I design a application for a restaurant one of the features is that the user can make an order online and the oreder status is pending until the restaurant cashier or restaurant admin staff convert status by accept or refuse
so i wanna send to client a notification if there is pending orders or something that the admin staff or cashier know that there is an pending order created now without need to update or refresh the client page
so my question is how i make a backend server send to client browser notification without the client need to refresh the page or send request to backend server
i use django rest framework
I hear about websocket and Django channels
Also i hear about SSE
Also i read about client freamwork send requests every n minute to update the page
I need to know what the best approach to implement this and if there is another technology and what is best for server if there is a lot of loading or the application used by millions of users
For example - you can implementig full-state service on nodejs + express + socket.io or asp.net + signalR. Client connecting to your service via websocket if customer open page where there order status. This solution will allow scale only service if connecting many client, also you should think over communication between service and general app on django, for example use rabbit or kafka or other. Also your can use this service for new realtime features
Related
I'm currently trying to make an account signup page for a small project I'm working on and I don't know how to send data back to the server (I'm using the Flask framework) without also allowing everyone to send data. Let's say that I've set up an API endpoint on /createAccount. I can then send POST requests to that endpoint: {"username": "test", "password": "test"}. The web server will then handle that request by inserting that data into a database and responding with 201. The problem is, anybody would be able to send these requests, and I only want users to be able to register through the login page, and not by making an API call. Is there any way of doing this?
Edit: I've given this problem a bit more thought and I think that the only API that is difficult to secure is the signup API. When a user has created an account, I can just assign them an API key, which they will send to the API every time they want to make a request, which means that an account is required to make API calls. If a certain key is making too many requests, they can be rate limited or temporarily banned from making further requests. The problem with the signup API however, is that there is no information by witch a request sender could be identified. I could use the IP address, but that can be changed and wouldn't really help if multiple IPs are spamming the API at the same time. Is there a way I can identify non-registered users?
Short answer: no.
You have to check data to make sure the account being created is something legit and not trash data to fill your database or any other malicious intents.
This is the reason you usually have to confirm an account clicking on a confirmation link sent to your mail: this way the app is sure that your account is legit.
You could also check info on the front end, but that is never as secure as back end checking, because of your concern in the question: in the end, anyone who gets to know your endpoints could potentially send direct requests to your server with whatever data they wanted.
Assuming you have a trusted source of registrations, an if that source can make an ssh connection to the server where your Flask app is running, an alternative to trying to lock down a registration API is to provide a command line script to do the registration.
The trusted source does something like
ssh someuser#youripaddress /path/to/register.py "username" "password" "other info"
If you use a Flask custom command you can share model definitions db configuration.
I am trying to implement simple slack bot. So I have configured hubot which will take inputs from slack and passing it to my webapp (django app) and it will take whatever the response from django-app and will reply to slack.
In this process I am trying to store session in django using request.session but that is not reflected in slack. If I am accessing the django-url in browser it is able to store sessions and getting proper response with session.
So does the problem lie with slack or my approach and is there a way to store sessions in hubot when requesting to django-app ??
I can not speak to the specific technologies you use (hubot, django), but I am using server sessions with my Slack apps all the time and can give you a general answer on how it works. Note that my Slack apps are build with PHP, but I think its safe to assume that the principles are the same.
Slack does not support sessions
In general Slack does not support sessions or context. Instead everything is request based. So if you want to have sessions to keep a functional context between requests you need to organize that by yourself in your Slack app.
Challenge for using server sessions with server requests
One challenge is that most server sessions are designed to work with a client that uses a browser. e.g. a PHP server session will store a cookie in the browser, so the server knows, which requests belong to the same session. This does obviously not work with Slack, since all Slack requests are coming from a server and and there is no browser involved.
Approach for using server sessions with Slack
But you can use severs session with Slack with these two tricks:
Manually set the session ID
Usually the ID of a session is chosen automatically by the server, but you can also set it manually. This allows you to tell the server to continue an existing session that was started with a previous request.
Include session ID in Slack control
The functional session of a user is tied together by the Slack controls he uses. (e.g. an interactive button). Its possible to include custom data in those controls (see this answer for details) and that allows you to include the current session ID in it.
Full approach
You include the ID of your current session in the Slack controls, that you create with your app (e.g. an interactive button). Once the user clicks a button Slack will send a request to your app, which will include the session ID. That allows your app to continue an already started server session.
I have a chat web application and I want it to work offline. For this I use progressive web apps features (Service Workers) to use cache to get the shell app and the messages already loaded.
What I want to do is to be able to make a post message when I'm offline and let the service worker handle the connection issues (i.e.: keep the message somewhere till where are offline and as soon as we are online send the Post message).
I want to use Service Worker because I also want to send the message if the user as left the web app after posting a message with no connection.
What is the best API to use for this?
I saw the background sync API but it is not standard and it doesn't seem to be updated for almost 2 years.
If there is a way to do this in a manner that the client (the web app) is totally unaware of this mechanism it would be cool.
What I mean by that is I would like my app just do a
fetch("/message", {method : "post", body : {content : "hey there"})
And then the Service Worker just intercept the fetch, if we are online then it just send the fetch, but if we are offline it "wait" for the connection to be up again and then send the post.
I wonder if there is an event listener, available in the service worker, that will be activated when the connection change from offline to online. This way I should be able to store the request in indexDB when offline and then send the post when online.
I saw the navigator.onLine but it is not an event :(
Based from this post, you may use a Service Worker in running the app in the background either via its push event handler (triggered via an incoming push message), or via its sync event handler (triggered by an automatic replay of a task that previously failed).
You may check the Offline Storage for Progressive Web Apps documentation for storing data offline:
For URL addressable resources, use the Cache API (part of service workers).
For all other data, use IndexedDB (with a promises wrapper).
You can cache static resources, composing your application shell (JS/CSS/HTML files) using the Cache API and fill in the offline page data from IndexedDB.
I am new to eJabberd, after setting up the server and be able to send messages between users I want to be able to create rooms from our backend server (not from our clients).
I read this article:
https://docs.ejabberd.im/developer/ejabberd-api/oauth/
But I did not understand how can I use the api from our server side (for example, to automatically create rooms for our users), how can I obtain a token for the server to use the API?
Thanks.
You should consider using mod_rest - http interface to post data to ejabberd. You can read more about configuration & examples here.
Do consider adding some restrictions so that only your server can use the http interface.
I have a backend server in which is developed using Symfony 2 framework and FOSUserBundle as authentication provider.
I have made a custom (simple controller that return JSON) API to handle communication between server and the mobile app.
So basically all methods in this API need an authenticated user.
Blow is a little discussion between the server and the mobile app of what I’m planning to do :
mobile app: send https request with parameters(email and password)
server: verify email & password, generate a token, store it in the user table and send it to the mobile app
mobile app : include the token in future requests
server: getUserByToken() and continue the rest of logic
My Questions:
How to achieve credential(email & pass) verification on the server using FOSUserBundle (or anything else)?
I’m wondering what if a hacker use the Man In The Middle technic, get the token and use it to send requests to the server?
Disclaimer : I’m very novice in security and intermediate Symfony 2.
I’m sorry for not including image which will explain more(I haven’t enough reputation).
1.How to achieve credential(email & pass) verification on the server using FOSUserBundle (or anything else)?
Symfony2 handle it for you. You have an example of login here with FOSRestBundle using FosUserBundle. You just need to modify the code for only login with mail.