v4 API: OAuth #74
v4 API: OAuth #74
Conversation
n7studios
requested review from
a team,
noelherrick and
corydhmiller
and removed request for
a team
src/ConvertKit_API.php
Outdated
| @@ -1316,9 +1315,6 @@ public function delete_custom_field(int $id) | |||
| */ | |||
| public function list_purchases(array $options) | |||
There was a problem hiding this comment.
I don't think we have any parameters on this API call, so I don't know if we still want to keep this options parameter.
There was a problem hiding this comment.
This is presently unchanged, as I didn't want to submit a large, unreadable PR with all changes for v4 compatibility. I'll make sure this is addressed when submitting the v4 PR for purchases.
|
@mercedesb I would love to get your eyes on this implementation of the V4 API |
There was a problem hiding this comment.
I'm not sure I caught everything but there are some breaking changes from V3 to V4 that need to be addressed. We have breaking changes documentation. And I'll get the couple items I noticed missing added to it too.
src/ConvertKit_API.php
Outdated
| @@ -424,8 +539,7 @@ public function create_tag(string $tag) | |||
| return $this->post( | |||
| 'tags', | |||
| [ | |||
| 'api_key' => $this->api_key, | |||
| 'tag' => ['name' => $tag], | |||
| 'tag' => ['name' => $tag], | |||
There was a problem hiding this comment.
The request shape has changed in v4. The root tag attribute is no longer supported.
src/ConvertKit_API.php
Outdated
| 'api_key' => $this->api_key, | ||
| 'tag' => $apiTags, | ||
| ] | ||
| ['tag' => $apiTags] |
There was a problem hiding this comment.
Creating multiple tags is now under the bulk namespace.
src/ConvertKit_API.php
Outdated
| 'api_secret' => $this->api_secret, | ||
| 'email' => $email, | ||
| ]; | ||
| $options = ['email' => $email]; |
There was a problem hiding this comment.
The param has changed in v4 from email to email_address.
src/ConvertKit_API.php
Outdated
| 'api_secret' => $this->api_secret, | ||
| ] | ||
| ); | ||
| return $this->delete(sprintf('subscribers/%s/tags/%s', $subscriber_id, $tag_id)); |
There was a problem hiding this comment.
I believe this path should actually be sprintf('tags/%s/subscribers/%s', $tag_id, $subscriber_id). Ref
src/ConvertKit_API.php
Outdated
| 'api_secret' => $this->api_secret, | ||
| 'email' => $email, | ||
| ] | ||
| ['email' => $email] |
There was a problem hiding this comment.
V4 doesn't currently support unsubscribing by email address.
src/ConvertKit_API.php
Outdated
| 'api_secret' => $this->api_secret, | ||
| ] | ||
| ); | ||
| return $this->delete(sprintf('automations/hooks/%s', $rule_id)); |
There was a problem hiding this comment.
Webhooks routes have changed from automations/hooks to webhooks in v4
Thanks for the review. Scope of this PR is to support v4 OAuth:
Comments noted for said future PR's. |
Thanks for the review @mercedesb. The scope of this PR is to support v4 OAuth, for ease of review:
If you and @noelherrick prefer, happy to combine all work into a single PR, though. Let me know! |
|
@n7studios this PR is pretty thick as is, so I understand your hesitancy, but Mercedes suggested about 5 one-liners, so I don't think it would bloat it too much. I would hate for those suggestions to get lost, but that being said, I'm fine with not addressing them here as long as we account for all of those. What is your plan for merging? It looks like this is the main PR that all the other PRs will merge into. |
|
@mercedesb What did you think of the OAuth part specifically? Any comments around that since that's the heart of this PR? Also, this will supplant any usage of the V3 API - will we freeze the V3 API upon the release of V4? Or should there be a plan around releasing updates for consumers still on V3? |
Sorry @n7studios, I missed that bit and jumped the gun. I have no preferences on how you manage the work needed to support V4, feel free to break apart PRs however makes sense to you.
The OAuth bits LGTM
We are not planning to make any more updates to V3, unless we find major security issues. So there should probably be a plan for releasing updates to V3 as a "just in case" though the likelihood is slim. We plan to eventually sunset V3. But I expect that to take months since we have so many people using it. V4 will eventually support API Keys to make that process easier for creators who are not planning on creating apps and just want to use the API for their own personal uses. |
Let's address those in separate PR's (as some are likely to be more than one liners e.g. needing to support cursor based pagination),. I'll add a comment to each linking to the separate PR, so they're tracked.
Correct - other v4 PR's will merge in to this one, which will then form our |
Thanks for reviewing - happy to assign you to other PRs if you'd like to review, as appreciate your input here.
Will API Key + Secret authentication work in the same way as it does in the v3 API? Appreciate this isn't supported right now, but want to make sure this SDK is designed to accommodate both methods (API, OAuth) in the future. |
Not the exact same way, but close. We want to adhere to RFC6750. So we'll be using the Authorization header. And there won't be a secret. I'm hoping to add support for creating multiple API keys (rather than just one) so that when we get to the point of supporting scopes (for OAuth too), then we can limit specific OAuth apps and API Keys on read/write permissions for specific resources so creators can have more fine-grained control. We won't be migrating V3 keys b/c we don't want to break existing landing page embeds and some other functionality so all V4 keys will be new. |
# Conflicts: # tests/ConvertKitAPITest.php
v4 API: Webhooks
…e-subscriber-tests
v4 API: Improve Subscriber Tests
This allows specific headers to be defined depending on the request i.e. an API request or fetching HTML.
v4 API: Forms and Landing Pages: Pagination and Total Count
v4 API: Get HTML Resources
v4 API: Docs
v4 API: Use Trait for Methods
Summary
Implements the v4 API's OAuth implementation, removing API Key and Secret authentication.
Tidies up the
make_requestmethod, as 4xx and 5xx errors would always throw aClientExceptionorServerException.Tidies up the logging by removing repetitive log entries for helper methods
get,post,put,delete.Further PR's to follow to add, update and remove methods to provide full compatibility with the v4 API.
Testing
Tests outside of the scope of this PR are marked as
incompleteusing$this->markTestIncomplete(). As further PR's add compatibility to each section of the v4 API, these tests will be updated and the flag removed.Added:
testGetOAuthURL: Test that the newget_oauth_urlmethod returns the correct URl to begin the OAuth process.testGetAccessToken: Test that the newget_access_tokenmethod returns the expected data.testGetAccessTokenWithInvalidAuthCode: Test that the newget_access_tokenreturns aClientExceptionwhen an invalid authorization code is specified.testRefreshToken: Test that the newrefresh_tokenmethod returns the expected data.testRefreshTokenWithInvalidToken: Test that the newrefresh_tokenreturns aServerExceptionwhen an invalid refresh token is specified.Updated:
testInvalidAPICredentials: Test that aClientExceptionis thrown when an invalid Client ID, Secret and Access Token is specified.testGetAccount: Updated assertions to match the new shape of theaccountendpoint dataRemoved:
testDebugAPIKeyAndSecretAreMasked: Credentials (such as Client ID, Secret, Access Token) are not logged. The Access Token is included in the header of any authenticated requests, and therefore again is not logged. Masking of the redundant API Key and Secret are no longer required.Checklist