Pull data from CRM online using Web API - javascript

I've created a webpage that will be used as a survey for end users to submit a review of how the helpdesk technician did with resolving a ticket. I've built the webpage using HTML, CSS, JS, and PHP. The page currently needs to pull 2 things from Dynamics 365: Users name and the company. I currently pass the ticket # via the URL which I plan to use as the value in a lookup (somehow).
I think that I need to use the Dynamics API somehow to get access to pull data from the form but I am not sure how to go about that. I found this post online https://functionalthoughts.com/dynamics-365-web-api-retrieve-data-javascript/
which I think is only for web resources created inside of CRM.
Here is an image of what I currently have:
Image
and the value that I have passed via URL Image2
The end goal would be to pull the value of the name and company fields in Dynamics 365 Online.

Without full context of your application, I can only give you high level pointers.
Before anything,
You need to authenticate to Dataverse (the engine that is hosting the data your after). That means you need a an identity + JWT Token to auth.
This is the more complicated part, depending on how your managing access to your site and if your intending to allow dataverse to manage data access security.
To do that, in php, your going to want to start here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries#web-application and read up the Python path for MSAL.
Once you have that you will either use a S2S app ( ConfidentialClient app ), or user identity auth ( publicclient app. )
For explanation sake, I am going to assume that you created a Confidential app to work with. In Dataverse this type of login identity is called an "Application User"
Now you need add the application user to Dataverse and grant it permission to read the data you want. You should work with the admin of the dataverse instance to get that setup. if your trying to solo it :) there is a good blog on how to do this here: https://powermaverick.dev/2020/08/10/create-application-user-in-dataflex-pro-cds/ Dont forget to grant your user a security role that can access the data your after.
Next,
You said you want to query by Ticket ID, again assuming that ticket id is in dataverse, you need to create an alternate key for the field that contains the ticket to be able to query on it.
you can find info on how to do that here: https://learn.microsoft.com/en-us/powerapps/developer/data-platform/define-alternate-keys-entity
Ok, now that you have a user to work with and can create a token, and you have an alt key on the column your trying to query on, you just need to form the query to dataverse.
General info on how to form and call queries in dataverse can be found here https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/query-data-web-api a specific example of retrieving via alt key can be found here: https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/retrieve-entity-using-web-api#retrieve-using-an-alternate-key
Now that you have all the setup done, and once you have formed your query, you will need to generate the token and add it to the authorization header of the request and send over.
That should get you data back.

Related

Wondering if I can use mySQLs connection.threadID to continue running queries?

I am new to web development, but I am building a tool to help us visualize the customers in our database in a more concrete way (basically a CRM of sorts). Its a web app using a node.js backend and Vue.js for the front end.
THE BIG QUESTION - I found a connection.threadId query that can be run. If I save this threadID in a cooke or JSON web token, can I use this to have each user uniquely querying the database? If you need additional information on my issue, continue reading.
Essentially the problem I am running into is authentication. We were able to get a dummy user create that has read only privileges to the database, but this doesnt help the account management team. I am trying to find a way for them to be able to login with their own credentials and then be able to run queries from my node.js (javascript) backend using a series of get and post requests.
I am able to get the user to login with the SQL password and they can run the initial query (that fires upon login) but they then cannot re-query the database if someone else logs in after them (I realized that my variables were all globally scoped on the server.) I then moved everything client side in JSON web tokens, but I had to hash the database password to be safe which leaves me with another problem. My hash and the original database hash do not match, and that is not something I'll ever get access to. Not really sure where else to go with this at this point.
Please ask if you need any additional information to assist.
Thanks!
You probably can't.
You also probably shouldn't use variables on the SQL server for a web app like this. If you can refactor those into variables you can schlep around in the user session (or POST parameters or whatever), you're much better off, being more stateless (as far as the server components are concerned) and all too.

Using MongoDB to separate different user data

I'm already familiar that MongoDB is based on documents that are in JSON format. I'm creating my first web app using the MEAN stack, where users can register and then be able to sign in to a back-end dashboard where they can implement products/profile information etc. How would I set that up to be stored on MongoDB? would each user be stored as a document? And as far as security reasons, how can I go about not allowing a GET request to be able to get a different users information?
Currently, I just have a collection of users, and a collection of products (with the unique id number for each user), etc. to me that doesn't seem the proper way to store data.
If anyone can help me on how to setup the database for Mongo that would be fantastic! Thanks in advance!
would each user be stored as a document?
Yes, each user is an object, thus it's stored as a separate document.
how can I go about not allowing a GET request to be able to get a different users information?
This has nothing to do with Mongo or any other data storage mechanism. You'll need to work on a Web service layer which exposes your data filtering requests to authorize them based on user role, claims or any authorization approach you might find useful in your scenario.
Maybe you should look at implementing OAuth2. There's a package that integrates with Express to implement your own OAuth2 authorization server: node-oauth2-server.
Currently, I just have a collection of users, and a collection of
products (with the unique id number for each user), etc. to me that
doesn't seem the proper way to store data.
You are on the right way actually. Now when you show products page for users you need to retrieve only documents that belong to that single user that is currently authenticated, this implies that you have authentication set up, and products have a userId field.
This is how most application work. If you want to read about other ways of solving this then read about multi-tenancy.

Building an HTML Widget to embed paid content - how to secure communication with the backend?

I'm creating a widget that shows content when the page visitor pays for it. I'm handling the payment form inside the widget and I'm using Stripe for credit card handling, charges, etc.
My problem is: I want to make it easy for the user to pay for the content, right now, I'm my working proof of concept I only ask for the email, then:
Check if I already have this email on my system, check with my API server if it has a payment for this product associated and then let the user get to the content.
If the email is not present in the system, it is created, and return only the Stripe publishable key.
If the email is present, but it has no payment associated with this product, simply return the Stripe publishable key.
When the widget gets the Stripe key, then it shows the payment (credit card) form, which is used to get the Stripe token, and this token, along with the email, is sent back to my API server. If everything is Ok, then the widget retrieves the content and shows it to the user.
Now, the question(s): How to secure the communication between the widget and the server, besides using HTTPS? I already have support for application id/secret pairs, how can I use them to to authenticate the requests from the widget to the server? The widget will be inserted in pages on arbitrary domains, so using the Referer/Origin headers is out of the question.
I don't think that is really important, but if it helps, I'm using Django 1.7 and Django Rest Framework 3.0.5.
Thanks!
There is an api you can use, called CoinTent. Its sub-motto is "Purchase individual pieces of content for small prices with one account and one click." HEAD HEAD HEAD HEAD...

Client Side JavaScript and database interaction

I have been working on a large project for about 4 months.
We have a "lead" that I constantly question.
The rules of the project (from the customer who has no background in IT) are
Only JavaScript will be used (Kendo UI package for CRUD).
It is to be "secured" with SSO - ADFSv2/ACS
It must have use Odata to interact with the database.
Please correct me if I am wrong, but does this not mean
A. This is clearly insecure. (after the initial login)
B. How can Kendo even handle database interaction (correctly) if it must update multiple tables?
There is another programmer currently working on a similar project and he is using Node.js for a web app that interacts with a Database.
Doesn't this suffer from a similar issue?
How does this client side CRUD work security and accurately?
Correct me if I am wrong, but it seem to me that you think that javascript directly access the database.
For that I see, Javascript is only used to manage the UI, and to contact (with Ajax ?) the server to update/create/delete entities.
It isn't insecure, but developers must ensure that the requested user's action is permitted (on server side).
Example : For a DELETE requested URL like https://myServer/myApp/Person/1, an user can modify this URL like https://myServer/myApp/Person/6 or https://myServer/myApp/Work/1.
So it must be verify that the user can delete a Person with id=6, or a Work with id=1.

Grabbing facebook feed in website

I develop mobile websites for my clients. This particular client would like some facebook wall activity to be displayed on the website. I have looked into the facebook graph api and am getting confused on authentication.
I need the blah in https://graphs.facebook.com/clientsfacebookid/feed?access_token=blah
in order to grab the info i want. I read about authentication and all of that but it doesn't seem to serve my purposes.. For example a lot of the stuff I read about getting a token is related to creating apps and stuff - which is not what I'm trying to do. A lot of ways to authenticate redirect users to log in or grant access to the information but this also doesn't seem like it fits my scenario.
Should I just talk to my client and get them to send me an access code or set up some stream so I can grab an updated access code anytime I need it OR is there some built in functionality in the API that I could benefit from using.
Any thoughts?
P.S. I am trying to implement this via an ajax call in javascript.
Thanks!
What you'll need to do is create a Facebook App and have your client add this to their page. You can then get an OAuth token for this app and use it to query the client's feed. See the Facebook documentation for authenticating as an app for details.
It's actually far simpler if you just want to grab the data from the page. Create an App, but you don't need to add it to the actual page. You can generate an App Access Token by following the instruction on the Facebook Developer Website.
Then, all you need to do is call the Graph API with the generated access_token. E.g.:
https://graph.facebook.com/{page_id}/feed?access_token={app_access_token}
You can then use the data returned by Facebook to display selected posts from the page.
The Page Admin doesn't need to add the app to the page, and this method can be used to scrape any published page. The posts on Pages is public anyway, you just need an access_token to access the page.
If you want a simple way to learn and have an example of a working model try out fourgefeed.com its a simple framework with a simple to implement example kinda like jquery.

Categories