I was just wondering if there was a simple function to create a customer in the Stripe API from my app in Swift? Instead of having to create a manual HTTP post request to my server, "createCustomer.php", and then retrieve the results (This is what I do right now).
I tried to search this up on Google, but I can't seem to find anything. I simply want the user to save their card details for later user, that's why I am in need of creating a customer.
Thanks in advance!
Except for payment information tokenization (which is done via Stripe's iOS or Android SDKs in mobile apps, and Checkout or Stripe.js in web apps), all API requests must be sent from a backend server.
The reason is that aside from token creation, all other API requests must be sent using your secret API key. You cannot embed or share the secret API key with your mobile app in any way, as it would then be possible for an attacker to retrieve it and use it to issue API requests on your behalf.
This is why there is no Swift function to create a customer -- the customer creation must be done from your backend, using the server-side language of your choice.
Related
I created a shopify app using the shopify node app template: https://github.com/Shopify/shopify-app-template-node. I haven't modified much of the template yet.
I want to be able to make eBay api calls in my shopify app but I need to incorporate eBay's oauth flow to do so. To do that, I need to set up a redirect url in my ebay dev account. This is the url that eBay will send the access token to (in the query params) after the user logs in on the oauth page. In my shopify app, I can easily redirect the user to the eBay oauth page for them to sign in, but how can I allow my shopify app to be called by eBay so they can send me the token?
I've tried using the "shareable app url" which gets generated after running 'npm run dev' as the ebay oauth redirect url and setting up an endpoint in my shopify app (in web/index.js) such as /ebay/auth/accepted. But eBay doesn't seem to be able to reach my endpoint.
I also just tried entering this url/endpoint in the address bar directly and am not able to reach it. It seems that whichever authentication mechanism the app template has built-in is preventing external applications from making calls to my app. How would I allow eBay to call my app using this shopify node app template?
I used to do this by peeking into the App callbacks. So we set /auth/shopify/callback and what I noticed is the the router interpolates the shopify aspect there. So if you set /auth/ebay/callback to get their token, in the callback in the App, you'd stop assuming you only get shopify, and now start checking for either shopify or ebay. So I had my router let me know: your mileage may vary of course, but that is all it was, and probably still is.
get '/auth/:provider/callback' do
case params[:provider]
token = request.env['omniauth.auth']['credentials']['token']
when 'shopify'
# save shopify record
when 'ebay'
# save ebay record
end
# ... lalalala do whatever.
I need to send emails from my server, through simple REST calls, from my backend-server email address, to the email addresses registered in the system.
But there is a problem, bear with me.
The thing is a lot of the documentation I've seen so far seems to assume I want to access the clients gmail data, which I don't, I only use the client's address as a destinatary.
A lot of the examples I've seen, involve a visual promt to authorize the access to the api.
BUT WHY?
They assume I'm gonna be making apicalls from a mobile device, acting on behalf of the client, which needs a visual prompt for consent. But none of that applies to my use case.
The thing is, there is ever only gonna be one sender, "ME" (the company email designated for the backend server).
I should be able to create a secret api_key on the google console, and send that in my request headers (like freaking FIREBASE does), or use that key to generate a token which I then send to the api endpoint (like Paypal does).
I want to be able to do something like:
POST https://gmail.googleapis.com/upload/gmail/v1/users/{userId}/messages/send
Authorization: key=<key_created_on_google_console_or_token_obtained_using_said_key>
{
message stuff...
}
The api reference on google says that I need to create an authorization using OAuth credentials, which I'm then supposed to use to create a short lived token that is inserted as
"Authorization: Bearer <TOKEN>"
in my next apicalls, until it expires. But...
In the console, creating a new OAuth2.0 client ID, says I need to create an app. But I already have a proyect and an api_key (with permissions to gmail api). And that said app is gonna have to be sent for review!. What's going on?.
So..
How do I send emails, from my own-controlled email address, using REST calls.
It's all server side, no need to access any user data (not even my own), I already control the sender address, I already have created a project on google console, I already created an api_key.
OAuth seems to think I'm doing something I'm not, so what am I missing?.
Thanks.
The Bearer token is an OAuth2 access token that you get after authorizing your app to access your Gmail account. It's designed for 3rd party authorizations really (like your users allowing your app to access their Gmail) that is why it seems complex when you're accessing your own account.
Check this out https://developers.google.com/identity/protocols/oauth2
Turns out I was trying to use the wrong tool for the problem.
After looking for alternatives I found out about MailGun and SendGrid.
Tried SendGrid and it fit like a glove. Love it.
I was using Gmail+PHPMailer for this problem and thought the new api was meant to replace that, but turns out it's not.
Alexey pointed out the intended use in his answer. Actually I might end up integrating the new Gmail api more in line with it's intended use on my clients mobile devices.
It was all my missunderstanding.
Thank you for your time.
I know I'm probably going to get a "no, you can't do that" but it doesn't seem reasonable to me.
My client uses Quickbooks Online and wants to be able to have his customers sign in to his web site and see how much they owe, and then pay their invoices with a credit card.
Obviously, the customers themselves can't be signing into Quickbooks Online. We want the web server to be able to directly access the data via the api.
I've found the api but I'm not sure if it's possible to have the webserver connecting to it and getting the data it needs.
I know this can be done with other systems. I've done it with GMail and Salesforce using OAuth2.
The biggest piece I want to load from quickbooks as well might be something unavailable as I couldn't find it in the API anywhere. When my client opens Quickbooks Online, he can send an email to any customer that will include a link to pay online by credit card. We'd like to be able to find that link and redirect the user to it. But I'm not sure if it's available via the api.
I could go with webhooks but that would require storing all that data on our webserver, and syncing it for existing data. Not to mention what happens if an update happens to fail.
You're misunderstanding how OAuth works a bit, which is what is causing the confusion here.
The person who owns the QuickBooks company logs in, not the end-user. They log in ONCE, and that gets you OAuth tokens that you can use to make server-to-server calls forever going forward.
Soooo...
I know I'm probably going to get a "no, you can't do that" but it doesn't seem reasonable to me.
You can do what you're trying to do, you're just going about it the wrong way.
Obviously, the customers themselves can't be signing into Quickbooks Online.
Correct.
We want the web server to be able to directly access the data via the api.
That's fine, and totally do-able.
I've found the api but I'm not sure if it's possible to have the webserver connecting to it and getting the data it needs.
It is do-able.
The key understanding here is that you're going to have an OAuth connection process that the person who owns QuickBooks is going to go through just once, to get you OAuth tokens.
You're then going to store those OAuth tokens server-side (e.g. in your database).
You can then use those stored OAuth tokens to make future server-to-server API calls whenever you want.
When my client opens Quickbooks Online, he can send an email to any customer that will include a link to pay online by credit card. We'd like to be able to find that link and redirect the user to it. But I'm not sure if it's available via the api.
I don't think this information is available via the API right now.
There is an API endpoint to send an email invoice, if that's helpful:
https://developer.intuit.com/docs/api/accounting/invoice
How do you make a request to Google to get a user's profile information with the returned tokens from Azure Mobile Apps? Specifically I am using the iOS Microsoft SDK in Objective-C.
I found this article but it looks to be referencing old information based on the date and the response that was returned.
I also tried calling /.auth/me as a GET request, but that returned Cannot GET /api/.auth/me
You need to make an HTTP request to /.auth/me, but without using the custom API support that's in the iOS SDK. In other words, use NSURLRequest directly, and not MSClient.invokeAPI. Your call needs to be authenticated, so put the token from client.currentUser.mobileServiceAuthenticationToken in the X-ZUMO-AUTH header.
We have an open feature request to add a method to the client SDKs to make this easier: https://github.com/Azure/azure-mobile-apps/issues/30.
And, you're right that your article was referencing information on Azure Mobile Services, which behaves completely differently when it comes to authentication.
TLDR: All I want to do is secure my cloud function in Parse so that it only accepts requests from my iOS app. How can I do that?
Longer version:
I recently got started with using Parse for a client side app I'm building using a Google API.
Before using Parse, my issue was that the Google API calls from my app were not secure. I tried a Man in the middle attack on my app, and I was able to successfully get the bundle id and app id (Google claims some form of security is achieved by ensuring that the call is from the correct bundle id that you can specify on their console). So despite using SSL, seems like it was easy to get this information. Now this Google API is paid, so someone could easily abuse my key when I release my app and raise my bills.
I was anyways also thinking of doing some lightweight work in the backend, so I figured to use Parse. Now the call to the Google API is done in Cloud Code. But a new problem I'm facing is how to secure calls to the Cloud function I've defined in Parse? The Parse App ID and Client Key aren't secure at all.
All of Parse's blogs keep talking about creating users and defining ACLs etc. But in my case, there is no data in my Parse app and there is no user per se. It simply calls the Google API and returns the result. All I want to do is secure my cloud function so that it only accepts requests from my iOS app. How can I do that?
The inherent security risk here is that any key you store in your app is vulnerable, for that reason encryption is also vulnerable. My recommendation is to use the automatic user in Parse on your iOS app, you could even throttle excessive requests/abuse by a single user. By creating and using a user you are able to gain the benefits of ACL which appears the best security option available in Parse currently. At that point you send the automatic user in your cloud code request and verify it's a valid iOS user.