The Indiehackers podcast #152 Picking the Right Market to Get Started In with Justin Jackson and Tyler Tringas lays out this relationship quadrant between a product and the audience, which I think is a very important when thinking about a software business.
Strapi is an Open Source headless CMS based on NodeJS. It provides the backend admin tools to quickly create an API – both REST and GraphQL. I picked this up for a quick project in place of my regular Python frameworks like Flask or Django, because I can have an API up and running without writing a single line of code.
This is a mini series which outlines:
There is already wealth of blog posts on using Strapi for creating a variety of websites and apps. But most of them tend to focus on capabilities of vanilla Strapi. I want to focus on a couple of customisations that I made when using it to build a web application.
Our example API is for an expense management system. Users can do the following things via the API:
Note: I am not going to get into building frontend in this series, we will just focus on Strapi and the API
The Strapi Documentation is probably the best source for this based on your method of choice. You can install it on local machine, just pull a docker container or use a cloud provider like Digital Ocean or Platform.sh.
I will refrain from posting the instructions here to avoid duplication.
Once you have created a new project, start the application in development mode.
yarn develop
Side note: This is very important, I once started it using the yarn start command and spent a solid 5 minutes searching why all the edit functionalities have disappeared.
You will be greeted with a admin registration screen like this one.
Fill in the information and create the admin account. This should log you in and show the Admin Homepage
Strapi employs the well known MVC (Model-View-Controller) pattern. So, the first step is to define the Models for the API. Models are called as “Content-Type” in Strapi due to the CMS nature of the application. Click the “Create Your First Content-Type” button on the home page to create our first model – Category.
Click Continue, now we can add the fields for the model.
The category model is going to have two fields:
Since both of them are strings, let’s click Text and create the fields
When we describe models in code, we usually have some constraints like primary key, unique, not-null ..etc., In this case we want the categories to have a name and have a minimum of 2 characters. We can specify that by switching to the Advanced Settings tab and setting the constraints.
Click + Add another field and create another “Text” field for color. (I am leaving the screenshot out for that one)
Click finish after putting in the details for color field.
We want the Categories to be user specific. So we need to add a relationship between the User Model which is already there and between the Category model which we just created.
api folder and look at the contents you will see the files that Strapi created for the ‘Category’ Modelapi └── category ├── config │ └── routes.json ├── controllers │ └── category.js ├── models │ ├── category.js │ └── category.settings.json └── services └── category.js
Now that we know the steps to create a model visually, I am going to leave creating the Expense Item Model as an exercise. The model will have the following fields
Now that our models and controllers are all in place, our API is ready. Let us try it out by visiting http://localhost:1337/categories
Oops, we don’t have access. While it is a disappointment, it is actually a good thing. By default Strapi doesn’t allow access to any resources. We need to configure access rules for the API to be usable. Let us do that by heading back to Strapi admin page.
Go to the Strapi Admin page, click the Roles and Permissions on the sidebar and click on the edit button for Authenticate.
In the Permissions, click Select All for Category and Expense-Item and Save. This will allow any user who is logged into to perform all sorts of operations on the Category and Expense Item models.
It can be noticed that the Roles & Permissions page shows “0 User” for the Authenticated role despite us logged in as the admin. That’s because Strapi considers Super Admin users different from users created for the User content type. So, we will create a new user who will act as the test user.
Now if you switch to the Roles & Permissions page, you should see it say “1 User” in the Authenticated row.
Side Note: I will use Postman to test the API. You can use whatever you are comfortable with using this as reference: Authenticated Request
In order for the requests to be sent as an authenticated user, we need a use the JWT returned during login and use it as the Bearer Token. So, let us login at http://localhost:1337/auth/local
Let us copy that JWT token from the response and use it to test http://localhost:1337/categories
The 403 Forbidden error is gone and we have a 200 OK response with empty array []. Now let us create a Category using a POST request with the same request.
raw and type JSON and{
“name”: “Travel”,
“color”: “{{$randomHexColor}}”
}
Side Note: I like how Postman provides functions to generate values like random colors.
Response
{
“id”: 1,
“name”: “Travel”,
“color”: “#535203”,
“user”: null,
“created_by”: null,
“updated_by”: null,
“created_at”: “2020-08-08T08:01:13.290Z”,
“updated_at”: “2020-08-08T08:01:13.290Z”,
“expense_items”: []
}
A new category has been created with the with the ID 1. But notice that the user attribute is actually null. That is because we didn’t pass the “user” attribute in the POST request. We shouldn’t have to. That information is already available with Strapi in the form of JWT token we have sent with the request.
How do we make Strapi automatically populate the user field?
Before we answer that, let us test another thing related to this user issue.
intruderintruder user and get the JWT Tokenintruder‘s JWT token let us send a get request to the /categories
The intruder is able to access the category created by test_user. This will happen even if the user value is not null. For example, go to the Strapi Admin and set the user value of the “Travel” category to test_user
Now switch back to Postman, don’t change anything and rerun the GET /categories request again.
You will notice that we are still able to access test_user‘s information as intruder.
To summarise:
So, any authenticated user can read anyone’s data. Not just read, if you recall the settings from “Roles & Permission”, they can also change and delete anyone’s data. Effective making the entire API useless.
Now we have identified two issues:
Both of these can be solved by modifying the Controller logic of the models. We will deal with that in the next part.
The impressive thing about using Strapi for an API is the amount of stuff that comes out of the box.
All of this without writing a single line of code. If we have used a regular library, we would be swimming in configurations and routes by now.
Covid-19 has created a number of challenges for the society that people are trying to solve with the tools they have. One such challenge was to create an app for data collection from volunteers for food supply requirements for their communities.
This needed a form with the following inputs:
Multiple ready made solutions like Google Forms, Zoho Forms were attempted, but we hit a block when it came to having a map widget which would let the location to be picked manually, and uploading photos. After an insightful experience with CovidCrowd, we were no longer in a mood to build a CRUD app with Database, servers..etc., So the hunt for low to zero maintenance solution resulted in a collection of pieces that work together like an app.
Someone has successfully converted a Google Sheet into a writable database (sort of) with some Google Script magic. This allows any form to be submitted to the Google Sheet and the information would be stored in the columns like in a Database. This solved two issues, no need to have a database or a back-end interface to access the data.
The AWS JavaScript SDK allows direct upload of files into buckets from the browser using the Congnito Credentials and Pool ID. Now we can upload the images to the S3 bucket and send the URLs of the images to the Google Sheet.
Almost 100% of this data collection is going to happen via a mobile phone, to we have a high chance of getting the location directly from the browser using the browser’s native Geolocation API. In a scenario where the device location is not available or user has denied location access, A LeafletJS widget is embedded in the form with a marker which the user can move to the right location manually. This is also sent to the Google Sheets as a Google Maps URL with the Lat-Long.
All of this was tied together into a React app using React hook form with data validation and custom logic which orchestras the location, file upload ..etc., When the app it built it results in a index.html file and a bunch of static CSS and JS files which can be hosted freely as Github Pages or in an existing server as a subdirectory. Maybe even server over a CDN gzipped files, because there is nothing to be done on the server side.
We even added things like image preview in the form so the user can see the photos he is uploading on the form.
All of these are overlooked for now as the volunteers involved are trusted and the URL is not publicly shared. Moreover the entire lifetime of this app might be just a couple of weeks. For now this zero maintenance architecture allows us to collect custom data the we want.
Building this solution showed me how problems can be solved without having to write a CRUD app with a admin dashboard every time. Sometimes a Google Sheet might be all that we need.
Source Code: https://github.com/tecoholic/ResourceForm
PS Do you know Covid19India.org is just a single Google Sheet and a collection of static files on Github Pages? It servers 150,000 to 300,000 visitors at any given time.
This is a combination of the problem that I posted in Dev.to and StackExchange and the final solution that I adopted.
I have a function which takes the incoming request, parses the data and performs an action and posts the results to a webhook. This is running as background as a Celery Task. This function is a common interface for about a dozen Processors, so can be said to follow the Factory Pattern. Here is the psuedo code:
processors = {
"action_1": ProcessorClass1,
"action_2": ProcessorClass2,
...
}
def run_task(action, input_file, *args, **kwargs):
# Get the input file from a URL
log = create_logitem()
try:
file = get_input_file(input_file)
except:
log.status = "Failure"
# process the input file
try:
processor = processors[action](file)
results = processor.execute()
except:
log.status = "Failure"
# upload the results to another location
try:
upload_result_file(results.file)
except:
log.status = "Failure"
# Post the log about the entire process to a webhoook
post_results_to_webhook(log)
This has been working well for most part as the the inputs were restricted to action and a single argument (input_file). As the software has grown, the processors have increased and the input arguments have started to vary. All the new arguments are passed as keyword arguments and the logic has become more like this.
try:
input_file = get_input_file(input_file)
if action == "action_2":
input_file_2 = get_input_file(kwargs.get("input_file_2"))
except:
log.status = "failure"
try:
processor = processors[action](file)
if action == "action_1":
extra_argument = kwargs.get("extra_argument")
results = processor.execute(extra_argument)
elif action == "action_2":
extra_1 = kwargs.get("extra_1")
extra_2 = kwargs.get("extra_2")
results = processor.execute(input_file_2, extra_1, extra_2)
else:
results = processor.execute()
except:
log.status = "Failure"
Adding the if conditions for a couple of things didn’t make a difference, but now almost 6 of the 11 processors have extra inputs specific to them and the code is starting to look complex and I am not sure how to simplify it. Or if at all I should attempt at simplifying it.
Something I have considered:
1. Create a separate task for the processors with extra inputs – But this would mean, I will be repeating the file fetching, logging, result upload and webhook code in each task.
2. Moving the file download and argument parsing into the BaseProcessor – This is not possible as the processor is used in other contexts without the file download and webhooks as well.
I solved it by making two important changes:
kwargs as I receive them without unpacking. It is the processor’s job.
def run_task(action, input_file, *args, **kwargs):
params = kwargs.copy()
# Get the input file from a URL
log = create_logitem()
try:
file = get_input_file(input_file)
if action == "action_2":
params["extra_file"] = get_input_file(kwargs["extra_file"] # update the files in params
except:
log.status = "Failure"
# process the input file
try:
processor = processors[action](file)
results = processor.execute(**params) # Unpack and pass the params
except:
log.status = "Failure"
# upload the results to another location
try:
upload_result_file(results.file)
except:
log.status = "Failure"
# Post the log about the entire process to a webhoook
post_results_to_webhook(log)
Now I have the same lean structure as I originally had. The only processor specific code is the file downloads which I think I can live with for now.
Kain0_0‘s answer pointed me in the right direction and helped me simplify it in a way that makes sense.
Arunmozhi 