before anything, I wanna you to Know that I'm a Complete Newbie
in these things about developing "paid" webapps. I have been reading some posts
about how to integrate Paypal's IPN with Google App Engine, and I have some questions
about the topic, the thing is like this:
I want to use a paypal's Subscribe button in my webapp (wich is developed with GAE's Python base)
so the users can subscribe to the premium version if they don't want to use the free one anymore...
I was reading that paypal can help me to manage this thing about the users control via IPN but
I have to setup that in my GAE App and I don't know how... For example:
Where the notification URL has to point to in paypal's profile configuration?
I believe it has to point to a python script in my app but I'm not sure... If
that is true, What does this python script has to have?
Then, after that's finished, How can I make paypal create
usernames and passwords for my users in order to keep non premium users out of the
"premium features"?? I don't want links to something, I need explanations on how
to implement a "Paypal Subscriptions service" inside a Python based app on GAE
in order to offer a "premium service" and a free one,
Thanks, hope you can help
To make a short answer (as I'm not exactly sure what's the scope of your question).
It's not paypal's job to maintain your data model. You need to create a database entry with your users.
For an example of that, look Google's documentation at
http://code.google.com/appengine/docs/python/gettingstarted/usingusers.html
and, more importantly, http://code.google.com/appengine/docs/python/gettingstarted/usingdatastore.html
So you could create, for example, data model of this sort:
class Users(db.Model):
gae_user_object = db.UserProperty()
premium_member = db.BooleanProperty(default=False)
(of course, since you want to track subscriptions, this would be way too limited but you can get the idea).
and make the script called by Paypal trigger a function to change the value of *premium_member*...
Yes, paypal instant payment notification will call your app (you can specify somewhere in Paypal interface what uri, so you can choose what to map it to, preferably using your https appspot subdomain). Your app will need to store what paypal just sent and, before officializing anything, call Paypal servers back with the parameters that were just sent to know if the first was truly made by Paypal and not someone else.
To see a working example of that, check http://blog.awarelabs.com/2008/paypal-ipn-python-code/ and http://groups.google.com/group/google-appengine-python/browse_thread/thread/d76701e774e308be, even if both these example sucks (it will probably work, but don't use them as is in production as you'll notably end up with real bad error management).
Related
(Note: Now, I know a lot of you might jump ahead and be like "Hey. Duplicate." Please read ahead!)
Background:
My goal is to make a Python app for PC that interacts with Spotify using their python API Spotipy. This obviously brings about the need to store the client_secret for purposes of user authentication. Based on my research, storing this as plaintext anywhere is a big no-no. The other solutions involved encrypting that data (but then, where to store that key). The best solution is apparently to have the authentication request handled by the backend in a server (I being a student, obviously have a million servers at my disposal ;) ...) But seriously, to be clear, I do NOT have a server to host this app on. And I do not want to spend money to buy resources from AWS, or others. Also, to clarify, this is not to be a web application. Is it meant to be downloadable, so that a user can install it, login to Spotify, and voila.
Problem:
Basically, without a server, how do I store this key securely? And based on my usage, is there even a need to store the key securely?
Is it meant to be downloadable, so that a user can install it, login to Spotify, and voila. Basically, without a server, how do I store this key securely?
No secret should reside on the user side. Or the user/hacker will be able to find it sooner or later. More about this here How to store a secret API key in an application's binary?
And based on my usage, is there even a need to store the key securely?
If you work without a server, I see 2 options:
(safe but inconvenient) let the user use their own app ID / Secret,
(risky but convenient) decide to publish your app ID / Secret openly. Since everyone can create Spotify apps for free, there isn't really much that's secret about it, apart from the statistics your app will generate. At least, it shouldn't stop your app from working unless someone decided to use their own time and money to reach the rate limits of your app.
Edit: you might be interested by the Implicit Grant Flow that works without any secret. However it's not implemented yet
I am currently learning how to use django. I have a standalone python script that I want to communicate with my django app. However, I have no clue how to go about doing this. My django app has a login function and a database with usernames and passwords. I want my python script to talk to my app and verify the persons user name and password and also get some account info like the person's name. How do I go about doing this? I am very new to web apps and I am not really sure where to begin.
Some Clarifications: My standalone python program is so that the user can access some information about their account. I am not trying to use the script for login functionality. My django app already handles this. I am just trying to find a way to verify that they have said account.
For example: If you have a flashcards web app and you want the user to have a program locally on their computer to access their flashcards, they need to login and download the cards from the web app. So wouldn't the standalone program need to communicate with the app to get login information and access to the cards on that account somehow? That's what I am trying to accomplish.
If I understand you correctly, you're looking to have an external program communicate with your server. To do this, the server needs to expose an API (Application Interface) that communicates with the external program. That interface will receive a message and return a response.
The request will need to have two things:
identifying information for the user - usually a secret key - so that other people can't access the user's data.
a query of some sort indicating what kind of information to return.
The server will get the request, validate the user's secret key, process the query, and return the result.
It's pretty easy to do in Django. Set up a url like /api/cards and a view. Have the view process the request and return the response. Often, these days, these back and forth messages are encoded in JSON - an easy way to encapsulate and send data. Google around with the terms django, api, and json and you'll find a lot of what you need.
This is a bit long so please bear with me.....
I am in the middle of building an android application. I have built the client app, now I am working on the server.
I have decided to use Django for the server. Though I have already decided on the data structures, currently I am stuck with how am I supposed to send different kinds of requests from the server and how the server is supposed to handle them differently.
For example:
A request could be registering a new user and storing his
credentials.
Another request could be when a user likes or dislikes a comment.
..... there could be few more
One way that I can think of is to first have separate "django views" for each kind of requests and then attach a "django url" to it. Now from the client app, a particular kind of request could be made at its specific url, and then once received at the server, "django" will automatically direct it to its view, which will then take the desired actions.
Please let me know if there are any better ways to do it.
Yes, that is exactly how to do it.
You probably want to look into Django REST framework for this.
I am trying to create some Glassware with the Mirror API. I am new to using AppEngine and Jinja2. I have python experience but never with a web framework before. So basically I am very new at this.
I have modified the Python quickstart for the mirror API to include many of my endpoints and designs. Basically I want to be able to be able to POST data from a constrained device to Glass. I have an endpoint all setup which works to accept and parse out the data and send the timeline item.
My problem is that the device itself is acting all on it's own and cannot provide input, therefore when I call my app from it e.g. https://foo.appspot.com?operation=deviceData the app presents the auth page and then nothing happens. I can see in the logs that the auth page is being sent, but the device has no idea what to do with this.
Basically, I need a way where I can hardcode credentials and get around having to do oauth everytime. What is the recommended way to do this? Another app which doesn't require auth which passes the data along? This would be fine as I only need to set this up with one user right now, it is for an internal demo only.
Is it possible to set my credentials in a header and auth automatically without handling any return, more like how basic auth works?
There are also the "Simple API access" keys. Would these work in this situation, I tried creating browser and server keys and tried them on the device and in the browser by doinghttps://foo.appspot.com?operation=deviceData&key=KEY_HERE but in both cases I was still prompted to login. Is this what simple access keys are for? Do they not work with the mirror API?
Basically my question is, what's the easiest way to allow access to my apps endpoints without having to oAuth or having a hard coded user which auto-auths?
Here is the project that I started with: https://github.com/googleglass/mirror-quickstart-python
I have a simple scenario for which I can't find solution. I'd like to use Docs API for my application, but I want to use only one application account to store documents and perform all the API calls. So I don't want to use all this redirect_uri stuff, that needs any kind of user interaction - only my app and it's own Google account.
I've found similar question here: gdata-python-api + Analytics with simple auth but the solution still involves user interaction (yes, probably only once but I still don't like it as most of the interactions with API will be done by some daemon).
I'm using gdata-python-client for interactions with API. I'm not sure if I understand correctly if ServiceAccount authentication might be a solution, but couldn't find any examples of how to perform it via gdata-python-client lib (can somebody share working code?).
To access the documents owned by this single user, you must have an access token for that user. There's not really any way around this. The access token is how Google identifies your project, which user's data you'd like access to, and that you have all of the necessary permissions granted.
It sounds like you've already found the solution: You must go through the OAuth 2.0 dance at some point in time and store the refresh_token for subsequent access. Be aware, though, that refresh_tokens may not last forever. For example, if access is revoked, it will stop working. For this reason, it's wise to expose the ability to execute the OAuth 2.0 dance again from an administrative page in your application.