I have a website in AngularJS. And a backend that is basically dumbed down to a RESTful API. Login currently works liket this:
User provides login credentials -> send to server -> Validate informations and deliver a token that will be used for future requests on the API. The API itself can be used anonymously as well.
Now I understand that in a RESTful environment, I shouldn't be using Sessions, but what if I wanted to show users that have been online in the last 15minutes? How would I determine if the user that was online within the last 15 minutes was authenticated or anonymous? I am not exactly looking for any code example but rather food for thought.
Thanks
I suggest you too add date field to user entity something like lastAccessDate and with every API request for user you update lastAccessDate to current date (now()).
To get all users that were active during last 15 minutes your just need to make query in your DB with condition: now() - lastAccessDate < 15 minutes
To track anonymous users you need to add separate entity guests, activities, shadow users, anonymous users could be good choice for that case.
Does this sound something helpful?
Related
So I'm using Jira Rest API, where the user can type their own JQL query and then a table will display tasks. The only problem is my Rest API is very slow, and I think it's due to login before it can access the data. Is there a way to make the Rest API faster?
a simple call which GETs around 20 task results takes up to 17sec, before the user gets the requested information.
the URL can be something like:
https://jirabd.xxx.com/rest/api/latest/search?jql=project%20in%20(BUG%2CFIELDB)%20AND%20component%20in%20(%22Fieldb%20Components%22)%20%22AND%20issuetype%20=%20BUG%20AND%20status%20!=%20%22Closed%22&fields=customfield_10100,customfield_10101,status
I simply just need to know where I might have to look to boost the performance, since I have no clue how/where to start looking.
EDIT
Did some more digging regarding login, and it seems its the way our accounts has been setup in the company. The service account I use for login, takes 17sec to login, where a regular account takes 1-2sec to login, so that's why. Now I just have to figure out why this is the case.
If the issue is login, try keeping the authentication cookie for the next requests:
https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
or OAuth as they do suggest
We're starting to migrate our Website to a REST Service based system and are in the process of developing the core right now.
In our current setup a user has one or more "accounts" assigned which define what data he can see on the website. Only one account can be active for a given user at any time. Right now we store the selected account in the database and use it to filter all queries.
Now I'm not sure how to handle this properly in a REST environment. Possible solutions I found are:
Sending the requested account with every request
Storing the current account in the auth token. (We're using JWT for that)
Having the current account stored on the server and calling a specific resource to change it
Each of these has its pros and cons for our setup. Currently we're using the 3rd approach in our Website. But what would be the correct way to handle such a thing in a REST environment?
Yea the design you are dealing with is fairly bad, and what you really want to do is remove the state completely out of this system.
For that reason the first option is by far superior:
Sending the requested account with every request
If this is simply an id, there's a very simple way to do this, just prefix all your (relevant) routes / uris with this account id. For example:
http://api.example.org/accounts/{id}/...
This way the 'state' is maintained by virtue of which url you are accessing, and the server can be unaware of the state.
This got stuck in my head from many days, can anyone help or say at-least this is not at all possible?
I'm working on developing a chat bot using dialogflow which integrates multiple applications along with google home assistant, dialogflow, actions on google and an application which i want to manage using chat or voice commands. Until now its good and got amazed of features providing by google.
But i'm expecting one more feature. Don't know whether any alternatives available for this or not, but i tried exploring and reached to desert. Below are my requirements, if others think this is really unique and useful to them as well then i can say they are improvements or add-ons i'm expecting from DialogFlow.
Let's take an example of a chat bot which is serving users through google assistant and as a web bot as well. Now while conversing, intents may trigger web-hook in fulfillments which may require an authentication like OTP(Nope if anyone thought it for payments) which means registered users or limited users only can perform actions. This is same as we use roles and groups in all the applications.
The way google is sending google prompt to the user for logging into gmail, is there any way that we can collect PIN or OTP or PASSWORD through some notification sent to the users phone as some card's or input box like and html while conversing with chatbot through web or home assistant etc..., so that it helps in adding more security.
I recently worked in a chatbot project where I had to authenticate my users. I'm writing an article about it, but I'll tell you what I did:
First of all, I'm using OAuth 2.0 protocol to authenticate my users, but if you doesn't use OAuth, there's no problem, you could do something equivalent.
I'm using Authorization Code Grand flow.
Let's see the steps:
Step 1 - Authorization Url:
My bot generates an authorization url which contains all needed data to identify the conversation in callback moment. Like this one:
https://authorization-server.com/oauth/authorize
?client_id={your-client}
&response_type=code
&state={conversation_id: 123456789}
&redirect_uri={your-callback-url}
Notice that the state parameter contains the conversation_id which identifies your conversation, this state parameter will be back when users return to your handler.
Step 2 - User Authentication
When users click in this link, they'll be redirected to your login page at your authorization server.
Step 3 - Callback
After users get authenticated, they'll be redirect back to your handler (an endpoint which will receive the authorization code from authentication server and the state parameter).
When it received this authorization code, it'll be exchanged by an access token in authorization server.
Step 4 - Store token
In the final step, you already has an access token and the conversation_id parameter, you can store it in a database, in a cache or be stateless. Your rules!
In my case, I'm using Watson Assistant with Cloudant database, and I store those access tokens in my database. So, when users request something to my bot, it could get this token from database and pass to my back-end servers.
This kind of approach, I call "magic link". And you could improve it by shortening the url as bit.ly does.
I hope it could help you, feel free to ask me if you need.
Best
You probably don't want to implement the OTP scheme yourself. While you could do this, there are other systems already in place that will do this for you.
The best is the one that you reference - Google Sign In.
Fortunately, you can leverage Google Sign In for both your website (where you would get the user to sign in and then pass this information along as you do the Dialogflow calls) and for the Assistant (where Google will pass along an ID token, indicating it has authenticated the user).
Unfortunately the facebook realtime api only informs about something has changed in the friends connection of the app's users.
What do I have to do to identify that UserA has just became friend with UserX?
Currently, anytime I receive a UserA's friends have changed notification from the facebook realtime api, I receive the whole /UserA/friends.json, paging throu the whole result to just identify what has been added since the last time.
While this works, it just feels like a lot of waste in compute-cycles and I like to know if there is a more elegant approach to this...
That's the way it is designed and there is no "solution" for it.
Note that this does not include the actual data values (either from
before or after the update). To obtain those, your app can request
them as normal, subject to the usual privacy restrictions. For data
that you have access to at any time, you may wish to query for that
data immediately following this callback so that it is ready for when
the user returns to your app.
Source: https://developers.facebook.com/docs/reference/api/realtime/
It makes a lot of sense, because Facebook is able to send you ALL UPDATES while not knowing if you have the appropriate permissions to get the new data, so a very easy way to do it in terms of privacy.
If you have a valid user token (in your db) you can retrieve the updated fields via Graph API / FQL and compare it with the data in your database. Without realtime API you need to pull data every x hours/days, which is even more waste of resources.
If you don't have a valid user token you can retrieve the updated fields via Graph API / FQL when the user comes back to your app and compare it with the data in your database. Without realtime API you always need to update/check the data when the user comes back.
I'm slowly beginning to unerstand REST and theres one thing thats confusing me .
I understand that most of the things in REST is a "resource" . So i was wondering what kind of a resource would we be referring to in the case of a user signup / login ?
Is it users ? Then does it mean that a POST on users would signup for a new user . If that is the case , then how do i authenticate a user ? a GET on users with an encoded password / username pair?
I'm really confused with this.
I may be COMPLETELY wrong in my understanding given that i'm just starting to understand REST.
Any help is appreciated !
Thanks!
It's a bit of an unusual but common problem for REST. Keep thinking about resources.
When you login you're asking the server to create a session for you to access certain resources. So in this case the resource to create would be a session. So perhaps the url would be /api/sessions and a POST to that url with a session object (which could just be an object consisting of a username or password and perhaps the UUID) would create a session. In true REST you'd probably point to a new session at /api/sessions/{UUID} but in reality (and for security purposes) you'd probably just register a session cookie.
That's my own personal approach to login forms if I were to implement them myself but I always tend to use Spring security for that job so this requirement never really takes much consideration.
I am working on something similar and this is the solution I have taken so far. Any suggestions welcome :)
I have users exclusively for singup and account modifications.
GET /users/{id} gets a user for the profile page for instance
PUT /users creates a new user with username and password. In reality this should send an email with a link to somewhere that confirms the signup with a GET method.
POST /users/{id} modifies the user (for example change password)
DELETE /users/{id}
For authentication I tend to think that the resource I request is the token or the authentication. I have tried to avoid the word "session" because it is supposed to be anti-RESTful, but if you are just creating the illusion of an actual server-side session for your clients, I guess it is fine.
PUT /authentication/ with usename/password returns Set-Cookie with the pair user_id / hashed value. Maybe it should be POST. Not sure
DELETE /authentication/{user_id} just deletes the cookie and the user is signed out. Maybe instead of user_id it should be a unique token_id.
Resources can be created, read, update and deleted using a restful approach, see e.g.:
https://cwiki.apache.org/S2PLUGINS/restful-crud-for-html-methods.html
So if you'd like to administrate you users this would be the restful approach to do so.
If you'd like to authenticate the users which you have in your administration dataset you need
to design or select a restful authentication mechanism see e.g.
http://de.slideshare.net/sullis/oauth-and-rest-web-services
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
For a jumpstart on these issues you might want to check out dropwizard:
http://dropwizard.codahale.com/
A resource may have one URI or many
but One URI will have exactly one Resource
Therefore, When Authenticating a user, you are addressing a user who is already registered
While when registering, you are addressing the user (resource) which is yet to be registered.
All you need is a way to process it to your SERVER.
THIS is an example taken from SUGARCRM REST web services implementation.
REST is like http requests to your SERVER.
For eg, when implementing REST Web Services.
Every REST Request is going to same File say
www.your_domain.com/Rest.php?json={your_json_method:'method',params:'watever'}
Where in Json is the request you are sending as a parameters
Requesting to authenticate a user
{method:'SignUp', username:'abc', pass:'pass', confirm_pass:'pass'}
Requesting to register a user
{method:'Login', username:'abc', pass:'pass'}
by this way you can have as many params as you want
Remember JSON is not necessory to be used. you can use simple get params for your query