I have perused the questions asked about this, but I still don't have a definitive answer.
I have an application and would like to build a RESTful API to expose a subset of information. I have three resources:
users
reports
photos
Users have reports and reports have photos. Photos cannot exist outside of reports and reports cannot exist outside of users.
I have designed the following URLs for my requirements
User login, server responds with token which is sent in the header of all API calls
GET example.com/api/
Get user info
GET example.com/api/users/{username}
Get all user reports
GET example.com/api/users/{username}/reports
Get all photos of a report
GET example.com/api/users/{username}/reports/{report_id}/photos
Add a photo
POST example.com/api/users/{username}/reports/{report_id}/photos
Delete a photo
DELETE example.com/api/users/{username}/reports/{report_id}/photos/{photo_id}
Modify photo description
PUT example.com/api/users/{username}/reports/{report_id}/photos/{photo_id}
Questions
Is it good practice to add a resource id in the URL, i.e. resource/id, or should this rather be added as a query parameter?
Is this method of chaining resources, i.e. resource/id/sub-resource/id/etc., acceptable and good or should I put all my resources at the top level and specify its position with query parameters?
Nothing wrong in this design.But this creates long URL which sometime are difficult to understand and the user of the API needs to know the hierarchy.Moreover the consumer of the API need to write more code in little bit non-standard way(Even though it can be done, but will be little messy). Think this from a different perspective
You have three resources and each has its own identity.So if we refactor the above URI's it will looks like below (I am demonstrating only GET)
User Resource:
Get users list
GET example.com/api/users
Get specific user
GET example.com/api/users/{username}
Report Resource:
Get all reports
GET example.com/api/reports
Get a specific report
GET example.com/api/reports/{report_id}
Photo Resources
All Photos
GET example.com/api/photos
Specific Photo
GET example.com/api/photos/{photo_id}
User All Reports
GET example.com/api/reports?username={userName}
Specific report of a user
GET example.com/api/report?username={userName}&report_id={reportId}
User All Photos
GET example.com/api/photos?username={userName}
User All Photos for a report id (You may not need user Name if report_id is unique irrespective of the user, which will further simplify the URI)
GET example.com/api/photos?username={userName}&report_id={reportId}
All photos of a report
GET example.com/api/photos?report_id={reportId}
This simplifies the understanding and more standard code can be written on the consumer side using this approach.
IMHO you are modelling it well.
Regarding 1 I'd rather go with resource/id rather than query param. But one thing you must have in mind when modelling is the cache mechanism by proxy and so on. So do not forget the headers.
I go for query params for filtering and those sorts.
About the login, the credentials should be in the headers, and no specific resource is needed. Just apply per resource security.
I don't see anything wrong with your scheme.
Most frameworks nowadays use a similar standard for specifying url's (like Django).
In my personal opinion, it makes the URL more readable and a bit nicer for the user.
Related
I've built a CRM webapp with Django for a specific lead heavy industry. It's working for both gmail and outlook users. Through MsGraph and Google API, the user is able to give authorization via Oath2 to the app to access their inboxes. The app then grabs and parses emails from various sources.
Each lead source always sends the lead emails with same subject. This makes the lead emails easy to identify from the users inbox. Unfortunately, the subject of EVERY email that comes in has to be searched to find the desired lead emails. Unfortunately, Identifying by sender isn't an option, and wouldn't change the issue. Each email would still have to be searched.
I have a couple of colleagues beta testing right now.
As I think about taking on new users that may be outside of my colleagues, I am starting to think the webapps unrestricted access to a user's inbox via the available scopes isn't the best approach for trying to attract new users. I would be suspicious of any 3rd party program wanting to access all of my emails, even if just searching for specific emails.
I use Google's watch() and MsGraphs subscriptions to do this while the user is offline. It doesn't appear that Google or Microsoft allow for any kind of message change filter based on what's in the subject line.
Are there any methods that I have not been able to find in either Google API or MsGraph documentation that would limit access to only the emails that meet the subject search criteria?
Would this even pass either of their security checks to get 'Published Status.'
Reading through the Google docs, it looks like you can set authorization scopes that limit access to just labels and basic settings. This should allow you to filter messages by subject and apply labels to those filters.
Of course, the subject filtering doesn't have anything to do with authorization. But fine tuning the authorization is better than allowing write access to an entire mailbox.
I would say in general, the more open the permissions are, the less likely you are to get approved. Google wants you to only have access to what you need to achieve the product's purpose, nothing more.
https://developers.google.com/gmail/api/auth/scopes
There definitely isn't a way to set custom permissions based on subject. In fact, I don't know many APIs in general that allow you to define custom permissions that granularly.
That said, it doesn't seem like you even need read access to message headers, let alone message body content, to achieve what you want to do in Gmail.
I assume Microsoft has similar scoping, but I'm not sure.
I would like to access other users public data to show in my website when they configure the page by their username/id.
It means I will create an app on FB/Instagram side and with the help of this app's access token I would like to fetch public data of other user.
Is this scenario valid now? Earlier it was possible but I am not sure now with changes in policies. Even the documents are not clear enough which can say it's possible or not?
Has anyone tried this out recently?
Users: Only data of users who specifically authorized your App is available, depending on the authorized permissions. It does not matter if data of user profiles is public or not, you have to get permission from each user separately.
Pages: If you want to get data of pages you don´t own, you have to go through a review process with your App to get access to "Page Public Content": https://developers.facebook.com/docs/apps/review/feature/#reference-PAGES_ACCESS
That´s for Facebook, about Instagram you can just hit the docs (as well): https://developers.facebook.com/docs/instagram-api/business-discovery
My number one recommendation, in this case, is Facebook API or Instagram API from Data365. I may be considered biased since it is the tool I work for, but it is really a reliable tool you can get public profile data by users ID or username.
Of course, you can use the official Facebook/Instagram APIs for searching all public objects (post, user, page, event, group, place, check-in). But note, the official API has a number of restrictions. Andyrandy has already described them in his answer. Compared with official APIs, we do not have such restrictions.
Besides, our APIs provide such unique features as gender and age recognition (via face photos) along with identification of post reactions that give a competitive advantage in obtained analytics. Data365 APIs also enable developers to create monitoring tasks for a one-time or auto data update. And above all, we do not break the law but only provide web scraping within the legal framework.
Currently I set up a RESTful API backend using Django and I can list a set of articles by the following GET:
api/articles/
Also, I can get a single article by:
api/article/1/
Each article is owned by a certain user, and one user could have multiple articles of course.
On the frond end side, I present all the articles at loading of the page, and I hope the user who is logged in currently could see the articles that they own in a different style, e.g, outlined by a box, and has a associated "delete" or "edit" button.
This requires me to tell, after the retrieval of the articles, which ones are owned by the current user programmatically. One way of doing this is to check the current user id with the owner id. However I feel this is not a good choice as the user id is the check is done fully on the client side and may be not consistent with the actual server judgement.
Therefore, is there a way, to tell by looking at the response of the GET, (say, let the server return a property "editable=true/false") to get whether the current user could edit(PUT) the resource?
I understand that this could be done at the server side, by attaching such a property manually. However, I am just asking whether there is better/common practice.
I just started learning web development and I am sorry if the question sounds trivial. Thank you!
You can attach propriety manually as you suggested. The advance of this approach is that you dont need any other http request.
Second possibility might be, that your client intentionally request information about endpoint permissions. In this case I would suggest to use OPTIONS HTTP method. You send OPTIONS HTTP request to api/articles/1 and backend returns wanted info. This might be exactly what OPTIONS method and DRF metadata were made for.
http://www.django-rest-framework.org/api-guide/metadata/
I think that this is a very interesting question.
Several options that come to me:
You can add to the GET api/article/1 response a HTTP header with this information i.e. HTTP_METHODS_ALLOWED=PUT,PATH,DELETE. Doing this way helps the API client because it does not need to know anything else. I think that this is not a good approach when more than one entity is returned.
call to OPTIONS api/article/1. Allowed methods for that user on that resource can be returned but notice that, in my opinion, this approach is not very good in terms of performance, because it duplicates the number of requests to the server.
But what if the entity returned also contains information on the owner or it? can, in this case the client know which policy apply and try to figure out it by itself? notice that the policy can be obtained from another endpoint (just one call would be needed) or even with the login response. If your entities do not contain that kind of information, it could be also returned as a HTTP header (like first option above)
I want to build a dashboard that returns more customized insights from the insights generated by app.
The app is a facebook connect website that users visit and view a list of products. They can post to facebook about that particular product by sharing a custom story that incorporates that product on their timeline.
When I go to the insights for my app, it does a great job of showing me all social impressions for all custom stories that were generated on my site.
I'd like to narrow that down even more for specific products.
My plan is to record the object ids that are generated by these actions and link them to a partucular product in my database.
I'd then like to create a new dashboard page that will allow me to login, request read_insights permission from me and then use that object_id:product mapping from my database to show how many social impressions where recorded for a given product's object_ids.
Is this possible? I've read alot about it but still haven't found the most elegant way to get a segmented report of social impressions per type of content that was posted.
Thanks for your time.
The implementation all depends on which platform you want your app to run on.
The first major component is you must have a Facebook developers account which is easy to signup for. Just go to developers.facebook.com and register. Takes like 2 mins. After that you will need to create your first app and add the correct domain name where your app will be hosted and what platform it will run on. (iOS, Android, Web, ect.) Once that is finished you can make your app public so you can use the Facebook API in your code.
For the app creation itself. The first thing you need to do is import the correct API for your platform. Which you can find a walk through at https://developers.facebook.com/docs/. Once the API is imported you must build a Facebook object which contains your app id and possibly app secret. If you're using JavaScript you don't want to use the app secret because it will be visible to the public.
Now that you have your Facebook object you must require the app users to log in and grant permission to your app. You can add extended permissions to your log in process by adding a scope value to the log in button generated by Facebook. Here is an example.
<fb:login-button id="loginBtn" max_rows="1" scope="basic_info,read_insights,manage_pages" size="medium" show_faces="false" auto_logout_link="true"></fb:login-button>
After the user is logged in you can now query information from the users account using Facebook Api calls to Social Graph. Facebook also provides a tool to help you figure out what information you can query. https://developers.facebook.com/tools/explorer
Everything else you want to do with the app can be done by Facebook API calls. You just need to insure you grant the user the correct permissions before making the API calls.
API calls are a little different depending on which language syntax you are using but they all follow the same data model and return some array of responses which can be parsed using JSON or the standard array format. The Graph Explorer tool listed above will show you the output for your queries so you can handle them accordingly.
I hope this helps gets you started.
EDITED
Here's the implementation in JavaScript
function getMetric(){
// make the API call
FB.api(
"/{app-id}/insights/application_opengraph_story_impressions",
function (response) {
if (response && !response.error) {
/* handle the result */
}
}
);
}
Here's the reference now that Facebook docs are back up https://developers.facebook.com/docs/graph-api/reference/insights
application_opengraph_story_impressions will probably give you the total impression of all stories made by your app. I ran it against my Facebook app and it came back empty but I don't have any stories so it might work with your's. Also to note in the documentation there is an * by this metric and I could't find what that means.
I'm pretty sure that right now Facebook don't give developers ability to get insights about app custom stories.
Currently Facebook documentation has the following Graph APIs for Insights data:
/{page-id}/insights
/{app-id}/insights
/{domain-id}/insights
/{post-id}/insights (where this is a Page post)
So /{post-id}/insights won't work because custom story is actually user's post and others endpoints don't apply to your case.
As far as I know the only other option to access Insights is FQL. For that you'd use insights table in a manner similar to this:
SELECT ... FROM insights WHERE object_id = ... AND metric = ... AND end_time = ... AND period = ...
Now most likely this also won't work with your custom story posts (I don't have posts which I could try it on right now, so I can't tell) but at least it is not explicitly stated so in the documentation, so you should probably try it out.
UPDATE:
I wasn't able to get any insights data via FQL, although as far as I understand the following code should have gave me at least something (object id is for my page):
SELECT breakdown, end_time, event, metric, object_id, period, value FROM insights WHERE object_id = 224981264214413 and metric = 'page_fans' and period = period('lifetime') and end_time = 1395597892
But it results just in
{
"data": []
}
Facebook also has some pretty old bug report about similar topic: https://developers.facebook.com/x/bugs/508088155954330/ where they confirmed the issue, assigned it, and... did nothing to fix it for 6 months.
In case FQL doesn't work, my suggestion to you is - use your own analytics code to track the creation of custom stories and get the friend count of the users. It won't show you the real exposure of the posts but at least you will see some data on which types of custom stories where posted more often and what was the maximum potential friend count that could have seen them. By the way - to make charting easier, you could use Google Analytics events for that.
I am building a website that will require the user to provide permission for us to post a story back to the users wall when the user takes an action on my website. I would like the story to include a link back to my website so that friends can see the actions taken.
I am not sure of the correct permissions because I cannot get a link back to my website from the story post. I saw publish_stream, but that appears to be old now. Any pointers to FB policy and documentation would be appreciated. I
Instead of making stream posts, you should instead use Open Graph actions, which will give you a much better result and feel less 'spammy' to your users. I can't post code that will do this for you as it would need to fit into your existing setup, however it is a relatively simple process, which is well documented (https://developers.facebook.com/docs/opengraph/actions/):
Auth users by prompting them to give publish_actions permission and any other permissions your app might need.
Store the users access token in your database (not necessary if you're using the client-side Javascript SDK, but you might want to do it anyway)
Setup your Open Graph Actions and Objects in the Developer Dashboard.
When a user performs a relevant action in your app, make a simple Graph API call to the following endpoint:
https://graph.facebook.com/me/YOUR_APP_NAMESPACE:YOUR_ACTION? YOUR_OBJECT_TYPE=YOUR_OBJECT_URL&access_token=YOUR_ACCESS_TOKEN
Done.
You can add extra elements to the action, such as action links, however the basics are outlined above. Once you've performed those steps, the user will see something like this on their Timeline:
The part that says 'on NYCCookbook' is customisable and clicking on most parts of this story will bring Facebook users back to your site. There are many benefits you can get if you implement this all correctly.