Check if an Auto-Submit URL has been flattred - flattr

There is currently no easy way to check if an auto-submit URL has been flattred by the authenticated user.
The current way is to
get the thing, which is 1 request
then get the list of all flattred things of the authenticated user, which is another request and a potentially really big response
then iterate over the list and match the thing, which is a performance bottle neck
All this makes it unusable for a mobile client like an iOS device. There needs to be a new call. My proposal is:
GET https://api.flattr.com/rest/v2/flattred?url=auto-submit-url
Response:
{
"message": "found",
"description": "The url has been flattred.",
"location": "https://api.flattr.com/rest/v2/things/:id"
}

We had mistakenly not documented the "flattred" parameter on a thing - it should tell you whether the thing is flattred by the authenticated users.
So do a /lookup on the auto-submit URL and check the "flattred" parameter on the thing it gives you.
We've added it to the documentation now: http://developers.flattr.net/api/resources/things/#get-a-thing

Related

Http delete request to Google Directory API returning 412 Precondition is not met: location If-Match

I have been using Postman to send http requests to Google's Directory API. The GET request works fine (which shows that the admin token as well works fine) to get info for a user.
But, what I need to do is delete the user, and when I try this, I get the following back:
{
"error": {
"code": 412,
"message": "Precondition is not met.",
"errors": [
{
"message": "Precondition is not met.",
"domain": "global",
"reason": "conditionNotMet",
"location": "If-Match",
"locationType": "header"
}
]
}
}
I was presupposing that I was missing the etag, which is what I added from the user, but it did not work. I also tried adding "*" to the If-Match tag, and that did not work either. Maybe there is a way with a put or patch request?
The API reference is this: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/delete
The API does not work on Google's reference page either. I have also tried this in multiple domains where I am the super-admin so the error is not related to a specific super-user or domain.
I have also made sure, in multiple tests, that the user I am trying to delete is not an admin of any type.
I am adding images below to show that the GET api works fine. So I just need to know how to format the API request to be able to delete the user.
Ok, after talking directly to Google and even seeing that Jay Lee (author of GAM) ran into the same problem, we found out that you can't delete a user if:
It has a license of some sort
It's an admin
It has a Google Vault retention rule applied
To be able to delete a user from now on, you must remove all these things (licenses, admin privileges, Vault retention rules) or you must transfer the information of that user to another user (along with whatever else Google asks you to remove beforehand).
The "Precondition is not met" is vague and Google should change this, but it means that one of the three things above have not been removed yet.
Below I am adding multiple links to confirm what I mentioned above as well as the APIs you need to use on users before being able to delete them.
https://groups.google.com/g/google-apps-manager/c/83kR-4MoPk0?pli=1
https://github.com/GAM-team/GAM/releases?gam-releases
https://developers.google.com/admin-sdk/data-transfer/reference/rest/v1/transfers#DataTransfer
https://developers.google.com/vault/guides/holds#python
https://developers.google.com/vault/reference/rest/v1/matters.holds.accounts/list

Ebay API: Connection between "Developer Account" and "Ebay Account"

A am just beginning to familiarize myself with the eBay RESTFUL API, forgive me this basic question, but I found no answer yet.
I have an eBay account since many years ago. I registered a developer account (same eMail address) recently, and I got the Tokens for Sandbox and Production. I have successfully used public APIs like list items, search items, and such, to verify the tokens, by querying some items in eBay.
How do I preceed from here to access data specific to my eBay account, like, for instance, the list of purchases and sales? Somehow I need to connect my app to my live eBay account, I guess, and give my app permissions to read data, but I could not find any matching setting in my eBay account settings nor in the API calls.
Please guide me through the next step: how do I give my app the required permissions, and how do I build a simple read-only query to query, for instance, the items I have purchased.
I think this question does not depend on any programming language, feel free to use any programming language you like.
Many Thanx!
Ok so if we are talking only about Authorization token and calling seller api like orders (in ebay it's called fullfilments i believe).
We need to start with creating User Token.
You can create one here:
Then you need to add ebay redirect URL:
I don't know much about Auth'n'Auth so I will talk only about OAuth
After adding new redirect URL you should add url address for authorization success and failure.
You will be redirected there after authorization.
Now we can test if generation of token works.
For this example i did set my redirect url like that:
We need to click "Test Sign-in" (set radio button to OAuth before)
You should be redirected to website:
You need to sign in with account which have access to sandbox.ebay.com or ebay.com (depends if you are on sandbox or production environment)
After logging in I don't remember if there will be another window with confirmation of App scopes to confirm (I already done it before).
But if that is the case just click confirm button.
Now you should be redirected to https://localhost.com which we did set up as our success redirect url
Url should look like that
https://localhost.com/?code=v%5E1.1%0VeMTI%3D%3D&expires_in=299
That code parameter is much longer btw. And you can see that it's url encoded so you need to decode it before using
And now you are almost at home :D
You have 300 seconds to call a POST request to authorize with that code parameter.
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Header required
Remember first screen shot?
You need to go there and get your App ID, Cert ID then concatenate it with ":" then encode it to Base64 and add before that value "Basic " keyword.
In pseudo code it should looks like that:
Authorization:Basic Base64.encode(AppID + ":" + CertID)
Body required
format of Body needs to be "x-www-form-urlencoded" (key:value format basically)
here you need
grant_type:authorization_code
code:{code}
redirect_uri:{redirect_name}
{code} - is value from success authorization url
{redirect_name} - you can find it on screen below marked with red circle
If you did everything right you should get response from ebay
{
"access_token": "v^1.1#i^1#r^0VbbxW1wjv4HZGAAA",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#f^0#r^FDQ=",
"refresh_token_expires_in": 47304000,
"token_type": "User Access Token"
}
You should save that data, access_token is used for accessing data, refresh_token is used to refresh access_token.
Example request with authToken
GET https://api.sandbox.ebay.com/sell/fulfillment/v1/order?filter=creationdate:[2022-03-31T08:25:43.511Z..]
You need Authroization header:
Authorization:Bearer v^1.1#i^1#r^0VbbxW1wjv4HZGAAA
That's it I guess. To implement that into your app you need to be able to generate the first url which you are redirected to after clicking "Test Sign-in" and that's basically it.
Btw you refresh token like that
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Body x-www-form-urlencoded
grant_type:refresh_token
refresh_token:v^1.1#i^1#f^0#r^FDQ=
Header
Authorization:Basic Base64.encode(AppID + ":" + CertID)
I hope that will help someone. :)

How to achieve the Dropbox equivalent of long-lived token now that they're gone (dropbox-sdk-js, Meteor, React)

For a while now I've been using dropbopx-sdk-js in a Meteor application without any trouble.
My Meteor app simply uses Dropbox to fetch images to be used in product cards. These files are synced now and then and that's it. By synced what I mean is they are scanned, shared links created or obtained, and some info is then saved in Mongo (name, extension, path, public link)
End users do not remove nor add files, nor are the files related to an end user specific account.
To achieve this, I created (in the far past) an App in the Dropbox App Console, generated a permanent token, and used that token in my Meteor app to handle all the syncing.
Now I've tried to replicate that very same thing in a new similar project, but found that the permanent tokens have been recently deprecated and are no longer an option.
Now, checking Dropbox's Authentication Types it seems to me like "App Authentication"
"This type only uses the app's own app key and secret, and doesn't
identify a specific user or team".
is what I'm after. I can safely provide app key and secret in the server exclusively, as the client will never need those. The question is how do I achieve such kind of authentication? Or for that matter, how do I achieve an equivalent of the long-lived token for my app, ultimately meaning that end users don't actually need to know Dropbox is behind the scenes in any way (and they surely don't need dropbox accounts to use this app nor should be prompted with any Dropbox authentication page)
In the js-sdk examples repo, I only found this example using app key and secret. Yet afterwards it goes through the oauth process in the browser anyways. If I don't do the oauth part, I get an error
"error": {
"name": "DropboxResponseError",
"status": 409,
"headers": {},
"error": {
"error_summary": "path/unsupported_content_type/...",
"error": {
".tag": "path",
"path": {
".tag": "unsupported_content_type"
}
}
}
}
as a result of calling
dbx.filesListFolders({ path: '', recursive: true }):
If I replace the initialization of the dbx object with a generated token everything works out. However eventually the token expires and I'm back in square one.
Any ideas what may I be missing?
The short answer is:
You need to obtain a refresh-token. You can then use this token for as long as you want. But in order to get it is necessary to go through at least one oauth flow in the browser. Then capturing the generated refresh-token in the backend. Then store it and use it to initialize the API. So it's kind of "hacky" (IMO).
For example, you can use the mentioned example code, and log/store the obtained refresh token in this line (as per Greg's accepted answer in the forum). Then use that value as a constant to immediately call the setRefreshToken method (as done in that very same line) upon initialization.
The long answer is:
ClientId + Client secret are not enough to programmatically generate a refresh token.
Going through the oauth flow at least once is mandatory to obtain a refresh token
If you want to hide such flow from your clients, you'll need to do what the short answer says.
The intended flow of usage according to Dropbox is: each user access his own files. Having several users accessing a single folder is not officially supported.
The longer answer is:
Check out the conversation we had in the dropbox forum
I suggested to replace the "Generate Access Token" button in the console for a "Generate Refresh Token" button instead. At least it made sense to me according to what we discussed. Maybe if it gets some likes... ;).

Appropriate HTTP status for redirecting to authentication in a REST api

I'm kind of surprised that, after searching for this for a while, I didn't find as many answers as I thought would be out there (well I found none), so maybe by asking it here we can help improve search results.
I'm building a REST api which has JWT-based authentication. There is an /auth/login route which returns the token after login/password verification, and the token is subsequently sent in every route in a Authorization http header.
Not, suppose that someone queries another route (say, /cars), without sending the token (that is, before logging in). If I return a 401 unauthorized, I can make the frontend query /auth/login to get the token.
But, strictly speaking, this does not conform to the REST specification, because every resource should be discoverable from the initial one, and a client accessing /cars and receiving a 401 will not know about /auth/login.
So another option would be a redirection like 302. But this semantics means that the resource was temporarily moved, and this is not the case (the resource is still /cars, you just need to authenticate first).
So, what is the correct way to do this procedure in a "true" rest api?
I 100% agree, and that's why I proposed this standard:
https://datatracker.ietf.org/doc/html/draft-pot-authentication-link-01
The idea is that for cases like this, you should be able to return a Link header with an authentication rel, so the client can discover how to proceed.

Google Simple API key stopped working

I'm using Python/Twisted to do asynchronous HTTP calls to the Google+ API. Our client app passes over the user's access_token and we do an API call to...
https://www.googleapis.com/plus/v1/people/me/?%s&key=%s&
... where %s and %s are being filled with a valid access_token and (supposedly) valid Simple API Key, respectively.
Everything was working beautifully yesterday. Today I continued to work on the unit tests for this when the API suddenly started returning:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
usageLimits, keyInvalid... Okay, I get it. I've seemingly hit the usage limits and they have invalidated API keys coming from this account. Except, I haven't...
The "Courtesy Limit" is supposed to be "10,000 requests/day", yet I've only made a couple hundred calls (according to Google's own usage graphs), and I am still seeing "0% used" on the quotas tab.
I would have brought this to Google directly, but they seem to have dropped their Developers Google Group in favor of a Google+ discussion that doesn't actually receive any responses.
Any help or guidance is extremely appreciated. Thanks!
The answer was quite simple! You can't send both the access_token and the key in the same API call. If you use the access_token you're authenticating the API call as the user, if you use your projects Simple API Key you're authenticating as yourself. If you use both, the call fails.
Just so we are clear, you are using your key from your Google API Console page? On there you should see a tab for "API Access" near the top left hand corner of the page. Make sure that the API Key you are using is your Key for browser apps (with referers) Key, otherwise it won't work.
At any rate, an API Call for me looks like this:
https://www.googleapis.com/plus/v1/people/114789529333378876576?key=ENTER_YOUR_KEY_HERE
You should be able to make at least one API Call per day without a valid Key.
This took me quite a long time to figure out, so hope to save some time to someone else :)
Take a look at thi spost, by google staff (in 2012..) https://groups.google.com/forum/#!topic/google-ajax-search-api/HuKhXfsoMQc
Sorry for the delayed response. This error (which we're working on improving the descriptiveness of) also occurs when you have a
restriction on your key (e.g. locked to a specific referer or IP
address). Please confirm that if you've set such a restriction in the
APIs Console, that the referer or IP address that you're making the
requests from. Pay special attention to any wildcards used on the
referer - for instance, if you use *.abc.com, it won't work if your
request comes from "yoururl".
also would have been great if google team fixed this issue! :)
In my case - I just had to wait few minutes because it was short time after updating my API KEY. Whenever you create a new key or update it on YT developer console. YT has up to 15 mins to make all the changes on their side
In my case I had a parameter named Key, so it thought that was an actual key, just renamed the parameter.