How to modify components from api in Strapi? - strapi

I'm building a book library web app using NextJS and Strapi, in which people loan and borrow books.
I have some problems that I don't know how to solve;
How can I fetch data based on the user? What is the best way for authenticating user and fetching data based on their username or sth specific? (each user has specific items in their account)
How can I access and modify content-type component from api?
here I have some sent or received books components, how can I add items to them using API?
I've added some components to user_details content-type and each user that is authenticated here will have received and sent books, is it the right way to implement this?

Related

How to handle authorization for a non-user based Laravel API?

I have a Laravel web application for a restaurant with its own user base.
I have another web application for a bookstore with its own different user base.
I would like to create a third application (mostly API, probably using Lumen) that can create accounting records from both the restaurant and the bookstore on every transaction that is made (i.e. when I sell any food, make a POST request to this API to insert a record, and do the same if I sell a book).
How can I guarantee that only authorized users from my web apps (any user) can make requests to my API, without asking them for any additional password?
This is a typical use case for the client credentials grant tokens oauth flow.
From the laravel passport documentation:
The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API. 
You can create an api-key for each user that has to be present in the post request's header. There should be a table in the API that has these keys stored with the corresponding user_id.
As such you can identify each user based on the given api-key.

Using o-auth to authentify users on my API

I've got a project made of two websites:
The front : A Laravel website without database and logic (just showing static pages and my javascript)
The API : A project using Lumen/Dingo API with my endpoints, my database, my logic and my models
I want to allow my front to ask data to my API depending the user.
Ex. I want to log the user, retrieve his friends, add some post to his
account, etc. (from the Javascript)
What is the best solution?
Using an identification per user (using o-auth or JWT)
Allow my front project to ask to my API then each javascript call needs to use my front without knowing my API) (In this solution I need to create routes similars to my API's routes)
Identification per user is always a better solution as the claims can be decided per user, also in future when it is required to provide permissions to access API based on claims or roles, it becomes easy to give information using the claims and amount of access you can give to a specific user.
So the way it will work is:
There will be identity server which will be containing the list of users in the system, and also the clams and scopes per user.
The API project will trust the identity server, that means any token provided by the identity server can get verified.
Based on the token per user your API app can decide how much information you want to give to the user.
That way in future you can have methods based on roles, claims and users will be provided with only the information that they have access to.

Using Plaid Link with Connect and Auth

I am using the Plaid Link javascript library but I am running into an issue. I want to be able to use both the Auth and Connect products but the Link modal only allows me to show either Auth or Connect but not both. The documentation says to use Auth and then upgrade my token to use Connect. Which is fine I can do that. However the Auth modal will not show any credit only institutions like AmEx. Since I want both to allow for Stripe integration and for pulling in all of a user's transactional data across all institutions, what's the best way to do this?
Currently I am considering showing the different modals in two different flows (add a bank account vs add a transaction history account) but that is not very good UX. Also the IDs assigned by Plaid will be different and have different access tokens so deduping is a nightmare.
Or writing a custom modal that will use the Auth product for institutions with bank accounts (Chase) and the Connect product for credit only institutions (AmEx) but that will likely be a lot of work.
You'll only be able to use the Plaid Link + Stripe ACH integration for institutions that support Auth. I'd recommend initializing Link with Auth as the product and then upgrading to Connect once you have exchanged the Link public token for a Plaid API access token.
To answer the UX question you brought up - you can actually bypass using Link's standard "institution select" view and instead display your own list (you can use the /institutions API endpoints to pull information about supported institutions) using Link's custom integration.
That way, you can show your users a single list of supported institutions. If you initialize Link twice (once with Auth and once with Connect) you can jump directly to the Auth-initialized Link or Connect-initialized Link depending on the user's institution.

Best Approach on Social Authentication Providers

Currently I am developing an application with several access methods based on Laravel/Socialite, I want to allow users authenticate with facebook, twitter, google so far or creates it's own account by filling a form with name, email, password.
Routes
login/
login/facebook
login/twitter
login/google
Questions :
¿What is the best approach once the User data has been obtained from the auth provider?
¿How to handle a common data user storage?, I mean, I am storing only person name, email and avatar, but how about the token provided by the auth process.
¿How to handle when user log in with more of 1 providers with a same email address?
And how to handle when a user set password to his account created trough facebook?
I thank your attention .

How do I programmatically determine a Google Account USERID token from a Gmail address without credentials?

I'm developing something with the Google Books API, but I think this can be generalized across many of Google's APIs.
Suppose I have an app that's got a social aspect where I can add friends and see their Google Books collection. From the API docs, it says I can retrieve anybody's collection if I know their userid, but I can't find any way to retrieve it programmatically. The only thing I can expect a user to know is their friend's gmail address (or Google Account Login, which, for these purposes, is the same thing). The only way I can somehow get it is through a URL on their web interface for Google books. Making users do it that way is an obscure form of torture.
Does anyone know if this is possible with any Google service?
Specifically, suppose I had a gmail address: example#gmail.com, could I then query some Google service to get the userid for that user? A userid is a basically a really big number (around 20 digits)
Here's a similar question with a solution/workaround from Nick Johnson:
The current workaround is to create a
User object, store it to the
datastore, and fetch it again. If the
email corresponds to a valid Google
account, the User object in the
returned entity will have its user_id
field populated.

Resources