With there being rate limits should I ask for an increase when trying to get all access approval? Since my app asks the driver/ rider to sign in using their uber credentials will this help limit the calls to the API?
Thanks in advance.
Probably not, but it depends entirely on your purpose.
Calls to an API are usually done to get or update data on the home servers, in this case Uber's servers. As such, any Uber specific information you require will likely need to be accessed through their API.
Now, I've not reviewed Uber's API so if you can use the return from the login request to resolve all your needs then great. However, if you need to get data from their servers it would only reduce calls to the API if they require data returned on the login which can only otherwise be retrieved by making another call to their API.
Related
So I'm using Jira Rest API, where the user can type their own JQL query and then a table will display tasks. The only problem is my Rest API is very slow, and I think it's due to login before it can access the data. Is there a way to make the Rest API faster?
a simple call which GETs around 20 task results takes up to 17sec, before the user gets the requested information.
the URL can be something like:
https://jirabd.xxx.com/rest/api/latest/search?jql=project%20in%20(BUG%2CFIELDB)%20AND%20component%20in%20(%22Fieldb%20Components%22)%20%22AND%20issuetype%20=%20BUG%20AND%20status%20!=%20%22Closed%22&fields=customfield_10100,customfield_10101,status
I simply just need to know where I might have to look to boost the performance, since I have no clue how/where to start looking.
EDIT
Did some more digging regarding login, and it seems its the way our accounts has been setup in the company. The service account I use for login, takes 17sec to login, where a regular account takes 1-2sec to login, so that's why. Now I just have to figure out why this is the case.
If the issue is login, try keeping the authentication cookie for the next requests:
https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
or OAuth as they do suggest
Here is my scenario. Imagine there is a Yoga studio that uses a professional booking and reservation system that exposes an API. Through this API an application can make a reservation for a client. The API takes the client's userid and password to make the reservation. The booking API doesn't use OAuth or any social media sign-ins.
My desire is to create an Assistant Action that would retrieve the list of classes and allow the client to make a booking.
My puzzle is what design/architecture to look towards to supply the userid/password pair required by the booking API.
How have others solved this puzzle?
Should I store the userid/password as "user state" associated with the action?
First, you should have a conversation with the API provider about why they don't provide an OAuth-based solution. This is a security vulnerability waiting to happen, if it hasn't already.
Second, you need to think very carefully about your own risk profile in this case:
Google does not allow you to collect credential information (ie - passwords) through your Action.
Because of this, you must use Account Linking to authenticate them.
This means that you will need something (ie - a database or data store) to manage their account on your side.
This database would be a good place to keep the username/password you need to use for them for the API...
...but it now means that you need to take extreme care about protecting this database.
You don't really say how this API allows for accounts to be created and managed. If these accounts are just used for you (ie - the user doesn't necessarily see them), then you can mitigate some of that risk by treating the username/password as an opaque token that you manage and generate and that the user never sees.
If this is something that the user is aware of, then you'll need to approach the account linking in one of two ways:
Have them log into your service via an app or webapp using this credential info that you will need to save (ack!) and then link to the Assistant using OAuth.
Have them log into your service via an app or webapp using Google Sign-In, which will carry over to your Action. Then have them provide the credential info for the API, which you will need to save (ack!).
I work for an ecommerce site and we are looking to expose much of our core functionality via a set of APIs. We plan on re-writing some of our own public facing applications (e.g. the main shop website and our mobile app) to call these new APIs also. We also want to offer some of these APIs out to third-parties who want to integrate with us.
My first question is - what is a suitable authentication method for these APIs? Everything I read is about OAuth, but am I right in saying that this doesn't fit in this case as we're not looking to use another log in system (e.g. Facebook, Google) but rather restrict access to our own API (so maybe an API key or JWT solution would be better?)
Secondly, our current website has it's own user accounts system. How do you offer /user endpoints (like GET user/1235/paymentmethods) in an API like this? Surely the actual user (website customer) needs to authenticate somehow in order for the given API consumer to access their data.
I've spent the last 2 days reading about this but I'm at a loss as to how to go about this! Any help much appreciated.
Actually I have an API called update user data, it is called when the user moves from one page to another page. If the user copy the API from console and post in postman, user should not able to update the user data. How to provide security or implement feature to not to update data through post man.
You really can't.
You can slightly make it harder using some CSRF protection, but that's just it - it will only make it a bit harder, but not stop anyone determined.
If your API is public, you should be ready for your users to have custom client apps.
I am a bit confused by your question. Because PostMan or other applications like Fiddler are created to make the job easier for developers during development. anyhow if you are concern about who makes call to your webpage, you can make your API private and just give access to the user that have the right credentials. You can also read about CSRF or XSS.
I'm trying to use UberAPi to request rides while not requiring an authentication from the end user (rider).
My company should be responsible for the payments from such rides, and would only request that a driver appears at point A at such time, and deliver someone to point B.
Uber business does have all the features needed for such an integration: Usage reports, expense codes, and else, but I see no way of doing this without either an SSO or OAuth.
No, it is not currently possible to use the api for such a use case. You might want to consider using Uber Central.