Developing Telegram like application using GetStream.io - channel

For example, in Telegram, we have channels (private / public) and, their members can join and post into it. So, like that, I am trying to implement this feature using GetStream where :
Member can create private and public channel.
Member should have right to join any public channel.
Member can get right to post, also.
Can anyone, please, suggest how this can be implemented using GetStream ? Please help.

The three points you mentioned are possible.
Most of that can be configured in the Stream Chat dashboard's permissions section for a given channel type. (Image below)
You can create channel types for private and public channels and set the permissions as desired (user can create private and public, user can post, etc).
For the second point (user can join any public channel), you can set the permissions so normal users can see the messages and interact with the channel, and if they want to join as a member, you can use the invite API or changing channel members API.

Related

API Keys Symfony and JWT Authentication

My question is more about logical understanding than in my code itself (at the moment).
I created an API with Symfony and thanks to the tutorial on KahereCode.
I have now 2 possible clients, an application and a website.
I have some resources that must be public, for example the creation of user implies that my POST point of USER is public.
Currently, I have JWT Authentication bundle that returns a JWT token for the endpoints I have set as private.
This allows to identify the user and to limit the data to his own.
Only, isn't it possible to add an API Key in addition to this in order to identify my 2 clients and to limit the access to public resources to these two?
I would like to avoid, by leaving the endpoints completely public and vulnerable, that someone could launch a script to send data to a public POST endpoint that would overload the API, and even create unwanted users. (Well, I could still manage that with an email verification).
Can anyone help me understand how to set this up or point me to an alternative to what I'm presenting here?

How can one manage the access of a book created using GitBook?

I have created a book using GitBook. I want only specific set of people to be able to read my book. These set of people should be able to access it by logging in somewhere or by any other method. How shall I achieve this?
Even if the link is public, how shall I restrict the users who see it?
(I don't want to add them in the collaborators list)
As mention in "How can I grant read-only access to a private book? "
There are two ways to grant read-only access to a private book:
by inviting him as Collaborator, or
by creating an Access Key.
So in your case, providing your book is private (private GitHub repo), an access key is a solution, but you cannot easily control the set of people using it; ie: you can only control the set you are giving the token to.
So that means you have to provide your own front-end, with user account management, in order to give access to the book. But GitBook itself does not have such mechanism.

Is redirecting (for roles specific content) in a REST API a good idea?

Lets imagine we have a resource URL /course/{id} in a REST based API. We also have two different roles: user and member. A user is just a normal user and a member is a user who has subscribed for a specific course.
A course has some public information (like name or description) visible for all user and some additional private information only visible for a member of the course.
I have decided to prefix all member specific content with "member". So the URL for a member would be /member/courses/{id} which shows the public and private information.
In short:
URL (only for role member): /member/courses/{id} => return public and private information
URL (for all): /courses/{id} => return public information
If now a member tries to access the public site /courses/{id} I would like him to be redirected to the member URL.
HTTP/1.0 303 SEE OTHER
Location: /member/courses/{id}
Is that RESTfull? Or is it better (while following HATEOAS) to provide for resources for which a user is NOT a member only the URL /courses/{id} and for resource for which a user is a member provide the URL /member/courses/{id}?
It doesn't sound too RESTful indeed, I think you'd be better off with the latter approach, building the relationship URLs depending on the user class (since you've already decided on the URL and not displaying that private information is out of the question).
Alternatively you might've split that "private information" into a separate entity, and just control the access policy for it - unless it doesn't really make sense to split it from a business/domain point of view.

Instagram API - Getting feed of private user whom the authorised user follows

I am using Instagram API for my application. I need access to the feed of private users whom I am following, but the response is:
code: 400
error_type: APINotAllowedError
error_message: you cannot view this resource
I could not find anything in the documentation regarding this.
I was hoping that as I am able to see the user's feed on my app, I would be able to retrieve the same using the API.
Any way around this?
Please help.
[As instagram changes their api, this tips may not work forever]
I faced same issue and the cause is it happens when the posts are private , even if user access token is passed with endpoints this errors happen.
Solution: just in place of userid use 'self' for private profile. means if a profile has private posts then who connects should be the same person of the profile and other person can not view his/her posts.
Example:
https://api.instagram.com/v1/users/USER_ID/media/recent/?access_token=USER_ACCESS_TOKEN_HERE if this endpoints shows error then use
https://api.instagram.com/v1/users/self/media/recent/?access_token=USER_ACCESS_TOKEN_HERE
(just replace 'userid' with 'self')

Instagram Realtime Tag API w/private users

I know there are reports of various issues when trying to pull pictures posted by 'private' users. We are working on a project that we want to use the real-time api for. After a private user approves our account, we are able to view images posted by them through the api's as expected. In addition when searching by tag we see their images. The real-time API reports the image when we subscribe to the user endpoint. We want to subscribe to the tag api, the issue is that while everything else works with private users, for some reason when a private user posts an image with a tag for which our client has subscribed, the notification is not set. It is working fine for public users, and if we search (without real-time notification) we are able to see the image. The only thing I can think of is that for search to work we must use our access key for our account (not the posters), not our clientid, perhaps real-time needs to use the same security by accesskey rather than client id?
You are correct:
we must use our access key for our account (not the posters), not our clientid
Because the privacy permissions are per-account, if you are making authenticated API calls on behalf of the user, this will not work. In theory, if you kept your hourly API calls under the 5000 limit, you could technically proxy or cache the private photos, however, rather than looking at a complicated workaround, you're better to just adhere to the API ToU:
If your application has any cached copies of User Content that has become "private," you must remove such User Content as soon as reasonably possible.
The realtime API is a bit different than the regular API as well, in that while you may or may not receive a notification of a post (it's not the most reliable service), it does't contain any data, and you're still going out to fetch the relevant data using either your own access_token, your app client_id/secret, or an authenticated user token.