I'd like to implement an ironSource Offerwall in my app. I manage users' coins with a Firestore document for each user. ironSource documentation says:
check that we haven't processed the same event before
In short, they'll continue to send the callback until my server sends a 200 response code to them. But how could I implement a function that checks the eventID and checks whether the event has already been processed? (Even though this shouldn't happen because of the 200 response code, they also suggest doing this check.)
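One way to do the duplicate check asked about above, as an added example that is not part of the original question or ironSource's own code. The in-memory CoinStore stands in for the Firestore documents, and the userId and coins field names are assumptions; only eventID comes from the question.

```javascript
// Added example. CoinStore is an in-memory stand-in for two Firestore
// collections; with Firestore, creditOnce would be the body of a transaction
// so the event marker and the balance change commit together or not at all.
class CoinStore {
  constructor() {
    this.processedEvents = new Map(); // eventId -> { userId, coins }
    this.balances = new Map();        // userId  -> coin total
  }

  // Returns true when the reward was applied, false when eventId was seen before.
  creditOnce(eventId, userId, coins) {
    if (this.processedEvents.has(eventId)) return false;
    this.processedEvents.set(eventId, { userId, coins });
    this.balances.set(userId, (this.balances.get(userId) || 0) + coins);
    return true;
  }
}

const isId = (v) => typeof v === 'string' && /^[\w-]{1,128}$/.test(v);

// Hypothetical handler; userId and coins are assumed field names.
function handleRewardCallback(store, query) {
  const { eventId, userId, coins } = query;
  if (!isId(eventId) || !isId(userId) || !/^[1-9]\d{0,6}$/.test(String(coins))) {
    return { status: 400, body: 'rejected' };
  }
  const applied = store.creditOnce(eventId, userId, Number(coins));
  // A repeat delivery is answered with 200 as well: the event is already
  // handled, so the sender should stop retrying and the balance is untouched.
  return { status: 200, body: applied ? 'credited' : 'duplicate' };
}

// Constructed deliveries: the second is a retry of the first.
function demo() {
  const store = new CoinStore();
  const deliveries = [
    { eventId: 'evt-1001', userId: 'user-42', coins: '50' },
    { eventId: 'evt-1001', userId: 'user-42', coins: '50' },
    { eventId: 'evt-1002', userId: 'user-42', coins: '20' },
  ];
  const replies = deliveries.map((q) => handleRewardCallback(store, q).body);
  return { replies, balance: store.balances.get('user-42') };
}
```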
Related
It's so simple yet I can't figure it out.
I would like to write to DB on page visit (without Google Analytics).
I would like to do it on server side.
Since there is no trigger for it, and I redirect all requests to a function, I tried:

    exports.contentServer = functions.https.onRequest((request, response) => {
      ...
      ...
      return response.redirect(url + "?action=" + action)
        .then(function () { // **** error: .then of undefined
          // write to DB a visit
        });
    });

Now this will return an error since response.redirect will not return a promise (as Frank said).
I could write to the DB before I redirect the user, but then I make the website slower.
I could do so from the client side, which has security problems.
How would I capture and save every page visit?
In a callable Cloud Function, sending a response to the client is a signal that the request is completely handled, and that Cloud Functions can shut down the container/use it for other requests.
So there is no way to continue processing after you send the redirect back to the client. You'll either have to perform an additional request from the client, or wait with sending the redirect until you've sent the event to the database.
Note that you won't have to wait for a response from the database, which is how many analytics systems deal with this situation. They send the response, and then trust that the majority of events will make it through.
I have integrated the Smartsheet API in PHP. I am able to create the webhook and enable it. When a change is made in the sheet it hits the callback URL. I am not receiving any data related to the change. I have logged the data as $_POST, which is empty.

    function smartWebhook_post(){
        log_message('error','SS data: '.print_r($_POST,true), '', 'smartsf');
        $this->response(array('HTTP status'=>200));
    }

According to the documentation HTTP status 200 has to be sent back.
Every webhook callback will have a JSON body. So I'd look more closely at how you are handling the POST payload.
Note that the very first callback will be a verification request as per http://smartsheet-platform.github.io/api-docs/?javascript#webhook-verification
I have a method called GetAuthCode(). It is used to get an authorization code from an API server for my web server. I then store this code in the cache.
Because this authorization code has an expiry time, when it has expired I'll call GetAuthCode() again.
Question:
If 10 requests come in 'simultaneously' (considering network deny) and the code has expired, each request will call GetAuthCode().
Under this circumstance, I only want the very first request to successfully call GetAuthCode(). So I want to 'lock' this method:
When GetAuthCode() has been called, it can't be called by others at that moment
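A sketch of the behaviour asked for above, as an added example that is not part of the original question. It is written in JavaScript, where concurrent callers share one pending promise instead of taking a lock; createAuthCodeCache, fetchCode and the { code, ttlMs } result shape are assumptions made for the illustration.

```javascript
// Added example. fetchCode is a hypothetical async function that asks the API
// server for a code and resolves to { code, ttlMs }; now is injectable for tests.
function createAuthCodeCache(fetchCode, now = Date.now) {
  let cached = null;   // { code, expiresAt } from the last successful fetch
  let inFlight = null; // promise of the refresh currently running, if any

  return function getAuthCode() {
    if (cached && now() < cached.expiresAt) return Promise.resolve(cached.code);
    if (!inFlight) {
      // First caller after expiry starts the refresh; later callers reuse it.
      inFlight = fetchCode()
        .then(({ code, ttlMs }) => {
          cached = { code, expiresAt: now() + ttlMs };
          return code;
        })
        .finally(() => { inFlight = null; }); // success or failure: allow a new attempt
    }
    return inFlight;
  };
}

// Constructed scenario: 10 concurrent requests hit an empty cache, twice.
async function demoConcurrent() {
  let calls = 0;
  let clock = 0;
  const fetchCode = async () => {
    calls += 1;
    await new Promise((resolve) => setTimeout(resolve, 10)); // simulated latency
    return { code: `code-${calls}`, ttlMs: 1000 };
  };
  const getAuthCode = createAuthCodeCache(fetchCode, () => clock);
  const first = await Promise.all(Array.from({ length: 10 }, () => getAuthCode()));
  clock = 1001; // move past expiry
  const second = await Promise.all(Array.from({ length: 10 }, () => getAuthCode()));
  return { calls, first: new Set(first).size, second: second[0] };
}
```

This covers a single process only; several server instances sharing one cache would need the same idea applied at the shared store.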
My users enter a few information fields in an iOS app.
This information must be validated on my server, which has a RESTful API.
After validation the UI of the iOS app changes to indicate the result.
Neither GET, PUT, or POST seem to be appropriate, because I'm not getting a resource, and neither is a resource created or updated.
What is the best fitting REST operation to implement this validation?
I use the same scenario as you and use PUT for it. You have to ask yourself: "when I send the same request twice, does this make a different state on server?" If yes, use POST; if no, use PUT.
My users enter a few information fields in an iOS app. This information
must be validated on my server, which has a RESTful API. After
validation the UI of the iOS app changes to indicate the result. ... I'm
not getting a resource, and neither is a resource created or updated.
Since you aren't saving anything (not modifying any resource), I'd think this is technically more RPC than RESTful to me.
The following is my opinion, so don't take it as gospel:
If the information is simply being submitted and you're saying yes or no, and you're not saving it, I'd say POST is fine.
If information were actually being saved / updated, then choosing the proper HTTP method would be a lot more relevant.
POST = CREATE / SUBMIT (in an RPC context)
PUT = UPDATE (or CREATE if there is nothing to UPDATE)
I recommend using a ValidationResource and two requests. Each instance of this resource represents the validation of a set of data. The workflow:
1. Create new ValidationResource
   Request: POST /path/to/validations
     data to validate as the body
   Response: 201 Created
     Location: /path/to/validations/<unique-id-of-this-validation>
2. Look up result
   Request: GET /path/to/validations/<unique-id-of-this-validation>
   Response: 200 OK
     body: {'valid': true} or {'valid': false}
This is a RESTful approach in which the Validation is a Resource with server state.
Google proposes use of Custom Methods for REST API
For custom methods, they should use the following generic HTTP
mapping:
https://service.name/v1/some/resource/name:customVerb
The reason to use : instead of / to separate the custom verb from the
resource name is to support arbitrary paths. For example, undelete a
file can map to POST /files/a/long/file/name:undelete
Source: https://cloud.google.com/apis/design/custom_methods
So for validation the URL should be POST /resource:validate
I believe it is similar to GET entity, but since we need to send data to validate, and sending confidential data in the URL is a bad habit as only payload data is ciphered by TLS, the only way left is POST or PUT.
However, you may save or update the data in validate (e.g. "verified":false). Based on the requirement, you can go for POST or PUT (POST recommended if there is no update).
POST /user/validate-something
It seems like you're not doing it the correct way. If the validation is on the server side, then it should happen while submitting the data using a POST method. Then you'll validate that data; if validation fails you can raise a 400 BAD REQUEST error, else you can create the resource.
This approach is more RESTful, as the POST method is properly used to create a resource or to raise 400 if validation fails.
I'm creating a RESTful API for creating users that enforces unique email addresses:
Successful POST /users: HTTP 201 Created
If I POST the same email address again, what should the response code be? Is 409 Conflict the appropriate response code?
Yes, 409 is the most appropriate response code here. Even though you are most likely returning 201 on success, you're still POSTing to a resource which is described as a collection, and POSTing a duplicate email is definitely a conflict with "the current state of the resource" as a collection. You should return a response body with a description of the problem, and hyperlinks to help resolve the problem, if possible.
I am not really satisfied with returning a 409 Conflict for an existing registered email - in my opinion, it's not a client error. So let's take a look at how some big tech companies are handling that case (at least how they are doing it in their WEB Site APIs).
Gmail (Google) returns a 200 OK and a JSON object containing a code which is indicating that the email is already registered.
Facebook is also returning a 200 OK but re-renders the content to a recovery page to give the user the option to recover his/her existing account.
Twitter is validating the existing email by an AJAX call to another resource. The response of the email validation resource is always a 200 OK. The response contains a JSON object containing a flag to indicate if the email is already registered or not.
Amazon is doing it the same way as Facebook. Returning a 200 OK and re-rendering the content to a notification page to inform the user that the account already exists and provide him/her possibilities to take further actions like login or password change.
So all these APIs are always returning a 200 OK and presenting to the client/user either additional content to recover their account or an error message which is raised by the body content of the response.
While the accepted answer is correct in showing the correct status code for the task, I want to add that you are introducing a security vulnerability.
If you return a 409 for account registration, you are just exposing a service for account enumeration.
Depending on the application, whether the API is public or not, etc., you may want to return a 201 even if the account wasn't created.
+1 to Bart's answer - for security reasons. Usually I would agree that 409 is a good status code for something that already exists. But in an environment of user accounts/authentication/authorization etc., I would tend not to expose the existing user accounts in your database.
Of course there are other mechanisms of handling security at this place. If you do not mind exposing a small number of your accounts, you could add a behavior to your application that returns 401 or 403 on numerous 409 events from one IP.
Another option (in general) is to define a status code on your own to have a 2xx that differs from the existing standard 2xx variants. This could be an option if you do not want to handle an "already exists" as an error. However, this would be regarded as non-standard and would have the same unsafe character as a 409 in your concrete example.
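The trade-off raised in the two security answers above, as an added example that is not from any of the posts: a registration handler that answers 409, one that answers identically in both cases, and the 409 handler with the per-IP limit. The in-memory registry, the e-mail notice to the address owner and the threshold values are assumptions made for the illustration.

```javascript
// Added example. The Set and array are in-memory stand-ins (constructed data)
// for the user table and the outgoing mail queue.
function createRegistry(existing) {
  const users = new Set(existing);
  const outbox = [];
  const conflictsByIp = new Map();  // ip -> timestamps (ms) of recent 409s
  const MAX_CONFLICTS = 3;          // assumed threshold
  const WINDOW_MS = 10 * 60 * 1000; // assumed window
  const norm = (email) => email.trim().toLowerCase();

  // 409 variant: the status code tells any caller the address is registered.
  function registerRevealing(email) {
    const key = norm(email);
    if (users.has(key)) return { status: 409, body: 'email already registered' };
    users.add(key);
    return { status: 201, body: 'created' };
  }

  // Uniform variant: same status and body in both cases; only the mailbox
  // owner learns which case applied (assumed out-of-band notice).
  function registerUniform(email) {
    const key = norm(email);
    const known = users.has(key);
    if (!known) users.add(key);
    outbox.push({ to: key, template: known ? 'already-registered' : 'confirm-address' });
    return { status: 201, body: 'check your inbox' };
  }

  // 409 variant plus the per-IP limit: after MAX_CONFLICTS conflicts inside
  // the window, further requests from that IP get 403 without a lookup.
  function registerThrottled(email, ip, now) {
    const recent = (conflictsByIp.get(ip) || []).filter((t) => now - t < WINDOW_MS);
    conflictsByIp.set(ip, recent);
    if (recent.length >= MAX_CONFLICTS) return { status: 403, body: 'too many attempts' };
    const res = registerRevealing(email);
    if (res.status === 409) recent.push(now);
    return res;
  }

  return { registerRevealing, registerUniform, registerThrottled, outbox };
}
```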
I often use the (WebDAV extension) HTTP 422 Unprocessable Entity:
The request was well-formed but was unable to be followed due to semantic errors
409 => Conflict
That means:
The request could not be completed due to a conflict.
For example, POST ContentStore Folder API cannot complete if the given file or folder name already exists in the parent location.
For registration it is required to have a code that is different from success 200 code, but not an error 4xx code.
As suggested in "HTTP response code for POST when resource already exists", look at 3XX:
302 Found
303 See Other
In particular
According to RFC 7231, a 303 See Other MAY be used if the result
of processing a POST would be equivalent to a representation of an
existing resource.
The concern about exposure of existing addresses to enumerating bots can be addressed by different means such as captcha.