Versions Compared

Old Version 3

changes.mady.by.user Lite Farm

Saved on

compared with

New Version Current

changes.mady.by.user Lite Farm

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

Work in progress Feb 17 2023

Use case

For many reasons, farm data can be sensitive. Part of our commitment to our users is that their data should default to private unless they explicitly share it. One use case where this is particularly important, is when the users answers additional survey questions for their certifying body via the SurveyStack iFrame via the certification export flow. The expectation of the farmer in this case is that data is only shared with:

...

https://app.surveystack.io/api/submissions?survey={survey_id}&match={"_id":{"$oid":"{submission_id}"}}

Example:

Code Block
breakoutModewide
https://app.surveystack.io/api/submissions?survey=60f615459a6b1c00012ee41e&match={"_id":{"$oid":"63ee860f3f453c000128a2c9"}}

Background

gbathree  1:48 PM
Hey guys, Kevin from LiteFarm is querying surveys they are using from their DB - he had a question about authentication (the surveys contain some private data)

Kevin Cussen  1:49 PM
Howdy!

1:52

I was hoping to get some help with one of our use cases

1:52

LiteFarm is making a callout to https://app.surveystack.io/api/submissions/...

1:53

We'd built the integration assuming surveys would be public and now we're seeing folks making private ones

1:54

So Greg suggested rather than passing in a token (which would take time for us to build) you might be able to just whitelist or server or some such

1:54

Does that make sense?

December 5th, 2022

Manuel Härdi  12:47 AM
Hi Kevin,"We'd built the integration assuming surveys would be public and now we're seeing folks making private ones"by saying "folks making private ones", you mean that your callout to https://app.surveystack.io/api/submissions/ does not return all survey data but only those parts not being defined as PRIVATE in the survey definition in surveystack?

gbathree  5:37 AM
Yes that's what he's talking about

5:38

Their server needs a token (at least that's one way to solve the problem)

Kevin Cussen  8:59 AM
Correct @Manuel Härdi

8:59

So if you point us to documentation on access and refresh tokens, we can do thatt

9:00

Or if there's something else you are able to do that wouldn't require engineering time, I'm all ears too

gbathree  9:00 AM
(or @will if you seeing this)

Manuel Härdi  2:07 PM
Most common solution would be to just add the auth header when calling surveystack. Thats a userid and a token (i'll supply docs). Depending on the use case, the auth credentials you use are system wide and fixed, or defined per user in its profile settings (edited) 

Kevin Cussen  2:08 PM
For our case, it would be per certifier

2:08

So I assume we'd just need to hold an extra column in our certifier table for access / refresh tokens

2:09

image.png 

Manuel Härdi  2:11 PM
Makes sens, though you wont need a refresh token (our auth mechanism is more like in Slack, as opposed to OAUTH

Kevin Cussen  2:13 PM
OK

Manuel Härdi  2:13 PM
Often thats called API KEY

2:13

You could certainly use that new col for other integrations

Kevin Cussen  2:14 PM
Do you have doc on that / those endpoint(s)?

Manuel Härdi  2:14 PM
Yep, i'll provide it later as i'm on the road.

Manuel Härdi  2:16 PM
Btw only alternative to auth i can think of: prevent surveys from having private data - but i guess you can't influence that?

...

2 repliesLast reply 2 months agoView thread

December 6th, 2022

Manuel Härdi  6:14 AM
How to define the request header:Requst url example: GET http://app.surveystack.io/api/submissions?survey=60d20b292f38fe0001916497
header key: Authorization
header value format: email token
header value example: test@test.com 6575c307-de99-4df9-876a-c78571ee86c7There's no place in the UI yet where that token could be copied by users, we could add that if required@will feel free to comment / correct (edited) 

December 9th, 2022

Kevin Cussen  4:57 PM
Could we meet early next week? I'd like to better understand how we could retrieve the token.

4:58

The use case is this: We want the survey itself to be available to view and input data into without any credentials. Once a user submits a survey, that data should then be hidden.

4:59

We would like to be able to use the token of the survey creator (not the users that fill out the survey) to log-in and get the data.

December 10th, 2022

gbathree  10:32 AM
The user need to submit to your organization, in which case your orgs admins can see the results.  So you just need a token for an admin of your group.1

...

10:33

We are reevaluating the group permissioning structure so I do understand there's some improvement there on our part

10:33

So for example a token for your user would work

December 12th, 2022

...

Work to be done

Two pieces of work here:

  1. A decision: decide which solution (of those outlined in https://lite-farm.atlassian.net/wiki/spaces/LITEFARM/pages/1271889935/Allow+LiteFarm+to+access+private+SurveyStack+data#Solutions or proposed as an alternative) to move forward with

  2. To augment the current communication between LiteFarm and SurveyStack to provide authenticated movement of data. This may potentially include augmenting the schema as well.