by Nikolay Derkach

All Your Hashes Are Belong to Us

I’ve seen quite a few tricks that apps use to hide the credentials they need to access APIs, in order to prevent reverse-engineering. Let me say it again: if you assume that your deliverable is secure, and rely on security by obscurity, you are doing it wrong. Sigh. If you deliver the binary with credentials to the user, assume that they will eventually be able to recover them.

Recently I needed to replicate API access for a major ticketing website. They use Digest authentication to generate access tokens which expire every 5 minutes. I was able to intercept almost all the missing pieces of the puzzle, including the API key, using mitmproxy as usual.

Hacking Parse.com Quota

Parse.com is a great BaaS (backend as a service) solution; it helped me numerous times to get a mobile app prototype or MVP off the ground and focus on the product features, rather than building the database layer, push notification infrastructure and analytics platform from scratch.

They provide you with a pretty lean pricing structure where you pay proportionally to the number of requests you make to the API on top of the free 30 requests per second. Now, even though one should optimize an app to make as few requests to the API as possible, Parse has no built-in request throttling support, i.e. if you have a spike of API usage at some point, there is no way to balance it. If you reach your plan quota, all the requests made above the threshold are simply rejected. Parse seems to present this as a feature ensuring better QoS and recommends upgrading your quota: this way the API is responsive and you don’t have to wait, but frankly I’d much rather make my users wait a little bit every once in a while than lose their data.

How to Dynamically Generate Jade Templates With Express.js

Recently I’ve been playing with Express.js - yet another MVC web framework. Even though I’m not particularly fond of JavaScript for the backend, I decided to give it a shot for yet another weekend project. Even though I had to learn a new framework (Node.js with Express.js) and a new template language (Jade), my journey to building a simple website that does some web crawling and serves as an intermediary for passing through HTTP requests was fairly straightforward. In fact, I enjoyed working with Jade; I definitely prefer it to the more verbose Jinja2.

The website works like this: you search for a term and it displays a list of videos matching the criteria. The search button sends an AJAX call to the backend, which automagically generates a dictionary with metadata and links to the videos. Here comes a gotcha: instead of returning JSON, you render a template on the backend side and return it to the client.

Using Flickr API for Beautiful Landmark Photos

While building Traffle (a social travel iOS app), I stumbled upon a problem: how to generate high-quality landmark photos for a particular destination. To give you an idea of the kind of pictures I was looking for, check out Yahoo! Weather. In Yahoo! Weather the image content is curated: the best photos are handpicked by editors.

The app required creating a simple algorithm which produces relevant content. Surely no algorithm can compete with curated content, and I didn’t want to spend time implementing a machine learning algorithm, like this one.

Basic HTTP Authentication With Forms

Here is a fairly simple trick for using basic HTTP authentication (yes, the one where you get an ugly popup window) with HTML forms. I’m actually quite surprised that not a lot of developers are aware of it, as it’s quite neat.

In short, the idea is that you create a form and pass the authentication data to your backend. Simple enough, right? Here is how it works under the hood.

Hacking couchsurfing.com API Part 2

This is a follow-up to my previous article. To remind you, I’ve created a web app, http://couchrequests.com, which extends the functionality of http://couchsurfing.org by accessing their private API.

I’ve decided to go the extra mile and implement another highly demanded feature: couch availability calendars embedded in users’ profiles. Wouldn’t it be just awesome to have such a calendar which is updated automatically?

Hacking couchsurfing.com API

Traveling is my passion and I’m a huge fan of couchsurfing. Couchsurfing is a global community of travelers, where you can find a place to stay or share your own home with other travelers. On top of that, couchsurfing helps you to have genuine traveling experiences while interacting with locals. Here is how it works. Hell, I’ve met some of the most awesome people in the world and made lots of friends through this community.

I’ve hosted a lot of travelers myself, many more than I have actually surfed yet. Living in one of the major tourist destinations on the French Riviera, I receive an enormous amount of couch requests (sometimes up to 10 a day during high season). The problem with the couchsurfing.org website is that it doesn’t really handle such “high-load” cases properly. There is no information about the availability of your couch - when you receive a new couch request you can’t be sure whether you are already hosting someone on those days or not. There has to be a visual representation of your accepted and pending requests, so you can manage them better. And then, if you make your couch availability public, you can avoid unnecessary couch requests which overlap with days when you are unavailable. To get a better idea of what I have in mind, have a look at the Airbnb calendar.

Things I’ve Learned Porting Ebay SDK to Python 3

One day I decided to play around with eBay a little bit (nothing illegal, I swear). And since I love Python, my first step was to find out whether there is a Python SDK available somewhere. And indeed there was one. Having had a look at the corresponding GitHub repository, it seemed to be maintained as well. Great! Well, not really - it doesn’t work with Python 3. Oh well, time to get my hands dirty.

The first thing I did was to run the infamous 2to3 tool. And frankly it was quite a help, as it did a great job, especially with those tedious brackets around print statements (but unfortunately not in doctests).

Well, the “porting” part itself was pretty smooth and straightforward in fact. The problem was that the SDK itself was mostly broken and I had to fix up quite a lot on my way through.

How to Setup a Typical Python Development Environment on openSUSE

It’s been a long time since I last installed a Linux distro on my desktop, more than 3 years I’d say. Naturally I was quite excited to see the breakthroughs it had made over that time. Since my previous MacBook Air kicked the calendar, I figured the time had come to give openSUSE a spin.

Frankly I was quite impressed that everything went pretty smoothly, apart from the fact that I had to configure my BIOS to disable UEFI Secure Mode and that two-finger scrolling didn’t work on my touchpad out of the box (yikes!).

I wanted to build a Python app using Flask as the web framework, and I’m using Heroku for deployment. Here is how I went ahead and set up everything required to get started. Ah yes, I’m using python3 and so should you.