I am trying to come up with something which will be scheduled to run daily and would import newly created invoices from a database into Xero. To have this run daily, I want to avoid logging in manually, i.e. entering a username and password to log into Xero. Is this possible?
So if you are reading and writing data to a Xero org on a customer's behalf, they will need to authenticate that connection a single time. From there you can use OAuth 2.0 access_tokens & refresh_tokens to programmatically run scripts that connect to their org via the Xero API. We are looking at ways to make this easier while maintaining security standards for use cases like this. But for now you will need to prompt a user login and save the credentials in your database/store.
A daily update can be performed without user interaction, but does need the user to authorise your application the first time.
After that, your application can use the 'refresh token' to automatically generate a new access token each day.
2 important things to remember:
1. You need to specify 'offline_access' in the SCOPE to get a refresh token in the response.
2. Save the refresh token to a db or file, and then use it each day to obtain a new set of tokens (without user interaction). When the new tokens are obtained, use the access token to perform your updates, and save the refresh token for tomorrow.
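The daily job described in the two points above, as an added example (not code from the answer or from Xero): it builds the one-time authorize URL with offline_access in the scope, and each day trades the stored refresh token for a new pair, persisting the new refresh token before the access token is used. The endpoint URLs, the JSON file used as a token store, and the injectable `post` transport are assumptions; `refresh_tokens` works with whatever the token endpoint returns, so it also handles servers that rotate the refresh token on every call.

```python
"""Added example: keep a daily job authorised with an OAuth 2.0 refresh token.
Assumptions: the Xero authorize/token URLs below, a client id/secret, a JSON
file as the token store, and an injectable `post` function (so it runs offline)."""
import base64
import json
import time
import urllib.parse
import urllib.request
from pathlib import Path

# Assumed OAuth 2.0 endpoints; confirm against the Xero documentation for your app.
AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"
TOKEN_URL = "https://identity.xero.com/connect/token"
# offline_access is the scope that makes the token response carry a refresh_token.
SCOPES = "openid profile email accounting.transactions offline_access"


def build_authorize_url(client_id, redirect_uri, state):
    """First run only: the user opens this URL once and approves the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
        "state": state,  # random per-request value, checked on the redirect back
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def _http_post(url, data, headers):
    """Real transport: form-encoded POST, returns the parsed JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(data).encode(), headers=headers
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def refresh_tokens(store_path, client_id, client_secret, post=_http_post, now=time.time):
    """Daily step: exchange the stored refresh_token for a fresh token pair and
    persist the refresh_token that comes back *before* the access token is used,
    so a crash mid-import never loses tomorrow's credential."""
    store = Path(store_path)
    saved = json.loads(store.read_text())
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = post(
        TOKEN_URL,
        {"grant_type": "refresh_token", "refresh_token": saved["refresh_token"]},
        {"Authorization": "Basic " + basic},
    )
    if "refresh_token" not in body:
        raise RuntimeError("no refresh_token in response: was offline_access requested?")
    saved = {
        "access_token": body["access_token"],
        "refresh_token": body["refresh_token"],
        "expires_at": now() + int(body.get("expires_in", 1800)),
    }
    store.write_text(json.dumps(saved))  # saved first, used second
    return saved
```

Only the refresh token (and the client secret) need to be protected at rest; the user's Xero password is never seen by the job at all.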
We are working on setting up a Tableau extract refresh through API invocation. We are using personal access tokens from Tableau for authentication. While we are able to establish the communication and retrieve details on the Tableau site, we get a 401002 response when we try the extract refresh. Is there a need for an additional privilege on the access token to set the extract refresh?
Any pointers on this would be of great help!
Make sure that the user whose PAT you're using is the owner of the workbook (and hence of the extract refresh schedule). If not, the extract refresh request will fail. Alternatively, if the user cannot be the owner, they must be a server administrator or site administrator on your Tableau server.
Also make sure you already have a schedule for the extract refresh. If one doesn't exist, you can create it with the Create Schedule method (with the API this can only be done by server administrators, on the browser the owner of the workbook can do this).
From the Tableau API docs, also note that "A REST request to start a refresh task will fail if the task has been put in the task queue in any of these ways, or is already in progress". This might also be one reason why it fails.
I am currently building a Flutter app which lets users do personality tests, and until now I planned to do it without forcing users to register an account via Firebase (as this is annoying for many users).
The problem I am facing now is that I need the test results from the users, so that I can tell the users in the result section how their results compare to the average of all people who have done the test.
If a user does not register, the test results would be saved locally on the device. Will it then still be possible to save the test results in an online database?
If you don't want to force users to sign in but still need to differentiate between them, you can use Firebase Anonymous Authentication, which will create a user account in Firebase and return a UID just like any other auth method. A new anonymous sign-in can be created by using the signInAnonymously() method:
UserCredential userCredential = await FirebaseAuth.instance.signInAnonymously();
As you get a unique UID for each user, you can then store data in the database itself instead of storing it locally. If the user proceeds with registration, you can convert this anonymous account to a permanent account using the linkWithCredential method. The UID of the user remains the same.
Do note that if the user logs out of the anonymous account, then there is no way to retrieve that same anonymous account back.
Working on a very basic React-Native app with a login form, fetching data from an API and displaying it. (Token-based OAuth2 with Password Grant Type)
Question: When is the best time to retrieve data from my REST service again?
Currently I only fetch the data once, and that is when the user logs in.
Possible Solution: My idea would be to save the user data (username,password | token) in AsyncStorage (or SecureStorage) and to query it again every x minutes. Is that the normal workflow, or do I have a major security gap?
I did not include any code, because it is a question of understanding and I shouldn't have any problems with the programming part.
Storing the user's password is a big NO.
If your server is using standard OAuth2, normally the sign in response would include an access token and a refresh token. See the standard doc.
The access token is embedded in the app's requests to the resource server in the session.
The refresh token is used to retrieve a new access token, either when the current access token has expired, or when a new session is started. So this refresh token is what the app should save, across sessions.
The refresh token's lifespan should be reasonably long such that the client, in this case your app, doesn't have to worry about redoing user sign in.
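The split the answer describes, as an added example that is not part of the answer: the refresh token is the only thing persisted across sessions, the access token lives in memory with its expiry, and a refresh happens exactly when a session starts or the access token has expired (plus one retry on a 401). The `secure_store` dict stands in for the platform keychain or SecureStorage, and `refresh_fn` / `request_fn` are injected callbacks standing in for the HTTP calls to the token endpoint and the REST service; all three are assumptions of this example.

```python
"""Added example: client-side token session for an OAuth2 password-grant app.
Assumptions: `secure_store` is a dict standing in for the keychain, and the
two callbacks stand in for the token-endpoint and REST-service HTTP calls."""
import time


class TokenSession:
    # Refresh slightly early so a token does not expire in the middle of a request.
    SKEW_SECONDS = 30

    def __init__(self, secure_store, refresh_fn, request_fn, now=time.time):
        self.store = secure_store      # persists ONLY the refresh_token
        self.refresh_fn = refresh_fn   # (refresh_token) -> token response dict
        self.request_fn = request_fn   # (path, access_token) -> (status, body)
        self.now = now
        self.access_token = None       # memory only, never written to storage
        self.expires_at = 0.0

    def sign_in(self, token_response):
        """Called once with the password-grant response. The password itself is
        discarded by the caller; only the refresh_token it yielded is kept."""
        self._adopt(token_response)

    def _adopt(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + float(resp.get("expires_in", 0))
        if resp.get("refresh_token"):
            self.store["refresh_token"] = resp["refresh_token"]

    def access_token_valid(self):
        return (
            self.access_token is not None
            and self.now() < self.expires_at - self.SKEW_SECONDS
        )

    def get_access_token(self):
        """New session (nothing in memory) or expired token: refresh. Otherwise reuse."""
        if not self.access_token_valid():
            rt = self.store.get("refresh_token")
            if not rt:
                raise PermissionError("no refresh token: the user must sign in again")
            self._adopt(self.refresh_fn(rt))
        return self.access_token

    def fetch(self, path):
        """Call the REST service; on a 401 refresh once and retry, then give up."""
        status, body = self.request_fn(path, self.get_access_token())
        if status == 401:
            self.access_token = None  # force a refresh on the retry
            status, body = self.request_fn(path, self.get_access_token())
        if status == 401:
            self.store.pop("refresh_token", None)  # refresh token is dead too
            raise PermissionError("session expired: the user must sign in again")
        return body
```

With this in place, "when to fetch data again" becomes purely an application question (on screen focus, on pull-to-refresh, every x minutes); the token handling is the same for every call, and nothing sensitive beyond the refresh token ever reaches storage.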
We use XERO to authenticate and sign in to our app on Firebase; however, we don't want a user to connect with multiple organisations, we just want a user to sign in and choose a single organisation.
If we remove all tenant connections from our app once a user has finished signing in, this will solve our problem, and we already do this upon logout for the same reason.
I just wanted to find out, are there any implications of doing this? Will our logged in user still be able to make API calls and get new access tokens?
I could not find any info of this in the XERO docs.
Thanks
The list of connected tenants represents the orgs whose Xero data the user has authorized your app to interact with on their behalf. Deleting a connection by making a DELETE call to the connections endpoint with the connection ID will effectively un-authorize your app to interact with that org's Xero data until the user reauthorizes your app to do so.
So, the shorter answer is: no, you won't be able to make API calls for that org after disconnecting.
What I think you are after is limiting the XeroAPI access_token to only be able to write to a single org at a time. This can be achieved through your UX by simply deleting all connections if they try to go through your authorize flow a second time.
That way you are limiting their API connection to a single org, and if they want to change the org they are connecting to they can use your UI to disconnect/reconnect to another one.
XeroAPI Documentation
https://developer.xero.com/documentation/oauth2/auth-flow
Removing connections
If you would like to remove an individual tenant connection from your app (e.g. a user wants to disconnect one of their orgs) you can make a DELETE request on the Connections endpoint:
DELETE https://api.xero.com/connections/{connectionId}
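The single-org rule the answer suggests, as an added example that is not code from the answer or from Xero: after the user finishes the authorize flow, list the connections, keep the one for the org they chose, and DELETE every other connection, plus the disconnect-everything path the question already uses on logout. It assumes the GET on the connections endpoint returns a JSON list of objects with "id" and "tenantId" fields (check this against the Xero documentation for your API version), that DELETE answers 204, and that `http` is an injectable callable so the logic can run offline.

```python
"""Added example: enforce one tenant connection per user in a Xero app.
Assumptions: GET https://api.xero.com/connections returns a JSON list of
{"id": ..., "tenantId": ...} objects, DELETE returns 204, and `http` is an
injectable (method, url, access_token) -> (status, parsed_body) callable."""
import json
import urllib.request

CONNECTIONS_URL = "https://api.xero.com/connections"


def _http(method, url, access_token):
    """Real transport: bearer-authenticated request, JSON body if any."""
    req = urllib.request.Request(
        url,
        method=method,
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def keep_single_tenant(access_token, keep_tenant_id, http=_http):
    """Keep the connection for keep_tenant_id and delete every other one.
    Returns the kept connection, or None (deleting nothing) when that tenant is
    not connected, so the caller can send the user back through authorize."""
    status, connections = http("GET", CONNECTIONS_URL, access_token)
    if status != 200:
        raise RuntimeError(f"listing connections failed: HTTP {status}")
    kept = next((c for c in connections if c["tenantId"] == keep_tenant_id), None)
    if kept is None:
        return None
    for conn in connections:
        if conn["id"] == kept["id"]:
            continue
        status, _ = http("DELETE", f"{CONNECTIONS_URL}/{conn['id']}", access_token)
        if status not in (200, 204):
            raise RuntimeError(f"disconnecting {conn['id']} failed: HTTP {status}")
    return kept


def disconnect_all(access_token, http=_http):
    """Logout path: remove every connection. After this the token can reach no
    org at all until the user authorizes the app again. Returns the count removed."""
    status, connections = http("GET", CONNECTIONS_URL, access_token)
    if status != 200:
        raise RuntimeError(f"listing connections failed: HTTP {status}")
    for conn in connections:
        status, _ = http("DELETE", f"{CONNECTIONS_URL}/{conn['id']}", access_token)
        if status not in (200, 204):
            raise RuntimeError(f"disconnecting {conn['id']} failed: HTTP {status}")
    return len(connections)
```

Deleting only the other connections, rather than all of them, is what keeps the user's access token usable against the org they picked; deleting all of them is the logout case, after which every API call will fail until the user re-authorizes.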
I need to give out Dropbox api access tokens and then be able to revoke access at a later time, then I need to be able to generate more access tokens to give out without the user verifying my application again. I thought I would be able to do this using the authorization code multiple times, but it only lets me generate one access token for each authorization code. Does anyone know how to do this without getting more input from the user?