DEV Community: Mike Hingley

Looking at the REST api for YouDontNeedACRM

Mike Hingley — Tue, 09 Nov 2021 00:09:26 +0000

I started looking at the REST API for youdontneedacrm - and I thought I'd share my experiences here in a blog post on DEV.

To start with you can get a 15 day free licence to use site (and the API) - so I started filling the code to create the account :

Now there is a part of the sign up that I found confusing - and it was around the type of account you want to set up - I don't have any screenshots of this section.

Once you have chose the account type that you would like to make, then eventually - you need to activate your account

one of the options to enable the account is to spread the word - hence this post on Linked In

Getting started with Insomnia

When I'm working with an API I like to document it using the Insomnia REST tool - it has the advantage of being both documentation and a testing environment - and you can download a partial Insomnia workspace that has the following functions set up

Authentication
- Login
- Ping (API KEY)
- Ping (User Token
- GetUserToken (UserID)
- GetUserTiken (User Email)
- Logout
Activities
- Get Activities
- Get Activities (User)
Leads
- Create a Lead
- Create and Lead and assign to user
- Create a Reminder

computamike / youdontneedacrm

Notes and supporting information for the YouDontNeedACrm solution

This is a very small subset of what the API can offer - but this is all the functionality I wanted to explore for the moment.

Authentication

The API docs say the following :

In order to secure your transaction, we ask you to use one of your generated api key or your user token with any https transaction.

In this version 2 of the API, you have the choice of making your requests:

user not dependent using one of your API key: it is for the account and it grants you admin rights. Meaning if you create a lead for example with this api key without specifying a user, the lead won't belong to any specific user and will appear in the interface as an unassigned lead.

user dependent using a USER token: all the requests will use the privacy of the users and some requests won't be allowed depending of the user rights.

user not dependent using one of your API key: it is for the account and it grants you admin rights. Meaning if you create a lead for example with this api key without specifying a user, the lead won't belong to any specific user and will appear in the interface as an unassigned lead. user dependent using a USER token: all the requests will use the privacy of the users and some requests won;t be allowed depending of the user rights.

Impersonation

So the way the security model is set up is that you can use basic authentication to log in as a specific user. Logging in will return a user token (it isn't known how long the user token exists for - but there is a specific call to invalidate - or logout. You can now pass in the user token into all subsequent calls, and have every privilage that the user has.

I think this is a little worrying, and not a stategy I would suggest to follow. If a user leaves the group, or changes their password then scripts that have previously logged in as that user will no longer work.

Instead I would suggest using the API key approach - something that YDNAC supports, and is (in my mind) a better approach.

API Key.

The API approach, allows a script using the API to identify using a key that can be activated, deactivated and even removed through the administration dashboard. This doesn't tie the script to an individual user and is (in my mind) a more robust way of handling the authentication, and is more in line with what and how we'd expect to integrate with services - API Keys and tokens (as opposed to user credentials) seem to be the way that services like Twitter / Facebook / Github all handle authentication of systems that integrate with them.

To create an API token, navigate to (YOURSITE)/admin/api_keys and click the Create an API key button.

Broken bits

There are a few areas where I've found problems - primarily the Get activities endpoint always seems to return a 403 (forbidden) error - I'm not sure why - maybe I need to add some activities?

There are references to getting activity ID's within the API documentation - but nothing really about how to set up an activity - I'll investigate more, but I also can't find anything about activity while looking on the UI.

I also experienced a really strange error being returned from this REST API

Mike Hingley

@computa_mike

Hi @noCRM - I'm trying to call a rest API, and I get some very strange responses. I get a 200 but in the body I get this :

11:19 AM - 28 Aug 2020

but that was down to be POSTing something to a GET endpoint - even so - surely it shouldn't return a 200 status - more likely a 405 error?

Next Steps

For my experimentation I set up a quick .NET class to talk to YDNAC. I plan to take this class library further, and implement the full API.

Can't get to the footer of Dev.to

Mike Hingley — Thu, 18 Feb 2021 01:26:37 +0000

dev.to has an infinite scroll set up - so that makes it almost impossible for a user to access the content in the footer - because as soon as the footer is presented, the scroll system goes ahead a fetches more content.

So does that mean that in order to view the footer I need to view ALL of dev?

All i wanted to do was find the github link to see whether the Dark Mode issue has been reported or not...

CCHits on Docker

Mike Hingley — Mon, 07 Dec 2020 18:21:21 +0000

Hello World. This is my first article on DEV - hopefully, part of a series on hacking (the good kind) on the CCHits Codebase.

So what is CCHits.net?

From the website cchits.net:

CCHits.net is a site promoting and featuring Creative Commons licensed music and the podcasts that play them.

CCHits.net also generates an automatic podcast providing a daily exposure show and RSS feeds for Daily, Weekly shows.

Daily Exposure Show RSS

CCHits Daily show for 06/06/2019

CCHits is based on Linux - and uses tools like festival and sox to construct Podcast episodes. Previously I would have suggested running Laravel Homestead - and I wrote a wikipage on the CCHits repository.

With the recent moves in the dev-ops arena towards Docker, this causes some issues for me - the main being the compatibility between Homestead (Virtual Box) and Docker (Hyper-V).

In this article, I'll use Docker to set up a couple of containers for the main website and a database - and go through some of the settings that are required to allow a developer to start hacking on the CCHits Codebase.

At the moment, you can find the code on the DockerSupport branch.

computamike / Website

Docker File

I've set up a docker file to stand up CCHits as a PHP5.6 / apache image and linked that up (using docker-compose) with a MySQL Server.

Standing up the required infrastructure to run locally just requires executing the command

docker-compose -f "docker-compose.yml" up -d --build

Once this is complete, there will be a website and MySQL 5.7 database server. Fire your browser to http://localhost and you should see...

Main CCHits front page

Setting it all up.

CCHits stores some of its configuration within the Database - so we'll need to set that up, and we'll need to set up a Google Application to do that.

Set up a project on Google Developer Console at https://console.developers.google.com/

Set up some OAuth 2.0 Client IDs - Here's my set up :

Google OAuth set up

I've blurred out the credentials - but the important thing is to register some endpoints for the application.

These need to be stored in the database in the config table in the following fields :

Key	Value
googleClientId	Whatever is in your Google OAuth Settings
googleClientSecret	Whatever is in your Google OAuth Settings
googleRedirectUri	http://127.0.0.1/oauth2callback

Firing your browser to http://127.0.0.1/admin should present the login page.

CCHits Login Page

As we have set up the Google Authentication, let's use that option to login using my google account.

Logging in using Google Authentication

Log in and boom...nothing happens... You're back at the login page. This is because you're a user - you're even logged in... but you're not set up as an administrator.

With Great Power comes great responsibility

To rectify this situation, connect to the MYSQL container (I'm using MySQL workbench here) and set the admin flag for your user to 1...

Setting your user record to have the admin flag

Refresh your browser to glimpse behind the curtain, and behold the majesty that is the administration page on your local CCHits instance.

CCHits Administration Screen

In the next post, we'll look at configuring a music provider and setting up Xdebug using VSCode.