I have come across few chat application and the website which I don't know how these things work. can someone tell me how these application works in the website.
I have seen some website with a chat widget for helping the customer for respective to their business. On signing in these application, a script file is send to email, when it is pasted over the website. Automatically a widget is created. And this widget and the application is connected externally.
Sorry, if my question is not clear. I will give some links of application and website which give you some idea what I'm trying to ask.
Website
http://www.a1000yoga.com/
http://www.voyzek.com/contact-us/
Application
https://www.zopim.com/
https://my.livechatinc.com/
What you mean is called providing Web API,
Wikipedia's definition of Web API is :
A server-side web API is a programmatic interface consisting of one or
more publicly exposed endpoints to a defined request-response message
system, typically expressed in JSON or XML, which is exposed via the
web—most commonly by means of an HTTP-based web server. Mashups are
web applications which combine the use of multiple server-side web
APIs.
In brief, They implement their service in their servers, and let you access their services by HTTP requests.
You sign up in their website and they generate a API token(a random string maybe), then when you want use their services, you send them your requests with your API token as authentication or identifying mean, and they process your request throw their application and with your data on their servers, and send you respond.
For example when you use this messaging services(or Captchas, Ads networks, etc), they provide a piece of Javascript containing your API code, then when someone views your web page, the code will send request with your API token to API provider servers and they process data for you.
You can then access to your data through their website, another API, email or etc.
Related
I need to develop an chrome extension to perform scraping on certain web pages of our customers in the private area of each user once logged on those web pages (all this always under the approval of the user informing him at all times the data that will be obtained). Each of our clients has a different website and the necessary scraping code is different for each of the clients. Every month we get new clients, so we have to develop the necessary scraping script for new clients. In addition, the information obtained from scraping will be sent by the extension to our REST web service for storage in a database.
To avoid having to generate a new version of the extension every time we develop the scraping script of the new clients, I had thought of developing a web service of type REST that the extension would initially consult, and that would return the URLs of all the clients, along with all the scripts associated with each client. In this way, we would only make a version of the extension and the scraping script would store it in a database and return it to the extension through the web service indicated above and the extension would inject it as a content script using the chrome.tabs.executeScript() method. Once the scraping is done, the result would be sent by the extension to the corresponding web service.
Would the architecture that I have commented be feasible in terms of security? If it is not, what options do I have? This project is very important for my company and I have to look for the right options.
Is there a problem with the injection of javascript code stored in our external system?
Is there a problem with sending the information obtained by scraping to our external server for storage?
I am very worried about all this, can someone help me?
Thank you very much in advance.
Basically I'm developing .NET API that allows a certain Javascript to access a Database through it. The database contains User Information and the API is the mediator between the client (running the javascript on their websites) and the database. The javascript simply gets the data from the DB and displays them.
My problem is, where do I host my API so that the client Javascripts can access it? What is this system called? I'm using Microsoft Azure SQL Databases to store the user information. How do I access my C# API from the client's javascripts? Do I need to host my API on Azure's API Hosting service? Very confused.
1) Client adds the Javascript and a HTML div to their website
2) The Javascript should access the API
3) API accesses the Database and gets the Data (Which is completed and it works)
4) Send the Data to the client and the javascript populates it
I just need to figure out how to make a connection between the API and the javascript on the client's website
Do I need to use THIS?
I would use ASP.NET Web.Api. It allows you to build a REST endpoint in C# that you can host on the Azure platform as well. You will be able to host it using the web sites features of Azure. Even though you want to build an API not a web site hosting it in a web site container will give you what you need:
Easy hosting solutions
Web endpoints for your client JavaScript to consume
C#.NET
Web endpoints close to your database. (Host them in the same data center)
Scalability
Monitoring
Ability to create a web site at the same address if you need to.
I haven't used Azure api management so I can't comment on that, but you will be able to get an ASP.NET Web.Api site up very quickly.
We have developed multi-client application i.e. the business logic resides on server side and the interfaces are exposed via REST API and mobile/web-client consumes the APIs.
The application allows different users to signup/login to get user specific data. We use http digest based authentication and a token mechanism to keep track of user state.
However, we want to restrict the access of APIs i.e. only our registered mobile/web-client could access them. So we introduced a second layer of authentication and named it service layer authentication. We are using our custom token based system just like we did for user authentication. The over all flow for mobile clients is good enough for us but for web-clients we have issues. If we embed the user credentials in Javascript, anyone can extract those credentials and consume the APIs.
In summary, all we want is to identify/authenticate the Javscript based web-client upon ajax calls.
P.S. Just for clarification, with web-client I mean our web application not the browser.
I believe you are looking for a credential exchange, where the user provides hard credentials once (such as username and password) and then recieves a scoped token which is used as an authentication mechanism on subsequent requests.
Disclaimer: I work at Stormpath, we offer user management as a service.
If you are building a Single-Page-App (i.e. AngularJS) I would recommend my recent writing on the subject: https://stormpath.com/blog/why-we-rebuilt-with-angular/
I want to develop a front-end in Javascript (possibly with one of the fancy frameworks around such as AngularJS) that consumes the REST API of my Salesforce org.
I don't want to embed my project in Salesforce technologies, so basically
no Visualforce pages
no Force.com Sites
I do want to write my own front-end on a separate server that just makes AJAX calls to the Salesforce back-end.
In addition, I want the application to be accessible for any user, even if he/she does not have a Salesforce account. So the AJAX calls should not require that the user logs in on Salesforce. I want anonymous users to be able to retrieve public data from my organization and create new entries when it is useful (in the case of a survey for instance).
Even though these requirements generate some security concerns, I can imagine that Salesforce takes care about the requests rate limits on their API endpoints and that it is possible to restrict the access to the API on a host name base (e.g., only requests with origin host my-trusted-domain.com should be allowed, send a 403-Forbidden otherwise). I would be surprised if SF does not provide such basic features.
How would you proceed? Is there a minimal Javascript code that works out-of-the-box on any domain without getting into troubles with CORS?
All REST API calls to Salesforce must be authenticated. If you want anonymous API access then you will need to proxy authenticated calls through a server (like on Heroku) that adds the auth token. Or you can use Heroku Connect to expose your Salesforce data to a Heroku app as a Postrgres database.
If you go the REST route then checkout the ForceServer and my CORS Proxy for Salesforce. Both are not setup out-of-the-box for the anonymous access you are looking for but could easily be tweaked to support that use case.
BTW: When allowing anonymous access to your Salesforce data through a proxy make sure you are dealing correctly with security and request limits.
I am attempting to write a plugin for a webapp that integrates it with facebook using the Javascript API. The application is installed by our customers on their own servers each with their own site names. This poses a problem to me as Facebook wants me to specify a site url for the application. This url is going to be different for every customer. Creating a new application for each customer is not an option.
In my research of this problem it seems that I have to pretend to be a desktop app and follow that authentication path. I cannot figure out how to do this.
Anyone have any idea how this can be done?
Are you going to host the app as a canvas app or outside facebook?
Is the url important to you? There is a strict one-to-one relation between base-url and application.
What many apps do is host the apps as directories in their domain. For example http://crazy-fb-app.com/customername
That's your options basically if you want to use Javascript SDK.
If you're going to be using server side technology you could have the user authorize the application while requesting permission to access user's data while he's offline. in that case you will receive a non-expiring (or long-expiring) authentication token which you can use from the server to make Graph API calls on behalf of the user. For some stuff you can obtain an Application Auth token (which is shorter and non-user-specific) to make calls to the graph.
Rotem