I am a newbie in integrating APIs and so I am encountering some issues that need help.I have been working with Clash of Clans API for some weeks. I want to make a website where users can make request and get data from the server. **To use the API, a JSON Web Token is required and it needs to be passed as part of every request. The token is bound to rate limitations and specified IP addresses. **
What I have been doing is, create a token with my IP address, get the token and make request using it. Now, I want to take this a step forward but I have no idea how to take request from users around the world.
I thought of taking keyword from the user and making request from the server but don't know the step forward. Or maybe I should make requests using my server's address from my PC? Which I don't know how. I will appreciate it if someone could explain to me with this in layman's language and if possible through a reference. Thank you in advance.
There are many ways to design for Clash of Clans API architecture.
I just to make a simple design base on quick review of Clash of Clans limitation.
API_KEY can add IP address only when create API_KEY.
It means can't update (add) user IP address after create API_KEY.
Step 0 : Create API_KEY
Clash of Clans server only allow specified IPs and API_KEY for REST API call.
You need to know your server IP v4 address(production purpose) and your IP address(debugging purpose)
your IP address get from google search
After create key, you (developer), develop(or debugging) your API.
This is created API KEY in CC server
This example, using Postman check API.
Step 1 : User login
With his User ID and password. it will save into your server with hashed value.
(It means not save password, save hashed data). it can verify but if leak to hacker much more safe.
Use request API call(or service) to your server
Step 2 : Your server forward API to CC server
Server verify user is valid
If valid user, server forward API call into Clash of Clans(CC) server by CC API with API_KEY(Bearer Token)
Step 3 : CC server check correct API call
CC server verify by compare called API_KEY/IP address with saved API_KEY/IP address
Step 4 : CC server return API response to your server
Your server received the server API call
Step 5 : Your server return to user
User received her request a service
This API list
You can test it from your home.
This is example API call via CC server's documentation
Related
Currently I'm trying to access data from my shopify store through local host and I'm getting the CORS error. I realize this question has been asked but I couldn't find an answer. Also I realize that this is a bad practice since credentials are exposed. I have a local computer that for a reason (with out taking the time to explain it) needs to be able to GET data from my shopify store. This HAS to be done in javascript so I am using XMLHttpRequest like so:
var url = "https://apikey:secretkey#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
this is based on this answer on SO: shopify how to get product data using php in my localhost
In the above I'm passing my apikey and secret key from an app I've setup and approved on my account. One thing I didn't do is whitelist my ip which I'm not sure if that's what would allow me to get the data. This returns a CORS error.
I've also tried this:
var url = "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
Here I pass my username and password and I get the CORS error also.
What is a challenge is that if I'm logged into the account or not logged in when I go to my browser window I can go to this url: "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2"; and the json data appears in my browser window.
Again this has to be done in javascript and it has to be done from a local computer.
The way I went about this is forget the XMLHttpRequest. To access the shopify api via my local host I used the node library provided here: https://www.npmjs.com/package/shopify-api-node
I'm marking this as the answer just in case someone in the future is attempting to do this.
I refer to a answer given by Mike20132013 on
This IP, site or mobile application is not authorized to use this API key.
Mike in point 5 you say:
Once you are done, click create and your new Server Key will be generated and you can then add that server key to your URL.
Sorry, I am lost here. I have created a server key but to which URL are you referring to? Where exactly do I enter this URL please? I have bought the Google Reviews Plugin and I get the error message
"REQUEST_DENIED: This IP, site or mobile application is not authorized to use this API key. Request received from IP address 46.249.199.28, with empty referer" on my website.
My host has referred me to your answer.
Then you say
"Last thing is that, instead of putting the sensor=true in the middle of the URL, you can add it in the end like this:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=yourlatitude,yourlongitude&radius=5000&key=SERVERKEY&sensor=true"
I have no idea where to input this.
Easy part first: just omit the sensor parameter entirely. As the documentation says:
The Google Places API previously required that you include the sensor parameter to indicate whether your application used a sensor to determine the user's location. This parameter is no longer required.
For the REQUEST_DENIED error, please go to the Google Developers Console and ensure that:
you are using a Server key, not a Browser key or similar.
you have the Google Places API Web Service enabled (rather than e.g. Google Places API for Android).
your Server key either has a blank field for the IP addresses that may use it, or that the IP addresses field matches your IP (46.249.199.28).
The Get a Key part of the Google Places API Web Service documentation walks you through creating an appropriately configured API key.
For my application I want the user to be able to store files on Google Drive and for my service to have access to these same files created with the application.
I created a Client ID for web application and was able to upload/list/download files from JavaScript (client side) with drive.appfolder scope. This is good, this is half of what I want to do.
Now I want to access the same files from Node.js (server side). I am lost as to how to do this. Do I create a new Client ID for the server? (if so, how will the user authenticate?) Do I pass the AuthToken my user got client-side and try to use that on the server? I don't think this will work as the AuthToke is time-sensitive (and probably not intended to be used from multiple IPs).
Any direction or example server-side code will be helpful. Again, all I want is to access these same files the user created with my application, not any other files in the user's Google Drive.
CLARIFICATION: I think my question boils down to: "Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Do I create a new Client ID for the server?
Up to you. You don't need to, but you can. See below.
if so, how will the user authenticate?
Up to you. OAuth is about authorisation, not authentication.
Just in case you meant authorisation, the user authorises the Project, which may contain multiple client IDs.
Do I pass the AuthToken my user got client-side and try to use that on the server?
You can do, but not a good idea for the reason you state. The preferred approach is to have a separate server Client ID, and use that to request offline access, which returns (eventually) a Refresh Token, which you store in your server. You then use that Refresh Token to request Access Tokens whenever you need them.
AuthToken is ... (and probably not intended to be used from multiple IPs).
It is not bound to a specific IP address
Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Yes
Most of what you need is at https://developers.google.com/accounts/docs/OAuth2WebServer
I've been reading lots of documentation about Google API access and OAuth flow using it but I don't seem to get it working in my mind, so I want to get some help first in order to have a clear idea about how it works then I can code it using the corresponding API.
What I want to achieve is feed a Java application running in a PC with specific Google user data, like localization through Google Latitude API. In order to get this, OAuth must be used, so I need getting the user consent, then access the user data from the application running in my computer, and I don't know how to manage this.
I've already registered my application with the Google APIs Console and enabled the Google Latitude module. I've also tried the Latitude console application here and it works properly (a browser tab opened asking for a Google user; I entered it and I got the location data), but I'm having problems when trying to adapt the program flow to my needs.
In my application, the 'remote' user is supposed to send a request (a custom JSON message) to the server asking for service enable/disable, like allowing the server to track his/her position through Latitude. Then, AFAIK, the server should send to the user a URL so the user can give the consent, but I don't know how to get this URL and how the server realizes about this consent and gets the token (automatically? Google tracks this authorization process?). Once my server gets the specific user token, then I should be ready to get service data for that user using the received token.
As I said before, I've tried according to different references, but as the documentation seems to be really scattered and much of it is already deprecated, I've been unable to get it working.
Judging from your description, the installed app OAuth2 flow seems to be the right one for you.
At some point, presumably when a user is installing your desktop app, you should fire up a browser - either embedded one in your app or the default browser - and sent them to this Google OAuth2 endpoint. In your request, fill out all the parameters as required by the doc: Latitude API scope, client_id, etc. Google, as an authorization server, will take care of user authentication, session selection, and user consent. If the user grants access to her data to your API, you will receive an authorization code either in the title of the browser window or at a localhost port.
Once you have the code, you can exchange it for an access token and a refresh token. The access token is what you need to call the API and access the user's data. It is short lived though - check the expired_in parameter in the response, I believe it is 3600 sec. - so you will need to periodically ping the token endpoint with your long lived refresh token and exchange it for an access token.
You can find a more thoroough description of this flow in the doc linked above.
I am using salesforce rest api to access the salesforce account from my rails app.I created a remote access app and got the key N the id. I was able to authenticate the user and get the auth_token, instance url and all that. But, when I send request at "instance_url/services/data/v20.0" along with the access token , I get this error:
[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]
I have a developer salesforce account and have API enabled true for every profile, except for the "Authenticated website" profile(which is not accessible).
Please, can anybody help me with this?
I'm authenticating the user with following request
HTTParty.post "login.salesforce.com/services/oauth2/token";, :body=>{"grant_type"=>"authorization_code","code"=>"abc}","client_secret"=>"abc", "client_id"=>"abc","format"=>"json","redirect_uri"=>"localhost:3000/salesforce/callback";}
which is returning signature, id, instance_url, issued_at, access_token and refresh_token
HTTParty.get "ap1.salesforce.com/services/data/v20.0";, :headers=>{"Authentication"=>"OAuth access_token", "Content-Type"=>"application/json"}
which responds with
[{"errorCode"=>"INVALID_SESSION_ID", "message"=>"Session expired or invalid"}]
How are you passing the sessionId to the /services/data/v20.0 request?, if your access_token is abc123 then you need a http header of Authorization: OAuth abc123 in the request.
API session in salesforce expires regardless if there are activities or not.
to set the duration of each session go to Setup > Administration Setup > Security Controls > Session Settings>
the max is 8hours.
cheers!
Additionally to the other possible problems identified by the other answers, the Lock sessions to the IP address from which they originated setting in Salesforce is a possible contributing factor to otherwise valid code. From the following Salesforce KB article:
Description
When "Lock sessions to the IP address from which they originated" is enabled, if an OAuth2 access token is used to perform a Salesforce REST API call, INVALID_SESSION_ID might be returned even if the token is obtained in the same Apex transaction.
Resolution
"Lock sessions to the IP address from which they originated" is strict, and internal IP addresses are not automatically whitelisted in this case. Since the login callout and subsequent REST API callouts might be performed via different internal IP addresses, INVALID_SESSION_ID might be returned when using the access token if the mentioned preference is enabled.
To solve this you may use the continuous IP enforcement feature (introduced in Summer '15):
Turn "Lock sessions to the IP address from which they originated" OFF,
Turn "Enforce login IP ranges on every request" ON,
Select the connected app's IP relaxation policy "Enforce IP restriction", and
Add Salesforce's internal IP range 10.0.0.0 to 10.255.255.255 to the list of profiles needing to use Salesforce's REST API.
or simply relax the IP restrictions:
Turn "Lock sessions to the IP address from which they originated" OFF, and
Select the connected app's IP relaxation policy "Relax IP restrictions"
If you are using Oauth you need to use Refresh Token flow, on this error to get a new renewed token. Here are more details : http://wiki.developerforce.com/index.php/Digging_Deeper_into_OAuth_2.0_on_Force.com
Please search for "refresh token" in the WIKI page link above.
Issues I ran into:
Make sure to include the scope "web" in the authorize request, e.g.
https://login.salesforce.com/services/oauth2/authorize?response_type=code&clientId=xxx&redirect_uri=http://www.example.com&scope=id+api+refresh_token+web
Use the instanceUrl that is returned in the authorize response. In my case this was https://eu2.salesforce.com and I always tried to use https://na1.salesforce.com which didn't work
Faced the same issue and in my case < > characters in the password were causing the problem.
I am adding this answer because any of other answers above helped me. My problem was actually that I was using access_token as I received it in the JSON response during login.salesforce.com/services/oauth2/token requests.
You have to remove ID from access_token, as it is described in SalesForce documentation: "Substitute the ID for the token value"