How do I architect microservices and an API globally? - api

I had a question regarding global availability of an API and performance. Basically, we would like to build an API that is central to our business, but it must be highly available and performant globally, meaning, response times of the API should be minimal whether the call is being made in the United States, China, or any other country in the world. The API is actually an interface into a microservice architecture that is domain driven. We are currently using Microsoft Azure as our cloud provider to host these microservices but I wanted to get some suggestions on architecting a solution that makes this performant across the globe. Would we need to deploy services in multiple regions to be able to make this work? If so, how would I route an incoming request to the appropriate region?

I would partition your data by region using username as the partition key. Distribute your microservices and databases around the world in appropriate places, but keep one central login service. As users register with your central registration service, you assign them to a region depending on their home address, IP, or some other geographical indicator. When they return to login the second time (using the central service), you authenticate them and pull their region from the central DB. You can now route all additional traffic to the proper region for the best performance.
You would have to implement a full set of domains in each region.
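As an added example (not code from the answer above), the following sketch shows the central registration and login directory the answer describes: a user is assigned a home region from a geographic indicator at registration, and later calls are routed to that region's deployment, with a failover order if the home region is down. The region names, country-to-region map, base URLs and failover order are all assumptions.

```python
"""Added example: central directory that assigns and routes by home region.
Authentication itself is out of scope; only the region lookup is shown."""
from dataclasses import dataclass, field

# Assumed regions, each hosting a full set of domain services.
REGION_BASE_URL = {
    "us-east": "https://us-east.api.example.com",
    "eu-west": "https://eu-west.api.example.com",
    "cn-north": "https://cn-north.api.example.com",
}
# Geographic indicator (ISO country code) -> home region; constructed map.
COUNTRY_TO_REGION = {"US": "us-east", "CA": "us-east", "DE": "eu-west",
                     "FR": "eu-west", "CN": "cn-north"}
DEFAULT_REGION = "us-east"  # used when the indicator is unknown
# Preference order if a user's home region is unavailable (constructed).
FAILOVER = {"us-east": ["eu-west", "cn-north"],
            "eu-west": ["us-east", "cn-north"],
            "cn-north": ["eu-west", "us-east"]}


@dataclass
class CentralDirectory:
    """The single central DB: username -> home region, nothing else."""
    users: dict = field(default_factory=dict)
    unavailable: set = field(default_factory=set)  # regions marked down

    def register(self, username, country_code):
        """Assign a home region from the user's geographic indicator."""
        region = COUNTRY_TO_REGION.get(country_code.upper(), DEFAULT_REGION)
        self.users[username] = region
        return region

    def route(self, username):
        """After central login, return (region, base URL) to send the
        user's remaining traffic to, falling back if the home region is down."""
        if username not in self.users:
            raise KeyError(f"unknown user: {username}")
        home = self.users[username]
        for region in [home] + FAILOVER[home]:
            if region not in self.unavailable:
                return region, REGION_BASE_URL[region]
        raise RuntimeError("no region available")
```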

Related

How OneShop Provides Account Automation Without Poshmark API Access

I was unable to find a similar question posted in the past on this site. The website, OneShop, provides account automation as a paid service for users selling on the Poshmark platform (as well as other websites).
This includes listing, sharing listings, as well as other services. The number of actions against a user's account can be over 1,000 in a day. The service on the platform is not a web browser extension, so the actions are taking place directly on OneShop servers.
My questions on this topic are these, with consideration of Poshmark having no available APIs:
How is the user's account not flagged for unusual activity from an unrecognized IP address?
How are the OneShop IP addresses, over time, not blacklisted through the course of providing service to 1,000s+ of accounts?
What method of programming would someone use to circumvent the need of an API in this context? Spoofing IP addresses to make it appear the activity is coming from each account owner's IP address?
This is posed as multiple questions, but the core of this post is to understand how it is possible for OneShop to provide the service they offer successfully without leveraging any available APIs with Poshmark.
I very much appreciate this community and frequently come here for support of all kinds in the space of programming.

Do API gateways only have a single endpoint?

I'm learning about microservices and API gateways. Some articles mention that API gateways only have one endpoint. Is that correct?
Let’s say my e-commerce page makes 2 calls, /products and /users to get products and user data, and they are in a Product service and User service respectively.
Does my client make calls to api.com/products and api.com/users separately? Or does it do api.com/exec?endpoint=users (or something like this)?
From the context, it seems that the endpoint here is the domain - api.com. The specific URL inside that domain is something for the API gateway owners to decide on.
Typically there are two different approaches to an API. In your example, there are two services, and one way of exposing them to customers would be:
products.api.yourcompany.com
users.api.yourcompany.com
Clearly, each service would own its own endpoint (domain) and they can use any URL format for specific operations, like /operationAbc or exec?operation=abc etc.
In the second approach, and this is where API gateways shine, both services can be hidden behind a single endpoint, api.yourcompany.com, and the API gateway decides what the actual operation call looks like.
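As an added example (not code from the answer above), this routing function implements both layouts from the answer side by side: per-service hosts such as products.api.yourcompany.com, and a single endpoint api.yourcompany.com where the gateway maps path prefixes to backend services. The hostnames and backend addresses are assumptions.

```python
"""Added example: gateway route resolution for the two layouts discussed."""
from urllib.parse import urlsplit

# Approach 1: each service owns its own endpoint (host). Assumed backends.
HOST_ROUTES = {
    "products.api.yourcompany.com": "http://product-svc:8080",
    "users.api.yourcompany.com": "http://user-svc:8080",
}
# Approach 2: one endpoint; the gateway decides the mapping by path prefix.
SINGLE_ENDPOINT = "api.yourcompany.com"
PATH_ROUTES = {
    "/products": "http://product-svc:8080",
    "/users": "http://user-svc:8080",
}


def resolve_backend(url):
    """Return (backend_base, forwarded_path) for an incoming request URL,
    or raise LookupError when no route matches (the gateway should 404)."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    if host in HOST_ROUTES:
        # Host-based routing: the whole path belongs to that service.
        return HOST_ROUTES[host], path
    if host == SINGLE_ENDPOINT:
        # Match whole path segments so /usersx does not match /users;
        # longest prefix first in case nested prefixes are ever added.
        for prefix in sorted(PATH_ROUTES, key=len, reverse=True):
            if path == prefix or path.startswith(prefix + "/"):
                return PATH_ROUTES[prefix], path[len(prefix):] or "/"
    raise LookupError(f"no route for {url}")
```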

Alexa skill accessing data from inside the company network

Use case: When coming to work I want to ask Alexa things like "Alexa, which employees are ill today?" or "Alexa which project managers are already at work?"
So essentially the Alexa Skill has to access sensitive (employee) data from inside the company's network. As far as I know, Alexa Skills only work with HTTPS and Amazon Lambda (ARN) endpoints. So to enable the Alexa Skill to access the data, we would have to publish some sort of endpoint exposing the data to the web. But this would obviously violate several security/privacy policies.
I'm not really into authentication/authorization of API requests, so I would really appreciate some suggestions on how to make sure only authorized users have access to the employee data.
Thanks in advance.
You could have an API which Alexa talks to. Your API should handle the collection of sensitive data from your organization. Whatever authentication is required by your organization can be done through Alexa as well (e.g. Account Linking), which can basically link the user's organization account. If that is done then we can authenticate the user, and only they will be able to ask for sensitive data through Alexa. Your API would be the main point of control between Alexa and accessing sensitive data. Hope this makes sense.

Getting information about many users using Spotify's API

I've looked briefly through Spotify's API documentation to try and see what exactly can be done with the API. I'm trying to do some data analysis on Spotify data, specifically on user listens / user playlists. However, as far as I can tell, the only way to uncover that information is through OAuth, and each user whose play information I desire would need to explicitly grant permission to my app to use their information. Since I am not building a user-facing app and am interested in doing mass analysis on many users at once, I don't think this would work for my purposes.
My question - is there any way to return multiple users' listening habits through a script that pulls data from Spotify using its API? Or is that possible strictly by way of an application that one user at a time gives authentication to when they load an app that uses this API?
is there any way to return multiple users' listening habits through a script that pulls data from Spotify using its API?
Spotify doesn't expose users' listening habits unless they authorized the app requesting it (I think this is what you meant when you said "through OAuth"). There are pretty big privacy reasons for not exposing users' data to the world.

Is it standard to make each user sign up for a 3rd party API key?

I want to make a desktop application which will need to use a 3rd party REST API to get information. However, the number of requests is limited by the API Key. If I use one API key for all users, the request quota will be exhausted really fast. Now, is it standard (and legal) to make each user sign up for his/her own API key? How are API keys used in context of open-source projects?
To generate the API key, I want to make a sign-up form within the application, where the user puts in his/her information and the application sends that information to the 3rd party website to get an API key. Does that sound right?
In general the use of an API is limited to the requests from one machine and not to the API key most of the time.
Again, it depends on the type of third-party service you are using, but the requests to the service should be made by the client, not the server.
For example, if you want to know the geographic coordinates of a specific place, you obviously can't ask the user directly for GPS coordinates. So you implement the Google Maps JavaScript library in your app, which requests the coordinates for the human-readable address from the Google API and returns them to the client. This in turn sends the data to your server.
In this way your server never comes into contact with the third-party service.
If you have sensitive data or data which shouldn't be manipulated by the user, you have to request it from your server directly, of course. But take a look into the documentation of the service before hacking something together which isn't in the intention of the service provider.
Never ever try to outwit a service provider. They will detect your inappropriate use and block you for all time!