API for autopilot - javascript

I am a newbie at using API's. Because of my work, I have to learn to use Autopilothq. There is also an API for this which is in JavaScript:
http://developers.autopilothq.com/
But my question is basically, how do I implement all these functions? Do I have to make a administration site, where I implement these functions, or is it often in the online program itself they are called from?
For example, in the console of their site Autopilot, I can type the following:
var sessionId = AutopilotAnywhere.sessionId;
sessionId;
Then I get a 24 digit number. That number can be attached to a contact_id. But how do I execute this line of code on a site? Should I simply make a JS file and make my functions in here, then call the script from the head tag?
Updated question:

If you want to use JavaScript to access their API, you create a HTML document that contains a JavaScript script which does a XMLHttpRequest (Ajax) request to their REST-API with some code like the one from the example in your screenshot.
You need to specify your private API key (it acts as a kind of username and password in one thing) to allow the script access to your account. Then you create a request body and use a HTTP method to send your request (see CRUD). The API then returns a JSON encoded string (or some error) that you can work with in your script.
So yes, basically you can create an administrative website that implements some functionality to make changes to your account (or whatever the API allows you to do). But an API allows you much more as it can be used with almost any programming language, so you could also create a native mobile or desktop app. You could also allow users to do something like unsubscribe themselves if the API allows you to create API keys with certain restrictions (i.e. only allow the unsubscribe action with the key that the user uses).
Keep in mind to not expose your API key. If you create a website to work with the API, make sure to not store the key in your script as everyone can view the source file. Instead you can either provide the key via PHP after some successful login only or have a look at server-side JavaScript (e.g. Node.js) or think of something else.

Related

Query while typing in a textbox like Netflix

When you search using the textbox in netflix.com, the URL updates automatically on what you type. It changes to something like https://www.netflix.com/search?q=test. The results also updates automatically or in real time.
I would like to know how this was done. Not the DB query part but more of the real-time/automatic update of the results with the use of GET functions. I was wondering if this could be done using Node.js, and javascript? Where should I get started?
Kind of related but not important: I saw this question with a fiddle code but didn't contain DB query and not updating the URL.
question
All of this is JavaScript, but specifically there are two parts to this.
For the first, the fetching of fresh data, this is done via the Fetch API. (Or on older sites, XHR/AJAX.) Using this API, the client-side JavaScript can make an HTTP request to the server and read the response. What is used server-side (like Node.js) isn't important... most anything can be used for this. (Node.js though is awfully convenient... it's my preferred method, but it isn't a requirement that you use it.) With the response data, it's parsed and injected into the page however the script wants to do it.
The second part you're asking about is the URL change. This is often done with the History API. That way, the developer can control what the URL says. This allows the user to bookmark this particular page for later use.

How to make a website's JavaScript file inaccessible or hide certain info on it

I'm currently using GitHub pages to host my website and I'm making a simple web app that requires an API call. The API call is a web url with certain parameters and one of the mandatory parameters is the personal API key issued from the service which they strictly warn to not share with others cause its the equivalent of sharing your password. This service has no public API keys, only account bonded ones.
In my JavaScript file I have a line that goes something like this:
var api= "https://osu.ppy.sh/api/get_beatmaps?k=[MY API KEY HERE]"
Where this string is then used in a getJSON call.
Where after the ?k= is my account tied API which I do not want to share because its the equivalent of giving out my password. I realised that any user can just go on myname.github.io/js/script.js and they can view the JavaScript and thus see my API key. Is there a way to make it so this file is unable to be accessed or a way to make it so no one can see my API key.
Unless you can isolate this, as in run that code on a server you control and can lock down, the answer is no.
You could also do this "serverless" as in an Amazon Lambda function or equivalent.
Remember, client-side code runs client-side, so if they have access to your key, they have access to your key. The only way around this is to intermediate or proxy the request.

Is there a way to hide my api in javascript? (pulling it in from php?)

I have a gaming page that accesses an API that I would like to share but I don't want anyone else using my api. Is there a way to create a variable in javascript that would obfuscate the api? Maybe pull it in from a php page?
Just looking to replace
var apiKey = "7**************";
so that the api isn't available to people that download the page to use it for themselves.
No. You cant hide anything in javascript.
No. It's not possible.
Any information that your javascript uses, is public. Any API key that you put in js or pull from server or decode or whatever else can be easily recorded and then used elsewhere.
Create nginx proxy which will just add your secret API key when you make calls to API. But dont share API keys - the only security in this case is lazyness ot your visitors to take that API key.
You can't hide Javascript from your source but you can made it more difficulty to read and understand.
www.sitepoint.com/hide-jquery-source-code/
Image from sitepoint
Javascript Obfuscate

How to prevent script sharing from it's users?

I am making a small payment system, basically it's just a point system, you pay say 1 USD and you get 100 points which is used later on in a game project to get bonuses. It's a script for game servers, something like a user panel.
Now, the script system is ready, but I'm afraid to give it away, since than someone will share it and it will spread all over the gaming area. What would be the solution keeping it working only if I give them a permission?
I thought about re-making whole code and make it work on my website but I don't think that people will want to put their SQL data to website that located NOT on their host. Please help me out, at least with some clues, maybe its possible to make some widgets? or maybe some license system?
I'm really lost.
You should implement the logic on the server side as an api REST call and include in the script only an ajax call to the api. You can limit the use of the api through an api key that you'll provide only to qualified sites.
You'd need to implement some sort or serverside authentication/api so that only varified users can use the script. Much like how software checks a licence.
On script load your javascript could make a ajax call to a server passing through the users IP, auth key, username etc etc.
This can then be varified on the server, maybe returning a dynamically generated url containing a javascript file which contains your business logic
(so that urls are dynamically generated for that users session only)
That way people cant hot link the script, and the script you give out is solely the ajax call
(With the business logic script injected on auth)

How to "Secure" AJAX calls?

I'm sure this question has been asked before, but I can't find a thread that explains it in a way that makes sense to me.
I'm creating a bookmarklet/browser plugin written in Javascript. This script makes calls to an api, effectively sending a users activity information from one site to another. (think, making a tweet when a user posts a facebook status)
This site loads javascript right into the site. The API I'm using requires an MD5 hash to be generated using an API secret code. This is no problem, I'm making an ajax call to a PHP script I'm hosting elsewhere, that returns the correct string.
Problem is I don't want the user to be able to make a call to this same script to generate their own strings, with the secret embedded to abuse the API. Is their a way I can only allow calls to this API when I want to make them?
Or maybe I'm approaching this from the wrong direction.
You cannot dictate how a client executes your javascript. There is no way to create a "secure" request, or insure that it wasn't modified by an attacker. This is the nature of the client/server system. The page its self can be modified using GreaseMonkey and any request can be modified or replayed using TamperData.
1) you should open a token on your DB like GUID.
this guid will represent some info and can only be executed once ( put a db field in table called "isAlreadyuse" -type bit).
now ,
when the ajax will call itself - you send this guid to the server.
the server will see if the guid exists
and emits its logic and update thefield to "1".

Categories