situation where the logged-in user is the same as the third-party developer, who then can access their own students' data pursuant to Khan Academy's "coach" relationship. For example, suppose the principal of Riverdale High wished to export data for multiple students via the API. The principal would create a teacher/coach account, perhaps called "RiverdaleHighAPI," and register for an API key. The principal would then ask all students of Riverdale High to add "RiverdaleHighAPI" as a coach, either directly or via several class codes. When accessing the API with "RiverdaleHighAPI" as the logged in user, the principal would be able to access the data for all students that have added "RiverdaleHighAPI" as a coach. The app would not have access to any other coaches' student data, even if another coach logged in through the app. To protect student privacy, we do not allow indirect consent through the coach, and we require each student to explicitly grant permission to access their data. Please note that we are working to improve this functionality; for the time being, this "RiverdaleHighAPI" account should only be used by the school's API client, not by any actual teacher or coach.
Lastly, khan actually encourages public use of their internal API. They recommend opening up your developer console while logged in to khan and looking for the endpoints that return the data you want. (see this note on their authentication document).
This is obviously a fairly non-standard practice and I assume the endpoints would be subject to breaking changes without warning. Also you'll be flying documentation free. That said, this approach may be the most robust option for your purposes. Here's the quote from their wiki for posterity:
The API explorer documents our public API, which has URLs starting with /api/v1, but unfortunately it's not very well-maintained and lacking in a few areas.
If you're feeling adventurous, though, you're welcome to use any internal undocumented API endpoints. For example, if you load a Khan Academy video page and use your browser's developer tools to look at the ajax requests being sent, you'll see that it gets a URL like /api/internal/videos/aubZU0iWtgI/transcript, which contains a JSON response with the video subtitles. That "internal" in the name means that we don't provide documentation, and we may remove the endpoint or change the format in the future, but you're welcome to use any internal endpoints if you keep those caveats in mind.
So I'm trying to add an actual Instagram feed to my wordpress site. I dont want to use a 3rd party site which doesnt drive traffic to the actual IG site. I've been on the IG developers site and to be honest kind of confusing. Any help would be greatly appreciated.
I would recommend using a plugin to do the hard work, since there are many out there, and integrating the instagram yourself could be a challenge. A quick google search gave me this one:
https://wordpress.org/plugins/instagram-feed/
If you don't want to use a plugin, you need to understand how the api works.
The instagram API requires OAuth authentication for most calls.
First, You will need to register an application on the https://instagram.com/developer/ site in order to obtain a client Id.
Once you have a client Id, you need to establish a flow for users who visit your site. There is no way around this for API calls requiring authentication.
First, the user needs to login and allow access from your account using the instagram api request url:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
CLIENT-ID is the id you obtained earlier, and REDIRECT-URL should be your wordpress site.
Calling this url will allow you to obtain an access token for the user on your site, and you can then make authenticated calls to the API using that token.
One way around this is to make simple calls that don't require authentication, using tags that are specific to your photos. That is described in this SO question:
Instagram API and importing photos without server side authentication
Cheers,
I agree with Felipe. If you or your client need an Instagram plugin, the easiest way would be to buy it at some marketplace. What’s more important, it is much cheaper than wasting your own time on developing one. Of course, that applies to commercial development, not something that you do for fun.
Here’s a list of plugins that I’ve installed to my clients and was happy about:
https:// wordpress.org/plugins/instashow-lite/ - lite version of the
premium plugin. The functionality is really limited, but it would be
enough to give you a simple display.
https://codecanyon.net/item/instagram-widget-wordpress-plugin-for-instagram/11170758 - a simple commercial widget to display your Instagram
account on a webpage.
https://elfsight.com/help/how-to-embed-instagram-feed-widget-on-html-website/ -
an interesting cloud solution for websites on any CMS. It’s got a demo and a
free plan.