I am developing an API for a social network website. This API will basically get all the requests from the users (get friend list, post a status update etc) and reply back if necessary.
We will implement OAuth 2.0 protocol for authentication. Consumer (our php project) has API id and secret.
Basic scenario:
Client wants to log in
API Consumer (php web project) takes this request, directs user to API
User send his/her user credentials to the api, gets the token.
User comes back to our website, pass token to the consumer.
Consumer goes to the api server, gets the access token.
Now consumer (php project) has access to user's private information.
Since this is a social network website, we want app developers to be able to use our API in the future.
I am not experienced in API-design. Does that flow make sense? I guess the simplest authentication would be accessing user information through php project. But we don't want to access database in php code. We will use ajax in client side and send a request to the API. And I believe there should be a better solution, what would you suggest?
Sure, API design is basically point where you need to choose technology.
Either it can be PHP or .net or Java.
I would prefer either PHP or .Net as we get lot of flexibility in it.
API will return XML or Json depending upon the request.
There are lot of CMS in php which can be helped.
.net we have Service Stack to help you.
API's had to be fully independent from other world as well as within API method as well.
If you are able to achieve this, then you will surely create a good architecture.
Related
I have an outlook addin that I've built using Yeoman. The addin communicates with a server API on my server to combine data from an email with additional data from a database that a user has saved against an email address. This is all working great.
Next I want to store a copy of the email server side, as a file on disk, .msg preferred but I'll take a .eml if thats the only option.
I have 2 options but don't know if either are possible. Either the addin generates the .msg file and posts it to the server API OR the server side API generates the .msg file directly. I have got the server side using the Outlook v2 API and able to pull back the email information when the client passes it the token, id etc. If it could just generate/download a .msg file server side this would be ideal.
As a side note, many of the Microsoft API pages point out the deprecation of the Outlook API in favor of the Graph API, however there are inconsistent links between the pages and it get confusing. I have discovered the token from getCallbackTokenAsync only works with the Outlook API and not Graph, but I cant find out a way to generate a graph compatible token. All the example code from MS uses Office.context.mailbox.restUrl which still gives the Outlook API url and not Graph!
So I guess I'm trying to find out if it's even possible to get/generate a .msg or .eml file either client side using outlook.js or server side using one of the api's. Thank you.
I can get message data both client and server side but cannot get a physical email file.
The Office JavaScript API (OfficeJS) doesn't provide anything for saving messages as msg files (or getting streams). The best what you could do is to use Graph API where you could get the EML file, see Get MIME content of a message for more information.
The server-side code may use the OAuth 2.0 On-Behalf-Of flow (OBO) to request a new access token with permissions to Microsoft Graph. Read more about that in the Authorize to Microsoft Graph with SSO article.
The on-behalf-of (OBO) flow describes the scenario of a web API using an identity other than its own to call another web API. Referred to as delegation in OAuth, the intent is to pass a user's identity and permissions through the request chain.
For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform. It only uses delegated scopes and not application roles. Roles remain attached to the principal (the user) and never to the application operating on the user's behalf. This occurs to prevent the user gaining permission to resources they shouldn't have access to. See Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow for more information.
Eugene's answer is good. If ultimately you need to get that message to your backend service, using Graph as Eugune described would be the recommended approach. If for whatever reason you are still looking for a capability to access it on client using Office.js, it is not a part of the product. We track Outlook add-in feature requests on our Tech Community Page. Please submit your request there and choose the appropriate label(s). Feature requests on Tech Community are considered, when we go through our planning process. Note there is already a couple of similar ideas there, if you search for "eml" keyword, that you may want to upvote.
I have a Laravel back end serving APIs to a React front end for a solution I am developing. I want to integrate SendBird Chat API into the application to allow authenticated users to chat with each other.
My query is, how can I pass authenticated user details to SendGrid? I.e., if user X and user Y both log into the website, how do I allow them to talk to each other?
I am pretty sure I've misunderstood something around sessions but any help is appreciated.
I am not looking for a specific code answer but a general architectural answer.
You send request from your frontend app, Laravel API receives request, builds whole application (all of your code) to process it and returns response. That is one request lifecycle and Auth::user() is going to be the user which sent request.
Request lifecycle explains this in much more detail but I recommend first learning about the basics of Client <-> Server architecture
in my Laravel 5.7/mysql app I need to make external api to read some data from external
app with get request and to write some data to my db with post request.
Which tools/scripts are there for this and how to make these requests safe?
MODIFIED :
Thanks for feedbacks, but looks like I badly put my question
The external app(I do not know what is it written with) need to read data from my app
and write data to my Laravel 5 app.
And how have I to test these requests while on development locally ?
Looks like I have to use Guzzle as in provided link?
Which steps have I to take for safety on my side?
Thanks!
These three libraries are popular for your use-case:
Guzzle
Curl
zttp
If the database is local you can use Eloquent, If not, remote connection to that database may help. otherwise, if you only have API access you should consume eighter of above libraries or any alternative options to make an HTTP request your application might require.
Security-wise, as long as you are only making a request to a remote server, the Suggested way is to store any key or secret string related to authorizing your request (if applicable) in your .env to prevent it from committed to your version control systems. Needless to say to always handle any possible HTTP error your remote API might throw in order to prevent any unwanted error on your application side.
And as Abir Adak mentioned in the comment check this thread for further details.
Updated Answer: On the case of MODIFIED part, generally you have 3 popular options,
REST API
This blog post is a detailed walkthrough written for Laravel
This one from Stack Overflow can help you with designing you API
This last one can help you to develop a widely accepted API response and endpoints by following its specifications.
GraphQL
Can save some time for developing your API, but I suggest to make sure that the consumers of your API are happy to use this option.
GraphQ
Laravel Package for GraphQL
If using Laravel isn't a must, and you are using PostgreSQL, you might want to look at Hasura as well.
SOAP
Have little knowledge on this option for Laravel, just know folks coding using C# and .net are happier to expose their API with this protocol. read more about it on WikiPedia
Postman is a great tool for testing your API or any other API.
We are using BotFramework Composer to create bots. These bots are supposed to get information from a backend REST service, where we need to know, which user is submitting the request for data. We are currently using {turn.activity.from.id} to get the Teams user's id, and sending it in a special http header in the "Send an HTTP request" action. We then perform a mapping of this id to our internal users.
We are, of course, aware, that this is not secure at all, since anyone who knows this, could get the user's id and send it to our service. We are currently thinking along the lines of generating a short-lived jwt token in the Bot to send to our application. However, we see no direct way of implementing this token generation in the Bot Framework Composer itself.
Also, we don't want to use OAuth, because we don't want the user to have to log in via the bot.
Is there a way to implement custom token generation using C# or js and assigning it to a dialog variable to be used in a "Send an HTTP request" action?
This document discusses how to implement an HTTP request in Composer. The first half is focused on creating a login for OAuth, which I know is not your focus, so look at the second half. If you set up a simple server that can generate a token for you, then you can make a request to it from Composer using the method described.
As links can break and docs can change (and Composer is still in Preview), I would recommend saving the doc somewhere and checking back every so often for any updates.
I've used HTTP requests from within Composer, myself, so I know this will work for you.
Hope of help!
You can create a custom Action or a package component and create any c# methods there for JWT generation. This will keep it all local to the bot.
https://learn.microsoft.com/en-us/composer/how-to-create-custom-actions
I've been away from BotFramework development for a while and have now come back to it.
I am using this Bot hosted internally within my company, and talking to it using a relay application using REST. This all worked fine.
However, after updating to V3 of the Bot Framework I came across issues. I see that the changes mean that the Bot now replies asynchronously, sending data to the ServiceURL field. Therefore I have a couple of questions.
Can I still use this architecture for the Bot Framework? (i.e. hosting internally to the company, without using Azure or Connectors)
If I can, I assume that my relay application will need to have an endpoint that the Bot can reply to? Does it just do a http POST to the ServiceUrl I give it? (i.e. http://mybotserver:9000) or is it posting to a URL under that server address? I assume the body of the post is the usual Json you see in the Channel Emulator.
I don't know the specifics of your architecture, but in general, if your bot (via relay) can:
Reach the ServiceURL endpoint with an https post
Receive incoming requests to an endpoint you registered with the Bot Framework
The relay needs to be able to reach our login service to sign requests
Also needs to be able to reach our OpenId endpoint as part of signing/authenticating
That should be it.