Xero public applications authenticate with Xero’s API using three-legged OAuth 1.0A. This is an authentication process where the user explicitly logs into Xero to authorize access by the application (the consumer). This authorization lasts 30 minutes, until the access token expires.
Creating an API client in node.js is straightforward and only requires the standard oauth package. The diagram below summarizes the process:
To start, register a public application with the Xero API to obtain a Xero consumer token and secret. These are the app’s credentials that are used to obtain a Request Token.
Create an endpoint in your application where the user initiates the authentication request.
e.g. create a Connect to Xero button that GETs this endpoint. It’s essential that the user initiates the request; the three-legged protocol depends on a web view and redirection of the user’s requests.
Set up the oauth module to make a synchronous (blocking) request to Xero to get a Request Token for your app, then redirect the user to Xero’s authorize page with that token as a parameter.
Create an endpoint where Xero will call back to your application with the request token and a verifier.
When the user logs into Xero and authorizes your app, Xero will redirect the user to this endpoint with the request token and verifier as parameters.
Set up the oauth module to make a synchronous (blocking) request to Xero to exchange the Request Token for an Access Token. If successful, this endpoint redirects the user to the next page in your app, and you can then initiate any asynchronous or other work with the API. All future requests to the API use the oauth module and the access token.
It’s essential to persist the tokens across multiple requests. A session object is the simplest place to store this data.
A detailed diagram of this whole process is in the oauth bible.
I’ve posted an example application on github that demonstrates the process and configuration of the oauth module.
Configuration of the endpoints: The endpoint URLs are arbitrary, but the callback URL here needs to match the one passed to Xero as one of the OAuth request parameters (see below). Also, the domain of the callback URL must match the callback domain specified in Xero’s app configuration. For testing a public application, you’ll have to set the callback domain in Xero so it matches your testing URL.
Set up the OAuth module so it works with Xero’s API: The constants here are those provided by Xero to access the API. HMAC-SHA1 is used for signing the requests. In this gist we set ‘oauth._authorize_callback’ to the URL we need Xero to redirect to (with the request token as a parameter). This points to the application’s other endpoint. It must also match the callback domain specified above.
Finally, for the authentication operations: When the user accesses the authenticate endpoint, we use the oauth module to get a Request Token, then redirect the user to Xero’s authorize page. That’s where they’ll login to Xero and authorize the app.
Xero will redirect them to the callback: When the user is redirected to the callback, we use the oauth module to get the Access Token (exchange the request token for access), then direct the user to our success/next page.
Once we have and store the access token, we access the API using oauth.get() etc.
Download the full source on github.
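As an added example (not the gist from the post, nor Xero’s or the oauth package’s own code), here are the two endpoints described above written as framework-independent functions over a session object. `client` is anything with the callback signatures of the npm oauth package (`getOAuthRequestToken`, `getOAuthAccessToken`, `get`); `makeXeroClient` builds the real one from that package’s `OAuth` constructor, and `makeFakeClient` is a constructed stand-in so the flow runs offline. The Xero endpoint URLs, the route paths and all token values are assumptions.

```javascript
// Added example: three-legged OAuth 1.0A flow for Xero as plain functions.
// Assumed Xero OAuth 1.0a endpoint URLs; confirm against Xero's documentation.
const XERO_REQUEST_TOKEN_URL = 'https://api.xero.com/oauth/RequestToken';
const XERO_ACCESS_TOKEN_URL = 'https://api.xero.com/oauth/AccessToken';
const XERO_AUTHORIZE_URL = 'https://api.xero.com/oauth/Authorize';
const ACCESS_TOKEN_LIFETIME_MS = 30 * 60 * 1000; // access token expires after 30 minutes

// Real client: `OAuth` is the constructor from require('oauth').OAuth.
// callbackUrl must be the absolute URL of the callback endpoint, and its
// domain must match the callback domain registered for the app in Xero.
function makeXeroClient(OAuth, consumerKey, consumerSecret, callbackUrl) {
  return new OAuth(XERO_REQUEST_TOKEN_URL, XERO_ACCESS_TOKEN_URL,
    consumerKey, consumerSecret, '1.0A', callbackUrl, 'HMAC-SHA1');
}

// Constructed stand-in with the same callback shapes as the oauth package.
function makeFakeClient() {
  return {
    getOAuthRequestToken(cb) { cb(null, 'req-token-1', 'req-secret-1', {}); },
    getOAuthAccessToken(token, secret, verifier, cb) {
      if (token !== 'req-token-1' || secret !== 'req-secret-1' || verifier !== 'verifier-1') {
        return cb({ statusCode: 401, data: 'unknown request token or verifier' });
      }
      cb(null, 'access-token-1', 'access-secret-1', {});
    },
    get(url, token, secret, cb) {
      if (token !== 'access-token-1' || secret !== 'access-secret-1') {
        return cb({ statusCode: 401, data: 'bad access token' });
      }
      cb(null, '{"Organisations":[]}', { statusCode: 200 });
    },
  };
}

// Endpoint 1 (e.g. GET /xero/connect): fetch a Request Token, keep it in the
// session, and send the user to Xero's authorize page with it.
function connect(client, session) {
  return new Promise((resolve, reject) => {
    client.getOAuthRequestToken((err, token, secret) => {
      if (err) return reject(new Error('request token failed: ' + JSON.stringify(err)));
      session.xero = { requestToken: token, requestSecret: secret };
      resolve({ redirect: XERO_AUTHORIZE_URL + '?oauth_token=' + encodeURIComponent(token) });
    });
  });
}

// Endpoint 2 (GET /xero/callback?oauth_token=...&oauth_verifier=...): exchange
// the pending request token for an Access Token and store it with its expiry.
function callback(client, session, query, now = Date.now()) {
  return new Promise((resolve, reject) => {
    const pending = session.xero;
    if (!pending || !pending.requestToken) {
      return reject(new Error('no pending request token in this session'));
    }
    // The token Xero hands back must be the one this session asked for;
    // otherwise the callback belongs to a different login attempt.
    if (query.oauth_token !== pending.requestToken) {
      return reject(new Error('oauth_token does not match the pending request token'));
    }
    if (!query.oauth_verifier) return reject(new Error('missing oauth_verifier'));
    client.getOAuthAccessToken(pending.requestToken, pending.requestSecret, query.oauth_verifier,
      (err, accessToken, accessSecret) => {
        if (err) return reject(new Error('access token failed: ' + JSON.stringify(err)));
        // Replace the request token entirely; it is single-use once exchanged.
        session.xero = { accessToken, accessSecret, expiresAt: now + ACCESS_TOKEN_LIFETIME_MS };
        resolve({ redirect: '/xero/success' });
      });
  });
}

// Is there an unexpired access token in the session?
function hasValidAccess(session, now = Date.now()) {
  const s = session.xero;
  return Boolean(s && s.accessToken && s.expiresAt > now);
}

// Any later API call: refuse without a valid token, otherwise use oauth.get().
function apiGet(client, session, url, now = Date.now()) {
  return new Promise((resolve, reject) => {
    if (!hasValidAccess(session, now)) {
      return reject(new Error('no valid access token: expired or not yet authorized'));
    }
    client.get(url, session.xero.accessToken, session.xero.accessSecret,
      (err, data) => (err ? reject(new Error('API call failed: ' + JSON.stringify(err))) : resolve(data)));
  });
}

// Stand-alone walk-through with the fake client.
const demoClient = makeFakeClient();
const demoSession = {};
connect(demoClient, demoSession)
  .then((r) => { console.log('redirect to', r.redirect);
    return callback(demoClient, demoSession, { oauth_token: 'req-token-1', oauth_verifier: 'verifier-1' }); })
  .then((r) => { console.log('redirect to', r.redirect);
    return apiGet(demoClient, demoSession, 'https://api.xero.com/api.xro/2.0/Organisation'); })
  .then((data) => console.log('API response:', data));
```

In a real app the two functions are wired to routes, the `session` argument is the per-user session object, and the `redirect` result becomes an HTTP redirect; the token-match check and the expiry check are what keep a stale or foreign callback from being exchanged into this user’s session.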
These are my rough notes on the Day Three pitches at the Launch Festival 2015.
Opinions are my own, ill-informed and probably ignorant.
Peer to peer transactions via mobile devices, demonstrated using USD. Their innovation is “crowdsourced(?)” tellers that process the deposits/withdrawals from/to cash. Anyone can register as a teller and perform the to/from cash transaction in the local denomination. This could work well. Security for tellers is obviously a concern, but they explained that most tellers are people that have to deal with cash transactions (eg. a 7-eleven is a good fit).
Patent analysis and analytics, analytics supporting patent strategy, analytics on the patent lawyers and judges I think it’s great, but it’s targeted towards lawyers. Would be interesting if it was free and open, or very cheap so every startup had this in their arsenal.
48 hour hackathon finalists
These were all surprisingly good.
Money transfer via iWatch. using pattern to establish identity/authenticity
Demonstrated provision of an iOS development environment very quickly. High school team.
Gamification of action sports via motion tracking sensors and video. Great concept, lots of work to go.
The Interview Club
Real time video interview with real time coding via an expert. Get an expert to interview and test programming candidates.
Job simulation for pre-employment interview processes. Used Google web to speech API to demonstrate their effectiveness handling a call and metrics from the test. Good product.
PreHire and Abra were popular with the judges.
A pre-printed paper note book that allows very fast scanning via mobile (because of the layout of indicators on the page). The real innovation was that the book can be erased by microwaving it, allowing reuse up to ~20 times. I like this, as my main reason for not using similar easy-to-scan books is they’re too expensive.
Best Design Winner
They’ve designed a new glucose monitor (fashion focused) and accompanying app. The meter is bluetooth and syncs with the app. Users can manually enter too. The app helps understand patterns between readings and food/drink consumption. Some social components mixed in… It’s a pretty good app, agnostic of the BSL source.
Fast way to buy lotto tickets on phone, and schedule auto payments. Simple interface. Load the app via credit card and can cash out (somehow?). Can set up pools quickly. Not sure how they don’t break the terms of service for Lotto?
HandUp This was an alumni update that won best social impact last year.
Demo pit - 1 min pitches
Demo Pit Winner
Cool, going back to the 90’s Visual Basic in emails, this actually allows interactive widgets in email in a (presumably) secure way and presumably only email.
The email author must use a plugin to compose while in Gmail. It then embeds email-friendly HTML (for Gmail).
Grow, water, dose and harvest plants automatically. The $1000 unit suits plants that are worth growing yourself.
Gets a dermatologist to check photo taken on app. I recall a similar app was banned recently that claimed to do diagnosis automatically. This one sends photos out to real experts on-demand.
Sleep monitor using a mask over eyes. Much better accuracy than a band.
3D property visualisation. I stopped taking notes.
MixMax, OneDrop very popular with the judges. Autolotto interesting if it’s legal.
See also Launch Festival Day One
These are my rough notes on the Day Two pitches at the Launch Festival 2015.
Unfortunately I missed the final batch of pitches so this list is incomplete today.
Opinions are my own, ill-informed and probably ignorant.
Modular sofa furniture custom (configured) design, delivered in 24 hours in LA. Built to order using a line of 7 people with a capacity of ~10 per week (but scalable). It’s cool, pretty high risk and probably way ahead of the curve. I probably wouldn’t use it myself today unless the sofa’s were amazing, but it’s good that they’re learning how to design processes and retail for made-to-order furniture.
Real-time recommendations from local experts for restaurants. (and other categories?) They say search is like a conversation and demo’d finding some suggestions and booking within messaging. Messaging is the future of search, they say, as People are better than Algorithms. Like Yahoo once thought? Very well delivered pitch.
Annotation of websites, collaborative / social. In Safari, it’s integrated into the share panel in iOS which is great. i.e. highlight some text on any webpage in Safari and add it to your highlights list. Looks very, very polished and great design. I’d use it (but not pay for it).
Social media metrics across all networks targeting high social-worth individuals. Intelligent curation of posts based on most successful content. Facilitates cross-communication with other social leaders. Facilitates communication with brands to monetize social network.
Social Impact Award
“Crowdsourced fact checking of news articles.” Website annotation (fisking). Tagging of comments. Analytics of the tagging on the article. Conversation within structured data. How does it work with publishers (needs to feed their engagement, not take it)?
Captiv8, BenchMade, Fiskkit were popular with judges
Best B2B Winner
Market intelligence and decision engine for commercial real estate. Like Zillow for commercial property with analytics. They have analysed every commercial property across the US. Impressive product, must be 2.0 (1.5M seed).
Organize tonight. Friends indicate availability for tonight. Agree location / plans (exactly like the Tonight app in Sydney). Share photos, find each other. Tracks your location and photos across the night so you can see them in context the day after - this is pretty novel.
Aggregate content of where friends go. Share/aggregate places to go. Sponsored lists / follow others’ lists. Find places to go from your friends/experts.
Makes it simpler to start a video cast, have a Q&A (with timestamped videos) and run polls during the event. You can also find virtual “conferences” / search. Uses Google Hangouts embedded in their page. Very good use of Google Hangouts actually. There’s definitely a business model and strong use case here (unless Google wraps Hangouts with free conferencing/collaboration tools).
Crowdcast and REscour were popular with the judges. Both seem very strong.
I missed the presentations for the other pitches. These were: Minbox, Glimpse, Nova, Whever and Givme
See next Launch Festival Day Three
These are my rough notes on the Day One pitches at the Launch Festival 2015.
Unbounce, an online business that provides landing pages for A/B testing, has published their Year in Review on their public blog. It’s a spectacular example of company transparency, more than I’ve ever seen. Probably more than I’d be comfortable with myself to be honest.
It’s an interesting read and example of transparency: Unbounce Year in Review 2014
I usually just tweet or favourite interesting posts I see. Today was a good day though:
It’s time to get this site going again.
I felt inspired to write something today, but I can’t justify the time to takes to articulate original thought. Instead here’s a copy of a few notes I keep stuck on the wall above my desk.
Many new accelerators and incubators for tech startups are popping up in Australia at the moment. I’m not sure if I’ve just noticed more of them because of the media coverage and my interest, or if there’s really a groundswell. I asked around to get some opinions on what’s going on here.
Git is a version control system that most software developers would have heard of. It’s the tool of choice for the team behind the Linux kernel and comes with the associated prestige and sets a high floor for the technical competence of its users.
I start the 3rd trimester of my MBA studies this week. Corporate Finance. This is an area I already find interesting and have been anticipating. I’ve read a lot of ad hoc information on the topic, practiced a bit and even completed a few basic courses, but I hope this brings about new ways of looking at problems. The first good sign that I’ll enjoy it is that much of the recommended “viewing” were movies I love:
I recently ran a project on freelancer.com as an outsourcing experiment.
Today I attended a webinar by ThoughtWorks on Continuous Delivery. This is a practice of trying to minimize the duration between an idea and its release into a production system, without being reckless. The benefits are consistent with lean practices and customer development in that they get real feedback as quickly as possible to minimize waste.
I was recently introduced to Mockito by our new Java developers. Mocking frameworks are used to isolate unit tests to only exercise the code under test. Anything outside is replaced with a mock object that returns an expected result where needed. It’s a simple form of test isolation that’s more productive than stubbing out code. Any testing that needs to cross a boundary is a software integration test (quite distinct from the real world integration tests that engineers know and love).
I was walking through my local shops recently, took a different path and stumbled upon this cafe. In a moment I knew they made good coffee.
I recently attended a one day course by MBE Education on Capital Raising and Exit Strategies. It followed the standard pattern: the course was cheap, provides enough information to inspire attendees, but not enough specific information for them to really do anything. At the end of the day, they offer the one-time opportunity to take the real course at an expensive price. This time the real course was $6,000 per month for 3 months. Wow.
At the moment Mailchimp doesn’t include a way to delete a large segment of subscribers in a list. You can delete an entire list, unsubscribe a list of emails or delete subscribers one page at a time. Deleting an entire list that contains history is usually a bad idea and unsubscribing may affect how you add the subscribers to the same list later. Deleting subscribers is okay, but it’s limited to 100 subscribers at a time.