I use Nextcloud as a normal user to store and share files.
I decided to use it as a backend for a web application I am developing so that I can store the files in Nextcloud while the frontend is done by me.
I spent some hours on the API docs
https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/index.html
and, with some disappointment, unless I have not made a mistake, I realized that the only API that can be used from outside Nextcloud is the WebDav API.
This is a minimalistic API that allows doing basic things such as uploading a file by passing the full path like with this GET statement (authenticated by basic auth passing username and password in the headers:
GET https://nextcloud.example.com/remote.php/dav/files/username/FolderOne/SubFolderTwo/HelloWorld.txt
This will download the file located in /FolderOne/SubFolderTwo/HelloWorld.txt
with a PUT request, it is possible to overwrite the file by passing the file content in the raw body request
This is very effective but minimalistic.
I was expecting to have a full REST API to access more properties and perform complex operations.
Could you please tell me if I missed some important information?
There is the OCS API but it works only from inside Nextcloud.
Thanks.
A full REST API is avaiable - https://docs.nextcloud.com/server/22/developer_manual/client_apis/OCS/ocs-api-overview.html
Create a Share - https://docs.nextcloud.com/server/latest/developer_manual/client_apis/OCS/ocs-share-api.html
The OwnCloud documentation also offers more examples
https://doc.owncloud.com/server/10.8/developer_manual/core/apis/ocs-share-api.html
You can register an App id and use that to login or passthru a username and password in the authentication header.
Related
I try to migrate from eBay Finding API to Browse API. My technical setting is quiet easy:
A Server searches the Browse API to find products by a keyword. Thats it.
Does anybody know if I need to implement OAuth, a redirection page for eBay-Users to log in etc.? I don't need all those features..
Thanks!
You can use the browse API with the client credential flow that mints the Application access token.
Application tokens are general-use tokens that give access to interfaces that return application data. For example, many GET requests require only an Application token for authorization.
See Documentation
The client credential flow does not require a User to Login via eBay and the redirect etc. However, you can only use the "GET" methods like getItem, getItemByLegacyId or search for example.
If you using NodeJs or Browser you can checkout the "Get Item" example here. (The library will get the Application access token automatically and return the result.)
I have an endpoint on my API that serves PDFs to users, and a web app that displays a link to the endpoint in a simple href to allow the user to click on the link and have the PDF download and display directly in their browser. A sample link to an endpoint would look like:
<a href=http://localhost:51660/api/v1/MyAPI/GetPDF?id=94a8ea0b-aec9-4812-839f-a2f7f4d0e122>
This works just fine, the problem is this endpoint is difficult to secure as I can't really pass the JWT token in the headers as we would for the other endpoints in the API since it's just a simple link in order to use the native PDF viewer in browsers. I can try storing a cookie from the front end with the JWT token then try to read this from the API, though this feels like a clunky solution to add in cookie authentication and use this for a singular route in the API, when everything else uses JWT bearer authentication but I can't think of any other way around this.
I need to be able to pass the token so that I can verify the user and the organisation they are a part of to ensure they aren't trying to access a file they shouldn't be allowed to view, but I can't really think of a non-clunky way to get around this. Is this something I'll just have to accept?
I just installed Directus, but I have to create the HTML interface, and I can't extract the data via the API. How can I use the static API? That is, with some kind of static token (the front will do it with PHP).
I have the Directus suite (APP + API https://github.com/directus/directus) installed and the HTML will be hosted on the same server.
Directus has built-in static tokens that can be assigned to any Directus User, and inherits that user's permissions. You can set this static token in directus_users.token (plaintext), and then use it to authenticate to the API. This is less secure than the other auth methods, but that depends on how you use it.
https://docs.directus.io/api/reference.html#tokens
The other option would be to set the data you need to "public". Obviously that only works if that data is public (READ)... but that is the case for many websites.
Thanks RANGER, I have the following installation:
URL:
https://cms.domain.com/public/ (APP + API Directus)
I have reviewed the column of the table you comment, and there is indeed a token already established:
BGJFwQ1KlHnH91V2oIwMbOsG
$contents = file_get_contents('https://cms.domain.com/public/_/collections/categories?access_token=BGJFwQ1KlHnH91V2oIwMbOsG');
var_dump($contents);
But it does not work, I have read the documentation more than 10 times and I have been with the subject for days, I wanted to solve it myself, but I cannot find the error using file_get_contents () or curl in PHP to call the API.
The Directus ADMIN is in:
https://cms.domain.com/public/admin/#/
I have taken the token from the ADMIN user, and therefore I understand that you have all the permissions to use the API. In the example, I wanted to list the "categories" (collection), which have 3 records.
Solved: curl https://cms.domain.com/public/name-of-project/collections?access_token=BGJFwQ1KlHnH91V2oIwMb34343G
Solved: I should use the **project name instead of "_" (default project).**
I am sorry that it is such a basic mistake, but I have come across several people with this problem.
My Vue.js app which interacts with data via a Node.js backend accesses both sensitive and non-sensitive data. I have been able to protect the API's on the Node server, the ones working with sensitive data (such as updating pricing information) using the google authentication API. This requires a user to have to login with a google account before being able to interact with those API's.
I'm now trying to protect the API's which simply retrieve non-sensitive data (such as Names, descriptions, prices of products I sell, etc.) so that even said API's cannot be accessed directly without some form of authentication. ie. If I used something like Postman to retrieve data from the API directly, without authenticating I would not be able to get any data. However, these API's are accessed from a part of the Vue.app which does not require login. ie. Users on the site may see Product, pricing etc. information without having to login first.
In order to protect these "non-sensitive" API's I would have to pass some "secret" such as an API Key from the Vue front-end to the Node backend. I believe from 2 other posts I've done (here and here) that it isn't possible to pass Environmental variables into a Vue App at run-time (I'm using Vue CLI 3). This leaves me with having to hardcode the API Key into the front-end code which means it is no longer "secret" or secure.
I'm in essence trying to do "Application Authentication" but without the ability to pass ENV Variables in Vue at run-time I don't know how to do this securely.
Everything I read on the internet points to either:
Passing ENV Variables into Vue at build-time (which isn't secure in this scenario); or
That I'm missing something for wanting to pass ENV Variables into Vue at run-time in the first place.
Question: Am I overthinking or overcomplicating things by trying to protect data which isn't sensitive?
One way of doing so is the following:
Upon successful authentication generate a JSON Web Token
Send token back to the client (Vue app) and store it in the browser's local storage
On the API route you want to secure add a function that will check whether the the request contains the token you provided on Step 2. You can send the token as part of the request body or maybe a header.
This is a simple yet effective way of securing an API.
Currently I'm trying to access data from my shopify store through local host and I'm getting the CORS error. I realize this question has been asked but I couldn't find an answer. Also I realize that this is a bad practice since credentials are exposed. I have a local computer that for a reason (with out taking the time to explain it) needs to be able to GET data from my shopify store. This HAS to be done in javascript so I am using XMLHttpRequest like so:
var url = "https://apikey:secretkey#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
this is based on this answer on SO: shopify how to get product data using php in my localhost
In the above I'm passing my apikey and secret key from an app I've setup and approved on my account. One thing I didn't do is whitelist my ip which I'm not sure if that's what would allow me to get the data. This returns a CORS error.
I've also tried this:
var url = "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2";
Here I pass my username and password and I get the CORS error also.
What is a challenge is that if I'm logged into the account or not logged in when I go to my browser window I can go to this url: "https://username:password#mystore.myshopify.com/admin/orders.json?limit=25&page=2"; and the json data appears in my browser window.
Again this has to be done in javascript and it has to be done from a local computer.
The way I went about this is forget the XMLHttpRequest. To access the shopify api via my local host I used the node library provided here: https://www.npmjs.com/package/shopify-api-node
I'm marking this as the answer just in case someone in the future is attempting to do this.