While working on a new application I came across a new, for me, scenario. Our identity system is a stand alone application with it's own data store only accessible though REST APIs. This is the theme we're moving forward with, independent apps that talk to each other through APIs.
Some entities in my new app have natural associations with identity entities on the IDM app.I can store a reference to that entity's Id as reported to my app through its API. I'm thinking it would be better to store the full URL where I can GET the entity.
Does anyone have suggestions on which way to go?
MyEntity
- User: IDM issued ID
or
MyEntity
- User: https://idm-server.com/users/{id}
Thanks in advance
Related
I'm using Django Rest Framework and it's integrated with an external service. I'm using an endpoint to receive a callback from a webhook whenever a new task is created in the external service.
When the callback request comes in, my code needs to create at least one object. But it's possible that multiple objects will need to be created from multiple different models. For example, if a new task is created it's possible that it was created by a new user, in which I also need to create a new user object to reflect this.
In total, there could be up to 5 additional objects made as side effects. I'm aware of multiple different places that this logic could be added (e.g. service layers, serializers, models, managers, views). But there seem to be issues with all of these.
Has anyone dealt with this issue before? If so, how did you solve it?
First of all, it is important to understand the difference between an RPC-style API and a RESTful API. Simply put, you can imagine an RPC API to be "methods" that are "actions", while a RESTful API represents the state of your models.
For example, let's say we want to create an endpoint to handle user registration.
A RPC style endpoint might be /api/register. A register function that might do X number of things.
A REST style endpoint might be /api/users. Not an action, but simply just an endpoint that give us the state of the users that exist. A GET request would list the users and a POST request would create a new user.
With that said, it might be a bit more clear that in general, creating endpoints that do X number of actions might not be very "restful", and using a framework specifically named "Django REST Framework" might not be the right choice.
So in your particular case. I suggest that you avoid creating endpoints that work as methods, and instead treat them as the resources that they represent. This means that if you need to create a new user, you do a request to the user-endpoint, then if you need to create a new article with that user, you do a second request to the article-endpoint.
Using Signals for Side Effects
I think if you do want side effects, they should be managed using signals. For example, let's say that you want to send out emails using a contact form. Instead of having a /api/send_email endpoint, you instead do a /api/messages/ endpoint that represent a Message model, and then you use signals to send out emails whenever a new message is created.
By doing things this way, it still means that the API endpoint itself just represent the state of the model, while the side effect of modifying the state (sending a message on creation of a new message) is moved to the signal's responsibility.
I am a newbie to Multi-Tenant architecture, developing SaaS product using django-tenant-schema
my requirement was something like clients would register for product. For every registered client, I was creating new schema by following single database and isolated schemas approach. Whenever client requested from a browser I was able to identify them by using subdomain and giving privilege to acces their specfic schema. While I was starting coding lot of questions were popup in my head. I am really sorry for asking here but stackoverflow is only my last hope. Database was like below
Database
Public_Schema
auth_user
Clients_List_Table
ClientA_Schema
auth_user
ClientA_User_List
ClientB_Schema
auth_user
ClientB_User_List
Q1.What kind of admin actions we can perform on every client?
I have rest api for example http://client.example.com/api/user_list/ here client maybe ClientA or ClientB
Q2. How can we implement api routing which gets client name dynamically when user requested at browser which let us to use corresponding schema to display current client's user_list.
I'm building a nutrition skill and I want to include some calculators. I could have Alexa ask for the parameters each time something is calculated, but I'd prefer to have users set up a basic profile for themselves to store age, height, and weight values.
I found a small section of Amazon's documentation that talks about how the userId element could be used to store attributes across sessions. Will that work for what I'm talking about though? Or will I have to add OAuth?
There are two way to do this:
1) You can use sessions.
In this method, your data will be vanish when session is end (user stop talking with your skill)
more details https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/alexa-skills-kit-interface-reference#session-object
2) You should implement an oauth 2.0 server to store user data. It is not that easy but you can find some oauth server example in here https://oauth.net/code/
For connecting your skill to your oauth server, you can follow here
https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system
bonus: If you do not want to implement an oauth server, you can use Login with Amazon (or login with google) services. But you will still need a database server to store data
The userId that you get on your requests uniquely identifies an Amazon account, not a person. Despite the option to switch between different accounts on a single device (see: https://www.amazon.com/gp/help/customer/display.html?nodeId=201628040), the feature to identify people has been discussed (http://time.com/4683981/amazon-echo-voice-id-feature-2017/) but it's not available yet.
As already mentioned in the comments, you will need to persist the session information between sessions and you could use the userId to identify each account.
But in any case, you don't need account linking or using Oauth to simply identify a person.
Additionally, I'd recommend you to stay within the Amazon ecosystem and run your stuff in Lambda (with free tier and with development credits for developers publishing Alexa skills).
If you need help getting started, I have a single-file template for Alexa skills using Python and several examples:
https://github.com/josepvalls/ask.py
I'm trying to design a good RESTful API for my web app and am looking at Facebook's Graph API as an example.
My plan is to dogfood the API in the web app. For example, if the user changes their name, gender, etc., on the settings page, it would just PUT to the /user endpoint of my web app with the new data.
However, I noticed that Facebook's Graph API does not allow modifications to the User resource. Are there some resources that you want to make sure are not modifiable from the public API?
I'm basically just wondering if there are any risks with my method, and if not, why other websites don't do the same thing.
Yes, there are resources that you want to prevent API users from modifying, but they are application dependent. For instance, an API I'm working on right now lets callers read but not update audit data, read user records (but only modify parts of their own), and create and update home addresses.
You will want to make sure that you have rigorous security in place to prevent users from modifying certain parts of a User (such as username or password), especially if user A is calling PUT /users/B.
I feel like exposing an edmx class as a parameter to a web service is not a good idea. I feel like it's wrong design. eg.
[WebMethod]
MyWebservice(int customerID, UserProfile profile){
}
now UserProfile is a class generated by Edmx framework. You might argue if the profile object is an input then it will not get a proper id (edmx id) because it will be created out of the context (since the web service can be called from any external consumer).
But i'm also looking for more explanation why exposing edmx class as a web service is not a good design. If you think it's ok, please tell me.
thanks
It's generally considered good design practice to keep the data contracts of a web service and the data model objects associated with a database separate, so that if required you could change the entity model used at the back of a web service, without having to change the interface that you expose to consumers of the service.