Webservice API that uses another Webservice API - web-services

I want to provide a geolocation API service so end users can send an IP and the API returns geo information about the IP.
While the ideal would be to install a database on my server, database providers like Maxmind, ip2location, etc. suggest querying their API service directly.
This doesn't sound right to me, as the end user will have a query to my API + the query from my API to the provider.
Is this doable? Or should I take a different approach?

Your idea is doable; it just boils down to whether this is a practical/sound approach for what you want to achieve. Below are a few drawbacks of doing this, in my opinion.
The overhead cost is too expensive, as it involves the call to your own API server + the query to an external 3rd party API solution.
The query speed will be slow due to the high latency.
Your solution will depend on the 3rd party server's uptime, which you have little control over.
Any point of failure on either your server or 3rd party server will bring down your API.
Unless you have a good reason for this, the best solution would be to host your own geolocation database and build the API service on top. You can either use IP2Location or Maxmind database, whichever you like.

Using web service for cross platform mobile app

I'm writing a mobile app which at high level does:
Retrieves data from third party vendor in JSON format via HTTP POST request
Filters results based on user preferences and displays results
Periodically refreshes data
My current approach is to create a web service which handles communication with the third party vendor and also takes care of filtering logic, which contains a fair amount of calculation.
The downside of this approach is the extra hop from the client's perspective, since there will now be two web service calls (client -> custom service, custom service -> 3rd party vendor).
On the plus side, the filtering logic and future enhancements will be completely agnostic of operating system and I don't need to write custom code for Android & iOS.
Is this the right approach?
It is, under the following scenarios:
Third party site requires an API key (or another form of authentication) which needs to be kept secret and can't be distributed to clients,
Third party charges for each API call or throttles the calls, and you want to cache results on your site to limit the number of calls,
Third party API is likely to change, and you don't want to release a new version of client with every change,
There is a likelihood of switching to a different third party vendor,
Your site is more reliable with better uptime than the third party site.
Otherwise, calling directly from the client will be less of a headache, in spite of the extra amount of coding you mentioned.
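The two threads above weigh the same trade-off: an intermediate service costs an extra hop and inherits the third party's downtime, but it is the only place a vendor API key can be kept secret and the only place results can be cached to limit paid or throttled calls. The block below is an added example, not code from either post, of a backend-for-frontend proxy that keeps the key server-side, caches records for a TTL, strips fields the client does not need, and serves stale cached data when the upstream call fails. The provider response shape, the `FakeUpstream` transport and the key value are constructed so the example runs offline; a real deployment would swap in an HTTP client with the same timeout.

```python
"""Backend-for-frontend proxy with key isolation, TTL cache and stale fallback.

Added example; the provider data, key and transport are constructed for illustration.
"""
from typing import Callable, Dict, Tuple

# Constructed stand-in for a provider database (RFC 5737 documentation address).
FAKE_PROVIDER_DB = {"203.0.113.7": {"country": "NL", "city": "Amsterdam", "raw": "<provider payload>"}}
SERVER_SIDE_KEY = "server-side-secret"   # constructed; lives only on the proxy, never in the client


class UpstreamError(Exception):
    """Raised when the third-party call fails, times out or rejects the key."""


class FakeClock:
    """Controllable clock so cache expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


class FakeUpstream:
    """Offline replacement for the provider's HTTP API; `down` simulates an outage."""
    def __init__(self) -> None:
        self.down = False
        self.calls = 0

    def fetch(self, ip: str, api_key: str, timeout: float) -> dict:
        self.calls += 1
        if api_key != SERVER_SIDE_KEY:
            raise UpstreamError("provider rejected key")
        if self.down:
            raise UpstreamError(f"timeout after {timeout}s")
        if ip not in FAKE_PROVIDER_DB:
            raise UpstreamError("no record")
        return dict(FAKE_PROVIDER_DB[ip])


class GeoProxy:
    def __init__(self, fetch: Callable[[str, str, float], dict], api_key: str,
                 ttl: float = 3600.0, timeout: float = 2.0,
                 clock: Callable[[], float] = FakeClock().now) -> None:
        self._fetch = fetch          # injected transport: fetch(ip, api_key, timeout) -> dict
        self._api_key = api_key      # the secret the client must never see
        self._ttl = ttl
        self._timeout = timeout      # bounds the latency the extra hop can add
        self._clock = clock
        self._cache: Dict[str, Tuple[float, dict]] = {}

    def lookup(self, ip: str) -> Tuple[dict, str]:
        """Return (record, source); source is 'cache', 'upstream' or 'stale'."""
        now = self._clock()
        hit = self._cache.get(ip)
        if hit and now - hit[0] < self._ttl:
            return hit[1], "cache"
        try:
            record = self._fetch(ip, self._api_key, self._timeout)
        except UpstreamError:
            if hit:                   # upstream down: degrade to stale data instead of failing
                return hit[1], "stale"
            raise
        # Forward only the fields the client needs; the raw provider payload stays server-side.
        record = {k: record[k] for k in ("country", "city") if k in record}
        self._cache[ip] = (now, record)
        return record, "upstream"


def demo() -> list:
    """Walk through miss, hit, and outage-with-stale-fallback; returns the sources seen."""
    clock, upstream = FakeClock(), FakeUpstream()
    proxy = GeoProxy(upstream.fetch, SERVER_SIDE_KEY, ttl=60, clock=clock.now)
    sources = [proxy.lookup("203.0.113.7")[1]]   # first call goes upstream
    sources.append(proxy.lookup("203.0.113.7")[1])  # second is served from cache
    clock.t += 61                                    # TTL expires ...
    upstream.down = True                             # ... just as the provider goes down
    sources.append(proxy.lookup("203.0.113.7")[1])  # stale record instead of an error
    return sources


if __name__ == "__main__":
    print(demo())
```

The cache also answers the "charges per call / throttles" scenario directly: repeated lookups of the same address cost one upstream call per TTL window, and the client never learns which vendor sits behind the proxy, which is what makes switching vendors a server-only change.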

node.js rest webservice authentication for client-server interaction

I'm designing an architecture where the web interface is a client (developed using a front-end js framework) and all requests are routed to several webservices.
All communication will happen using standard HTTP responses and JSON entities.
Now I'm facing the authentication mechanism.
My service will, of course, have several users, and I need to restrict access to users' resources.
Users will 1) signin to the web client (/admin) and then 2) the client-side js will perform several AJAX requests on webservices on user behalf.
Should I create a persistent session between the client/server and then pass some reference alongside each request or authenticate each single request using a stateless approach? How could I authenticate the web-client requests for the current user without adding too much overhead or complexity to my system?
I'm looking at passport-local and passport-localapikey but it's not very clear to me if I should authorize my client or the user itself (meaning should I have only one pair of credentials for all users when performing web-service request or one pair per user?)
A simple example (explained; I don't need copy-pasted code) would be very appreciated. At this stage I'd prefer the solution introducing less complexity but granting good security, in order to be able to set it up very quickly.
PS. I could also take into account creating a distinct service handling authentication in order to create a common API to be shared between client and server, but that seems a bit of over-engineering to me.
Thanks,
If you're already using Express as a framework for Node.js, you can use its built-in session handling. It is capable of using any sort of session store including memory, redis, mongo, etc.
There's a good example here: http://blog.modulus.io/nodejs-and-express-sessions
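The question asks whether to keep a persistent session and pass a reference with each request, or authenticate each request statelessly, and whether to authenticate the client or the user. Both options amount to the same per-request check on the server: map whatever the browser presents to a user identity, or reject. The block below is an added example, not code from the question or the answer, showing the two shapes side by side in plain Python with only the standard library: a server-side `SessionStore` (an opaque random id is all the client holds, so sessions can be revoked) and an HMAC-signed stateless token with an expiry (nothing stored server-side, verified with a constant-time compare). `SERVER_SECRET`, the token format and `authenticate_request` are this example's assumptions, not passport's API.

```python
"""Per-user request authentication: stateful session id vs. stateless signed token.

Added example; secret, token layout and header handling are constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed per-process secret; a real service loads it from configuration or a KMS.
SERVER_SECRET = secrets.token_bytes(32)


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Stateful option: the cookie carries a random id; identity and expiry live server-side."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, int]] = {}

    def create(self, user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
        sid = secrets.token_urlsafe(32)           # unguessable; never derived from the user id
        self._sessions[sid] = (user_id, _now(now) + ttl)
        return sid

    def resolve(self, sid: str, now: Optional[int] = None) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None or entry[1] <= _now(now):
            self._sessions.pop(sid, None)         # drop expired entries as they are seen
            return None
        return entry[0]

    def revoke(self, sid: str) -> None:
        """Logout / compromise response: immediate, because the state is ours."""
        self._sessions.pop(sid, None)


def issue_token(user_id: str, ttl: int = 3600, now: Optional[int] = None,
                secret: bytes = SERVER_SECRET) -> str:
    """Stateless option: base64(payload).base64(HMAC-SHA256(payload)), payload holds sub + exp."""
    payload = json.dumps({"sub": user_id, "exp": _now(now) + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[int] = None,
                 secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user id if the tag verifies and the token is unexpired, otherwise None."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time: no timing leak on the tag
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= _now(now):
        return None
    return claims.get("sub")


def authenticate_request(headers: Dict[str, str], now: Optional[int] = None) -> Optional[str]:
    """What every AJAX call goes through: 'Authorization: Bearer <token>' -> user id or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, now=now)
```

The credentials are per user in both shapes, which answers the one-pair-or-many question: a single shared client credential would let any logged-in user act as any other. Stateless tokens cannot be revoked before `exp`, so they suit short lifetimes; the session store trades a lookup per request for instant logout.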

Windows Phone 8 secure connection through Azure, to an on-premise web service

I am working on a WP 8 app which I would like to connect to an on-premise (local) web service. I have managed to do so using simple BasicHttpBinding without security and Azure Service Bus Relay, but I can't manage to make a secure connection. WP 8 only supports BasicHttpBinding, and that's my biggest problem so far.
I understand that Azure Mobile Services is an efficient and easy way to securely connect your WP 8 app to the cloud. Is it possible to access an on-premise web service through Azure Mobile Services? And if possible, could it be done without exposing all the content of the local service publicly via Azure Service Bus Relay?
You should be able to do this securely from WP8 -- I'm not quite sure why it's not working -- but even if you had to roll something yourself, it should be possible (example, check out this post from Michael Collier on doing something similar: http://michaelcollier.wordpress.com/2011/08/19/azure-sb-and-wp7/)
To the question, though, WAMS (Windows Azure Mobile Services) is definitely easy to use, but it wouldn't be feasible to do what you want -- that is, to be a public endpoint in this fashion. In short, WAMS gives you an easy to use CRUD interface to data that happens to also expose features for authentication and notifications, and at the same time gives you some server-side javascript to do custom work -- such as calling out to other services, sending emails or notifications, etc.
But, each request into WAMS is essentially mapped to a CRUD operation on a database table. While you could likely 'inject' a simple call, this isn't what you want. It sounds like using the service bus is the right way to do this and should be possible...

How do I protect an API?

I am currently working on a single-page web application. The web app will make calls to a REST-like API for authentication and data storage. We are currently in the middle of securing the application, and have worked out a strategy for securing the site so only registered users can gain access. But one thing we also want to do is secure the API so others can't write their own applications against it, or access it in any other way than through our web application. The problem from my view is that the API will be open for everybody and not only for my web application.
Does anyone know how to do this, or can point me in the right direction? Because right now, I don't have a clue.
Considered using certificates and validation?
Your API should only be accessible if the session of the client is authorized. That's pretty much all you could do.
There are complex approaches like using client- and server-side encryption or something really basic: render a secret in your webpage that validates the user again on every request.
You could check the headers, where the original request comes from. And so on...
But as most of that is public in a users browser, anyone could read it and adopt it in a third party app.
So save yourself and the people that really want to do a third party app some time and provide a public API :)
The simplest way will be to use OAuth 2.0 (it supports both authentication and authorization), which you need.
Also ensure you secure the data on the wire using TLS (HTTPS) and any of the options below:
1. HTTP Digest
2. OAuth 2.0
3. Certificates (shared secret)
Stick to HTTPS+OAuth2 for now.
You could lock down your API to accept requests from known IPs. Also, depending on how your network infrastructure is designed, your web application can sit in a DMZ and your API on an internal network accessible only by servers in your network, one of which will include your backend API (this article https://www.digitalocean.com/community/tutorials/5-common-server-setups-for-your-web-application has some tips). For better security, use a secure network design in addition to an application security framework implementation like OAuth2 and HTTPS (mentioned above). For APIs, I've found that resource-based authorization works better than role-based authorization. Lastly, constant review of your security setup is vital as things change all the time. A good approach to this is Threat Modelling, described by OWASP here https://www.owasp.org/index.php/Application_Threat_Modeling
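The last answer layers three controls: a network allow-list in front of the API, an authenticated session, and resource-based rather than role-based authorization. The block below is an added example, not code from the thread, that runs one API request through those layers in order. The allow-list uses CIDR matching from the standard library's `ipaddress`; the `Resource` model, the `handle` request shape and the sample subnets (RFC 5737 and private ranges) are constructed for the example. The authentication layer is assumed to have already populated `request["user"]`.

```python
"""Network allow-list, then authentication, then resource-based authorization.

Added example; networks, the request dict and the Resource model are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed allow-list: the web tier's internal subnet plus one ops host.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def source_allowed(remote_addr: str, networks: Iterable = ALLOWED_NETWORKS) -> bool:
    """Match the TCP peer address against the allow-list.

    Use the socket peer address (or the address your own reverse proxy sets), never a
    client-supplied header such as X-Forwarded-For, which the caller controls.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False                      # malformed input is denied, not skipped
    return any(addr in net for net in networks)


@dataclass(frozen=True)
class Resource:
    id: str
    owner_id: str
    shared_with: FrozenSet[str] = field(default_factory=frozenset)


def authorize(user_id: str, action: str, resource: Resource) -> bool:
    """Resource-based check: the decision depends on this resource's owner/sharing, not a role."""
    if action == "read":
        return user_id == resource.owner_id or user_id in resource.shared_with
    if action in ("write", "delete"):
        return user_id == resource.owner_id
    return False                          # unknown actions are denied by default


def handle(request: Dict[str, str], resources: Dict[str, Resource]) -> Tuple[int, str]:
    """Evaluate one request as (status, detail); each layer short-circuits on denial."""
    if not source_allowed(request.get("remote_addr", "")):
        return 403, "source not allowed"
    user = request.get("user")            # filled in by the authentication layer
    if user is None:
        return 401, "unauthenticated"
    resource = resources.get(request.get("resource_id", ""))
    if resource is None:
        return 404, "not found"
    if not authorize(user, request.get("action", ""), resource):
        return 403, "forbidden"
    return 200, resource.id


if __name__ == "__main__":
    docs = {"doc-1": Resource("doc-1", owner_id="alice", shared_with=frozenset({"bob"}))}
    for req in (
        {"remote_addr": "10.0.1.5", "user": "alice", "resource_id": "doc-1", "action": "write"},
        {"remote_addr": "10.0.1.5", "user": "bob", "resource_id": "doc-1", "action": "delete"},
        {"remote_addr": "203.0.113.9", "user": "alice", "resource_id": "doc-1", "action": "read"},
    ):
        print(req["user"], req["action"], "->", handle(req, docs))
```

The ordering matters: the network check runs before any authentication work, so traffic that should never reach the API costs nothing beyond the address comparison, and the authorization step is made per resource so that a logged-in user cannot reach another user's data merely by guessing an id.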

website, webservice and web API

I am a newbie here and confused by a few things.
Some websites (twitter, foursquare, etc) provide an API for third-party developers to call. Are those APIs the web services that the sites provide?
Are those web sites themselves built on top of those public APIs/web services? Theoretically, is it possible?
Comparing a traditionally built website and a website built on top of web services, what are the pros and cons? Are there any performance, scalability, etc. differences?
Thanks in advance!
I'm sure somebody can give you a more exact answer but reading your question and applying my self-taught knowledge:
The simple technical definition of Web Services according to W3C:
A Web service is a software system designed to support interoperable machine-to-machine interaction over a network.
http://www.w3.org/TR/2004/NOTE-ws-gloss-20040211/
I like to think of web services as the interactive elements of a site that its customer base utilizes. For example, Twitter's web services include: tweeting, messages, hashtags, etc. Web services are what users get to DO or DATA passed back and forth.
A public web API provides means for developers to utilize the web services on their own site. For example, Twitter's API allows example.com site to utilize tweeting, messaging, hashtags, etc from within their own domain. An API is how developers get external access to web services to make apps using those services.
I have no idea about this question. I wouldn't do that. I would use the methods the public API exposes access to. But, I've never written my own API, let alone on the scale of Twitter or foursquare.
I hope this helps.
First of all, maybe you need some more info about what an API is: please take a look at the Wikipedia api page.
To answer your questions (these are only general thoughts and not best practices):
An API, in this case, is a way that a developer uses to access a webservice, and it's not the service itself.
The websites you mention are not using their own APIs, as these APIs are meant for remote users (clients), and offer limited data sets, while the websites need maximum performance, access to the full database, and (almost) always use server-side code. The websites you mentioned, probably use other, server-side, high-performance APIs.
See the previous point: although it depends highly on which APIs you use, what you call "traditionally built websites" (that is, web applications using server-side APIs) can afford higher performance than websites totally built on top of remote APIs, because they do not depend on the bottleneck of the network connection (because, again usually, the web server and the database server either run on the same machine, or communicate faster than the client's browser and the server).
The reason that would make most people choose to develop a webapp the traditional way is that free APIs provide limited functionality (e.g. Google Custom Search, limited to 100 results).