Build my API Platform with DF

security
authorization
authentication
release
rest

#1

Hello All,

I’m new to DreamFactory, and want to know if DF can be used to build a Platform for my work.

This is the scenario for you to better understand what I intend:

  1. Have a website (our services) with 3 types of users:
  • Admins: me/company - manage the API, manage services we serve, etc;
  • Developers: 3rd party developers who want to use our service (through our API) in their apps, can create “Keys” to use in their apps, one per app, manage other stuff in our website;
  • Users: registered users who use our services, see stats, and services subscribed;
  2. The website (service) is built using the API created by us;
    It isn’t the API management, it is a frontend website for our users. Our intention is to have a domain for the API and another for the website service;

  3. “Developers” users have a ‘Key’ to make requests to our API in their apps. They can request authorization from registered Users to access their information (some fields of user, something like FB Login/Connect);
    Is it possible to do this with OAuth in DF?

  4. “Developers” need to have access to the API Docs, only endpoints for them, not all;
    Is it possible to define which API they have access to?

  5. Security:

  • JWT and OAuth2
    How can I manage OAuth2 for 3rd Party “Developers”?
    Is the session/token managed by DF, or does it need some development by us?
    Is it possible to have JWT for user login in the website (requests to the API)?
  6. Change the API endpoint; DF has something like this:
    /api/v2/mysql/_table/payments
    and I want something like that:
    /api/v2/payments/
    Is it possible?

  7. Our API needs to connect to 3rd party partners (example: PayPal, Paysera, Amazon S3, others); libs to do the connection already exist and can be integrated with composer.
    Can they be integrated with DF?

  8. Type of content in the requests to the API:

  • File Upload: PDF, Images
  • Text, Number, Datetime (with validation)
    Is it possible to send a file to the API, then process the file/image and send it to Amazon S3?
    Is it possible to validate the sent fields, to have “rules” or “validators”?
  9. Have 2 tables for users, the ‘User’ table (basic information, like: email, password, username, and few more) and another ‘UserDetails’ table where one can find more about the user (country, birthdate, address, etc); they are connected Master-Slave (1:1).
    Can I have an API endpoint to get all fields from the two tables?
    Can I have an endpoint like this:
    GET /api/v2/users/1 (get some fields from table ‘User’)
    GET /api/v2/users/1/details (get fields from table ‘UserDetails’)
    Is it possible?

  10. When returning records from the DB, can I manage who has access to the records?
    Like: the “Developers” have an app; from a list of 10 Users, only 3 Users have authorized it, so when the ‘Developer’ wants to know their users only 3 records are returned. Is that possible?

It is a lot of questions, but this way you can have a big picture of our needs, and I get a better view of what DF does and whether it fits what we want.

Best Regards,
LB


#2

@LB

I’ll take a stab at a few of these.

3: The app has an API key with a set of default privileges (which could be none). When a user logs in, the app/user combination gets a set of privileges. User names can be used to emulate row-level security.

4: I think it’s reasonable to publish the auto-generated docs for each endpoint separately once the schema is stabilized. This will also improve performance. In other words, each endpoint’s docs could be saved to a static html page somewhere on your website.

5: I haven’t had to touch sessions and tokens, but I’m using AD not OAuth, so there might be a difference.

6: Use a proxy or mod-rewrite; I haven’t seen a way to change endpoints. This dovetails with your other question about not needing an API key. If you’re using mod-rewrite or a proxy, I’d go with a structure like api.example.com/payments since you won’t be tied to DF’s url structure at all.

7: I haven’t tried doing these integrations; they might require some custom code to translate the API calls.

8: DF allows you to write custom code in PHP, Python, or JS, so I don’t foresee an issue here. http://wiki.dreamfactory.com/DreamFactory/Tutorials/Server_Side_Scripting

9: DF allows you to use Relationships which do what you want. http://wiki.dreamfactory.com/DreamFactory/Features/Database/Related_Data

10: This seems possible depending on the complexity of the request. If you’re open to server side scripting, you should be able to also specify a lookup table with “who can see what”. How to implement data access based on a table with user’s permissions

HTH!
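One way to implement the “who can see what” lookup table from point 10 (and the row-level restriction mentioned under point 3), as an added example that is not from the thread and not DreamFactory’s own code: a grants table maps each developer app key to the user ids that authorized it, and a request for the user list is narrowed to those ids before it reaches the database. The grants table, the sample users and the `id IN (...)` filter form are assumptions for this illustration.

```javascript
// Constructed sample data: the "who can see what" lookup table.
// Each row grants one developer app (identified by its API key) access to one user id.
const APP_USER_GRANTS = [
  { appKey: "app-key-A", userId: 1 },
  { appKey: "app-key-A", userId: 4 },
  { appKey: "app-key-A", userId: 7 },
  { appKey: "app-key-B", userId: 2 },
];

// Constructed sample user records (10 users, as in the question).
const USERS = Array.from({ length: 10 }, (_, i) => ({ id: i + 1, username: `user${i + 1}` }));

// Set of user ids that authorized this app. An unknown key yields an empty set,
// so an app with no grants sees nothing rather than everything (fail closed).
function grantedUserIds(appKey, grants) {
  return new Set(grants.filter((g) => g.appKey === appKey).map((g) => g.userId));
}

// Build a filter string to append to the list request (e.g. a "filter" parameter)
// so the database itself only returns granted rows. Returns null when nothing is
// granted, so the caller answers with an empty list without querying at all.
// Only integer ids are spliced in; no untrusted text ever reaches the filter.
function buildFilter(appKey, grants) {
  const ids = [...grantedUserIds(appKey, grants)].filter(Number.isInteger);
  if (ids.length === 0) return null;
  return `id IN (${ids.join(",")})`; // assumed filter syntax for this illustration
}

// Same rule applied in memory: what the list endpoint returns for this app.
function authorizedRecords(appKey, grants, users) {
  const allowed = grantedUserIds(appKey, grants);
  return users.filter((u) => allowed.has(u.id));
}

// Single-record lookup (GET /users/{id}): deny unless this exact id was granted,
// so an app cannot enumerate users it was never authorized for.
function authorizedRecord(appKey, grants, users, id) {
  const allowed = grantedUserIds(appKey, grants);
  if (!allowed.has(id)) return null; // caller maps this to a 403/404 response
  return users.find((u) => u.id === id) || null;
}
```

The same checks fit naturally into a DreamFactory server-side script on the users endpoint, with the grants read from a real table instead of the constructed array.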