0

I need to send timeline item to particular subscribed user using Mirror API. I have the user's email id. How can I achive this?

Thanks

Update: I have GDK app, companion app(which runs on Android mobile device) and Mirror API app. Both GDK app and companion paired via Bluetooth. My use case is I have to send timeline item to uesr if he reached particular location. We are using ibeacon to check user's location. When user reached that particular area, companion app detect it(via bluetooth) and send request to mirror app then mirror app will add timeline item to user's glass. Here my question is how to add the timeline item to one particular user?(not to all subscribed users) And what parameter should I pass to mirror app from companion app?(I was thinking to send the user's email id)

Karthi Ponnusamy
  • 2,031
  • 2
  • 25
  • 41

2 Answers2

2

The user will have needed to log into your service using OAuth2 and have granted specific permission for you to access their timeline using the role https://www.googleapis.com/auth/glass.timeline. You should request "offline" access so you will receive both an auth token and a refresh token, which you can use to get a new auth token after an hour.

You will need this auth token when you send a card to the timeline, which also serves as an identifier in this case. Having their email id is not enough, and you don't need it.

See https://developers.google.com/glass/develop/mirror/authorization for some code samples and details.

Update:

So it sounds like you have the following overall work flow:

  1. User creates an account on your website (which is where the Mirror API app is hosted). As part of this, they authorize access to their Glass and either give you their email address or authorize you to get it via Google's API.

  2. You'll store this information (auth_token and refresh_token) in a data store somewhere, indexed against their email address.

  3. They will also install your app on their phone, and it has access to the email address as well.

  4. When the mobile app detects an ibeacon marker it is interested in, it connects to your web service and sends the email address and location.

  5. Your web service looks up the email address, gets the access token to authenticate the connection to the Mirror service, and sends a message to Glass with the location information.

This is a generally reasonable workflow, but there are a couple of important points to make:

  • The Mirror API is well tuned to sending things to just one person at a time. You sound worried about sending bulk results, but as long as you use the auth token for just one user, it will send it to just that user.

  • You're using the email address as an index to the entire user account. While this is simple to implement, this is not the best solution, since it means that anyone who has a person's email address and the URL for the endpoint of your service can fake locations. You may consider this an acceptable risk given how you're using the location information (sending it back to the user), but you need to think about how the service could be misused.

You can mitigate the risk in a couple of potential ways:

  • Instead of an easily guessable email address, you can create and use some other userid which the user will need to enter when they first setup the companion app.

  • The first time (and only the first time) the app wants to connect to the service, it creates and sends a random secret string which it will use as a password and the web service could store this random string. Afterwards, the companion app would need to send this string along with the email address.

  • Depending on your needs, you could cut out the webapp completely and have the companion app use the Mirror API directly. This would leave the auth tokens on the phone and would greatly reduce the potential chance to have someone spoof your user. It does have a significant downside - although you can use it to send cards to Glass, it becomes more difficult to get responses from Glass back to the companion device.

Prisoner
  • 49,922
  • 7
  • 53
  • 105
  • As per your suggestion, I supposed to save the auth token and refresh token in database along with user email id upon login success. So that I can send the timeline item to particular user using email id. Please correct me if I am wrong. Thanks. – Karthi Ponnusamy Jul 08 '14 at 14:55
  • I've clarified my post a little - you don't need, and can't use, the email id at all. The important part is to have them authorize your access to the mirror timeline. – Prisoner Jul 08 '14 at 15:14
  • My prev comment is not meaningful one. I have GDK app,companion app and Mirror API app, my use case is I have to send timeline item to uesr if he reached particular location.We are using ibeacon to check user's location. When user reached that particular area, companion app detect it(via bluetooth) and send request to mirror app then mirror app will send timeline item to user's glass. Here my question is how to add the timeline item to one particular user?(not to all subscribed users) And what parameter should I pass to mirror app from companion app?(I was thinking to send the user's email id) – Karthi Ponnusamy Jul 09 '14 at 06:06
  • Can you update the original question to clarify the exact process flow for the data? In particular, are there really two apps (a GDK app on the device and a separate web service which is Mirror based) or do you have a GDK app which you intend to use to make Mirror API calls? – Prisoner Jul 09 '14 at 18:33
  • answer updated to reflect your workflow and a potential pitfall – Prisoner Jul 10 '14 at 10:44
2

As I understand your question and comments above, your user has already authenticated with your Mirror API based application, so you already have the required credentials (auth/refresh tokens). Your companion Android application detects a condition (user in a particular area) and sends a request to your remote endpoint in your Mirror API based application.

The companion app, when sending the request to the remote endpoint, needs to send a common piece of information that can be used to identify that user in your Mirror API app. In this case, you're saying you're sending the users email id.

To send a timeline card to only that particular user, I would take the email id that the companion application has sent, query your database to return the credentials that you saved when the user authenticated originally with your Mirror API based app and then use that to create an authenticated Mirror API request that inserts the timeline item for only that user. I don't know what your Mirror API app is written in, but a basic example in Python might take the following form:

# You sent along the email address
userid = notification['MyCompEmailId']

# set timeline card body
timelinecard_body = {
    'notification': {'level': 'DEFAULT'},
    'text': "You found a beacon!",
    'menuItems': [{'action': 'DELETE'}]
}

# Look up the user in our database and
# get their credentials
#
# _credentials_for_user() basically does a "WHERE userid = 'something'" query
user_credentials = _credentials_for_user(userid).get()

# Create a Mirror API service with some credentials.
authed_mirror_service = build('mirror', 'v1', http=user_credentials.authorize(httplib2.Http()))

# Send a timeline card
authed_mirror_service.timeline().insert(body=timelinecard_body).execute()
Justin R.
  • 360
  • 1
  • 5
  • Your understanding is exactly correct. I wanted to confirm that my flow is correct or not? or is there any other easy way to implement it?. Thanks. – Karthi Ponnusamy Jul 10 '14 at 09:37
  • There isn't anything wrong with the flow, but as noted by Prisoner's updated answer above, there are some pitfalls you have to take into account from both a security and performance perspective. – Justin R. Jul 10 '14 at 16:26