I'm looking for a way of propagating information between the authentication script I've setup in my Zapier app and the different actions/triggers I have. The data I am receiving is from authentication API which I want to use further in Triggers and Actions. I guess the environment global var is not the way as it's not bound to a specific zap but for all usages of the app. Thank you for your help!
Tried setting value in bundle.authData in code mode while authenticating user, but it's reflecting across triggers and actions.
API Key authentication does not support the ability to save off keys you might need later, only Session and OAUTH provide this ability. This are computed field and docs about it are here:
https://platform.zapier.com/docs/session#computed-fields
Related
I'm looking for a way of propagating information between the authentication script I've setup in my Zapier app and the different actions/triggers I have.
For now it would be a URL defined in a custom zapier form when authenticating a user that I could spread across all the actions/triggers scripts to make the calls properly using a context variable somewhere (not existing in bundle apparently).
I guess the environment global var is not the way as it's not bound to a specific zap but for all usages of the app.
Thank you for your help!
David here, from the Zapier Platform team. Great question!
If you're looking for data that will be unique to each user, but consistent across each of that user's zaps, you're looking for auth fields! They're filled out when a user authenticates (enters their password, connects oauth, etc) and are accessible to all zaps that use that auth via bundle.authData. A user might have multiple auths (in the case of multiple accounts with your service), and each one will have its own version of the auth fields.
Hope this helps. Let me know if you've got any other questions!
I am working with the eBay API using OAuth on my current Meteor project app.
There is a section of the app where I can create an eBay account profile, and assign custom values to the account (such as nick-naming it, etc.). This is where I initiate the OAuth sign-in redirect process.
My question is about the 'state' parameter in the token requests. I understand that it is for helping prevent CSRF, but do I HAVE to use it that way? 'state' does seem to be optional after all.
Let's say I wanted to pass another value into the request call such as the string 'eBay Seller', and expect that the same exact string be returned in the response. I want to use that value to help my app determine which account to assign the returned tokens to (based on which account profile initiated the redirect link).
Is 'state' a valid place to pass in a variable that I expect to be returned exactly as sent? I considered using Session variables to handle this scenario, but quickly realized that this would not work, since the OAuth process takes me outside of my project's domain.
Does OAuth support passing variables that are expected to be returned as sent? Is sending my variable as 'state' allowed or even recommended (or absolutely not recommended?) Is there a better way to achieve what I want to do that does not involve updating database values?
Thank you!
You can send what you want as state. You should try to make sure it's not guessable though, to mitigate against CSRF attacks.
If you want to return useful information like 'ebay seller' then include something for CSRF (e.g. hash of the session key id) and the text 'ebay seller' and delimit them e.g.
2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824|ebay seller
Now you have the best of both worlds: useful state info + CSRF protection.
Your redirect endpoint logic can check the hash of the session id matches and also confirm the account type from the initial request.
I am building an api for others to use. This is a simple enough Json request the user passes as some data and we pass some back.
What I would love is to secure our api and have some sort of user system where we can turn users on and off and we can log how many requests each user makes.
What would be the best way to do this in Rails? I don't want it to slow down the request. I can see ways of doing it using devise maybe but would be great to hear other people's opinions.
Thanks
Another way is to use 3scale (http://www.3scale.net) - it's free up to a traffic cap but handles all the key management, users, documentation etc. and there's a ruby library which you can drop into your code if you're using rails. (other libs are here: https://support.3scale.net/libraries).
I've done this before using the Token Authentication capabilities of devise (see https://github.com/plataformatec/devise ).
I found the following setup works:
Create a user account for each api user.
Configure devise for token authentication
Set the Token Authentication configuration to require the token to be submitted with each request.
This will allow you to enable and disable individual users as well as to track every request back to the api user that made the call.
If you're really interested in tracking usage you may want to consider also creating a database table where you track all api requests. This can be setup to belong_to the users table so that you easily find all requests from different users (e.g., #user.api_requests).
The count of all requests made by a user would be:
#user.api_requests.count
# or use a where clause to find how many of each type
#user.api_requests.where("api_request_type = ?", 'SomeAPICallType').count
One final note -- I recently used the Grape library for building out an API. I thought it was pretty well done and it worked great for our needs. I especially like the ability it provided to version APIs. Details are here: https://github.com/intridea/grape/wiki
I'm using Devise in a Rails app and want to expose some of the model data via an API, but access to the API should be restricted just like the app.
$ curl http://myapp.com/api/v1/sales/7.json
{"error":"You need to sign in or sign up before continuing."}
Obviously.
Is there a best practice for accessing the API in situations like this? I'd prefer to authenticate + grab the data in one step, but that's just to make the client's job easier. They'll be pulling in the data client-side with JQuery.
Thanks for any info!
Vanessa
I recommend you follow the Option 2: Using API Key section on the following post to implement API authentication in Rails.
http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/
It's lightweight and simply requires passing an api_key param with each request.
My suggestion would to generate an API "key" (hash value) and have that passed with the json request. That way you can authenticate and track API use. A lot of APIs use "keys" to track and authenticate use. Google maps for instance, they use just an API key. Where as PayPal uses a user name, password, and key. There are a number of ways to do it.
I would try creating a one-to-many table that belongs to the user, just for keys. That way a user can generate more than one hash key for different purposes. (One for reports, one for backup, one for fancy pie charts that automagically pull from Powerpoint).
I want to pass in other hidden values to the server on the form for login. Then I want to be able to do some other computations on the server where I have access to the form hidden parameters and also the newly authenticated user object.
I was hoping to use the onInteractiveAuthenticationSuccessEvent event. However, I cannot find a pointer to the request object in its params anywhere.
BTW, this is my plan for how to pass information from Gigya to do a linkaccount to a acegi user account.
I don't recall the exact syntax, but I'm pretty sure we've used the org.springframework.web.context.request.RequestContextHolder to access request attributes in the security callback methods...
The first answer got me looking around in the right place.
org.codehaus.groovy.grails.plugins.springsecurity.SecurityRequestHolder.getRequest()
seems to be the best way in the grails plugin to get the request. Thanks for the help Eocdan.