Currently I'm recovering the omniauth information perfectly fine using the typical setup for omniauth gems.
I'm retrieving the access_token as a string and storing it into an Authorization model that is associated to a main Users model.
So, getting to my problem.
I need to access the calenders api and in the docs I see many references like this...
https://www.googleapis.com/calendar/v3//users/me/calendarList/calendarId
This seems fairly intuitive. I want to access this in conjunction with the access token that I have retrieved. Something along the lines of this...
https://www.googleapis.com/calendar/v3//users/me/calendarList/calendarId?access_token=blah
so that I can load it directly and more streamlined into Backbone models. However, I don't see anything in the docs and when I try the implementation, it consistently throws me 404s of "Not found" (which is rather annoying and undescriptive. I'd prefer if it threw 422s but I suppose that's a discussion for somewhere else.)
Is there anything in the docs that provide an example implementation of how to access the info with a token?
thanks
I did a bit more research and found out about the google ruby client gem that was released. Basically, we have to feed the token into the Google::Client instance and pump out an object that has a defined set of methods that can be used on it.
I created a special case controller to handle this logic to render out a suitable api.
TO-DO: Will get into specifics in a bit. Currently I'm very tired.
Related
So, I'm very new to this. I got a generated json file from my google developer console that holds information like private keys, client id, token stuff, etc.
Now, I'm trying to use the Google Analytics Report V4 api. I put all my code into a concern, and when I run the code I get this error:
Google::Apis::AuthorizationError: Unauthorized
So I know that I have to authorize my app, but I'm not sure how. I have this json file which appears to have all the information I need to authenticate my app.
After some research, I know that (on the following code) I need to assign analytics.authorization to something, I just don't know to what.
analytics = Google::Apis::AnalyticsreportingV4::AnalyticsReportingService.new
analytics.authorization = ???
Do you know of any method I'm supposed to call that takes in the location of my json file as a parameter or something that can in turn, authorize my rails app?
Thank you so so much if you can help.
I know there are other questions like this. But they use omniauth with devise I think, and I can't do that. I already have a specific context in which users need to be logged in to my app, so logging in with google wouldn't work in my case. Also, other question/answers that don't involve omniauth and devise are outdated or don't have an accepted answer.
I'm lost here- don't even really know what questions to ask.
I built an api as described here : http://railscasts.com/episodes/350-rest-api-versioning?view=asciicast
It's on a site that requires login.
I can access the api through the browser when I am logged in, no problem. Here are my routes:
## API
namespace :api do
namespace :v1 do
resources :users, :sessions
end
end
What I've been asked to do is to make it so that an outside party can request the json with a Api key and optional query parameters and userId
I've tried to curl the site (https) and get redirected to a logout, even with username and password.
My boss suggested a public form on the root url that accepts the userId, apikey and params, and can be curled and will return the data via the parameters posted from curl.
I have no idea how to do this, or even to allow the data to be called without loggin in. I looked at this other screen cast http://railscasts.com/episodes/353-oauth-with-doorkeeper (it's a paid version) but his interactions are allowing another rails app to interact with his original app.
Basically, where should I look for information on how to accomplish this? Any other suggestions, or more information that I could give to make my question more clear?
Thank you for your time.
More RailsCasts! Ryan Bates has you covered in http://railscasts.com/episodes/352-securing-an-api?view=asciicast
So to boil it down:
you need to determine if the clients calling your API need to identify themselves, or if they also need to authenticate somehow
you need to determine if the users of the client (that's calling your API) need to authenticate with your system -- that is, are there "users"?
Some APIs allow callers to pass an API Key as part of the query; others require a more sophisticated process of authenticating, typically OAuth, which is a little trickier.
Some APIs provide user-specific information, in which case you'll need a way to make sure the user can log in, change their password, recall a forgotten password and so on. There's a good RailsCast for that, too (or you can use the Devise gem, although I wouldn't recommend it if you're mainly implementing an API -- not Devise's strong suit).
I am guessing you know this part, but all curl does is simulate the HTTP requests your clients will be making to your API, and (with the --include option) can show you the information about the response returned -- headers, cookies, and so on.
Google "rails api authentication" for more.
I am building an api for others to use. This is a simple enough Json request the user passes as some data and we pass some back.
What I would love is to secure our api and have some sort of user system where we can turn users on and off and we can log how many requests each user makes.
What would be the best way to do this in Rails? I don't want it to slow down the request. I can see ways of doing it using devise maybe but would be great to hear other people's opinions.
Thanks
Another way is to use 3scale (http://www.3scale.net) - it's free up to a traffic cap but handles all the key management, users, documentation etc. and there's a ruby library which you can drop into your code if you're using rails. (other libs are here: https://support.3scale.net/libraries).
I've done this before using the Token Authentication capabilities of devise (see https://github.com/plataformatec/devise ).
I found the following setup works:
Create a user account for each api user.
Configure devise for token authentication
Set the Token Authentication configuration to require the token to be submitted with each request.
This will allow you to enable and disable individual users as well as to track every request back to the api user that made the call.
If you're really interested in tracking usage you may want to consider also creating a database table where you track all api requests. This can be setup to belong_to the users table so that you easily find all requests from different users (e.g., #user.api_requests).
The count of all requests made by a user would be:
#user.api_requests.count
# or use a where clause to find how many of each type
#user.api_requests.where("api_request_type = ?", 'SomeAPICallType').count
One final note -- I recently used the Grape library for building out an API. I thought it was pretty well done and it worked great for our needs. I especially like the ability it provided to version APIs. Details are here: https://github.com/intridea/grape/wiki
I've been working on the development of an Android app in my spare time for several months now. I've done all of my planning for the on-device side (except for server-side interaction), but I've been met with a very steep learning curve for the on-server side implementation. I've researched for about a month with no real leads. Consequently, I'm really at a dead end. The app that I'm working on included these minimal requirements:
Must offer account creation/authentication to the server from the
device
Must maintain some sort of session that allows the user authorization
to make changes that will impact only the on-server user data within the context of the account that they are logged in to.
The ability to log out/be logged out by the server under certain conditions.
A web interface will not be necessary, as this service is only to be consumed by Android devices.
I've decided that a Rails implementation is the most desirable option for me. My experience with Rails and servers in general is very limited. A friend recommended that I read though "Agile Web Development with Rails" in order to get up to speed. I made it through enough of the Depot Application demo in order to understand ORM libraries, the MVC pattern, and scaffolding, but then I got fed up with the way that the book presents the information. Everything is very sequential, and the authors seem to omit a lot of the "how", saying that they'll explain later, and to just not worry about it until that point. That's not the way I learn. I digress.
So far I've used scaffolding in Rails to generate a model, view, and a controller for an Accounts table. I've set up attributes for a username, password, session_key (a randomly generated key that the user should receive and use to connect from their device after login), etc using scaffolding. I am validating the username and session_key to ensure that they're unique, and my alphanumeric key generation is working properly (all of which is done in the model).
Now I'd like to focus on managing sessions in a restful manner. I know that I'll need to implement this by having Android devices pass their user's session key to the server when making HTTP requests and accessing resources etc., but other than that I'm at a loss.
I'm looking for someone to provide me with a good resource (or explanation) outlining how HTTP requests and responses work in general, how JSON information can be received and parsed using a request, and how to otherwise manage restful authorization (assuming that the user has already been assigned their session key). If my approach isn't quite right, please let me know what you would suggest.
Thanks!
For authentication, you might want to check out: http://railscasts.com/episodes/250-authentication-from-scratch You'll basically just be performing the authentication using the session_key. There are other more complicated things you might do, and you could check out authlogic, devise, sorcery, etc. to see how they implement keeping sessions alive. Since you need log outs, and presumably the need to log back in, I would suggest looking into using the session key you describe as the master authentication and then have a perishable key of some sort that gets reset after every request and sent back to the client as a keepalive. Depending on your ultimate needs, that might be enough security and functionality.
For JSON receiving, rails has built-in parsing. Look into respond_to. For sending back JSON, you can use any number of methods. The most basic is to just allow rails to automatically convert the JSON (which happens when respond_with is used, as in the link). You could also build out presenter classes or use something a little more formal like rabl.
I'm think something like Facebook apps here. User generated pieces of code that people can write to interact with my app.
I understand how an authenticated API works, but this seems a little more complicated because not only does the APP have to authenticate itself (with a regular api-key) but the USER using the app has to be authenticated somehow too, without giving the app free reign.
I've been reading a bit here to see how FB does it: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application
And it looks like you have to pass a signature in addition to the api-key along with every call, but I'm having trouble wrapping my head around how this gets generated and used on the other end (my server).
Figure there must be a simple explanation of this out there? Thanks!
P.S. I'm building a Rails app if there are any applicable gems/plugins.
This may be what I need:
http://github.com/phurni/authlogic_api
Did you have any success with authlogic_api? I'm working on the server-side for a Steam game, where users are logged in through Steam, so I'm only responding to REST calls from the client (no user login required). The rdocs for authlogic_api give some brief set-up info, but I'm struggling with what to do in the application_controller to restrict access; essentially the equivalent of this code from the authlogic example:
http://github.com/binarylogic/authlogic_example/blob/5819a13477797d758cb6871f475ed1c54bf8a3a7/app/controllers/application_controller.rb