We are looking at woocommerce Rest API and tried to find any solution to have a restriction on created api for certain user so its only that user tied data that is synced through his api keys.
Ex. User A gets api keys for his user, only products,orders,stock and customer for User A gets synced through his api keys not anything else.
Feels like its just a simple rule that can be added as a function.
Related
I have my public API running on AWS API Gateway, and now I want to add API keys to it, basically to see "who is using which endpoint and how many time per month/week/whatever". My API already has user management logic, with its own users db table.
The part I need help with is the analytics part - say I have this up and running, I need to be able to extract some sort of report saying, for each user (by name), how many calls were made to each endpoint. So far, the closest I've gotten was https://stackoverflow.com/a/52361117/1514576 which gets me the info I need by API key. The part that I'm missing is how I could potentially cross-reference this data with my "users" database table.
I was hoping one of you had faced a similar problem and could share how you handled it.
Here is my scenario. Imagine there is a Yoga studio that uses a professional booking and reservation system that exposes an API. Through this API an application can make a reservation for a client. The API takes the client's userid and password to make the reservation. The booking API doesn't use OAuth or any social media sign-ins.
My desire is to create an Assistant Action that would retrieve the list of classes and allow the client to make a booking.
My puzzle is what design/architecture to look towards to supply the userid/password pair required by the booking API.
How have others solved this puzzle?
Should I store the userid/password as "user state" associated with the action?
First, you should have a conversation with the API provider about why they don't provide an OAuth-based solution. This is a security vulnerability waiting to happen, if it hasn't already.
Second, you need to think very carefully about your own risk profile in this case:
Google does not allow you to collect credential information (ie - passwords) through your Action.
Because of this, you must use Account Linking to authenticate them.
This means that you will need something (ie - a database or data store) to manage their account on your side.
This database would be a good place to keep the username/password you need to use for them for the API...
...but it now means that you need to take extreme care about protecting this database.
You don't really say how this API allows for accounts to be created and managed. If these accounts are just used for you (ie - the user doesn't necessarily see them), then you can mitigate some of that risk by treating the username/password as an opaque token that you manage and generate and that the user never sees.
If this is something that the user is aware of, then you'll need to approach the account linking in one of two ways:
Have them log into your service via an app or webapp using this credential info that you will need to save (ack!) and then link to the Assistant using OAuth.
Have them log into your service via an app or webapp using Google Sign-In, which will carry over to your Action. Then have them provide the credential info for the API, which you will need to save (ack!).
I have been trying to figure out after referring to their official documentation (Google Ads API Document) which is not clear enough
Here is what I have tried till now.
I have created an app where users can log in with their Google Ad words account. I need to fetch their Ad performance reports via REST API.
To make an API request to fetch performance reports, we need the Google Ad Words Account ID of the authenticated user. Currently, as I am testing it with my personal account, I can login to my Ad words Console and get the Ad Words Account ID. But, how do I fetch the Ad Words Account ID dynamically for other users who authenticate via my App?
I tried looking for a way in their official documentation. But I couldn't figure out.
Could someone help me with the REST API URL which needs to be called to fetch the authenticated user's Ad words Account ID.
In addition to previous answer, I guess this is what you are looking for:
https://developers.google.com/adwords/api/docs/guides/first-api-call#create_test_accounts
It explains how to setup Google Ad Words API and get your ID.
According to the documentation here Account overview, you need to list the customers to get the ID. For each user that logs in as long as they do not have access to multiple accounts you should get a single customer and their ID.
CustomerService
CustomerService provides information about your accounts. It has a
getCustomers() method that takes no arguments and returns a list of
Customer objects containing fields such as customerId, currencyCode,
and dateTimeZone. CustomerService also has a mutate() method that can
be used to update various attributes of a customer, including the
autoTaggingEnabled and conversionTrackingSetting fields.
If no clientCustomerId is specified in a request, the response will
contain multiple entries if more than one account is directly
accessible by the authenticated account.
I'm trying to retrieve the status updates of the authenticated user with the REST API. Is there a way to do that? I only can find a way to retrieve the status updates of the companies the user has admin rights of.
It is no longer possible with the standard LinkedIn API (If you look at their REST console, you can see all the public methods: https://apigee.com/console/linkedin?apig_cc=1).
You now need to join their partner program in order to access additional API methods now: https://developer.linkedin.com/partner-programs
I am trying to create a REST API using Java.
Now, for the front end, I am using socialauth, so that facebook/twitter/yahoo/hotmail/gmail users can sign in to the application.
After a user is signed in, he should be able to access the data for his account- I want to create a REST API that enables each user to access his data. I have understood the basics of creating a REST API using Jersey framework, however how do I ensure that only a user who is correctly logged in to the application, can access data via the REST API?
What I thought of is, I will store the user's email ID in session, when he logs in. And whenever he makes a request to the API, the email ID in session is passed as a input parameter to the REST API, and the REST API checks that data is asked for same email ID, as the email ID parameter.
Is the above way of thinking correct? What is the recommended/best way to implement REST API in the scenario as given above?