Charles Proxy vs Chrome Inspect Element - google-chrome

I am new to Charles Proxy. As far as I have read, it gives me ability to see all the calls happening from within my application.
Is there any difference between what we can do using Charles Proxy and Chrome -> Inspect Element -> Network ?
My requirement is as follows:
I would like to see all the calls (specifically API calls) being made by the application I am browsing and that is to any levels.
Is this possible by any of them?
I am seeing one level API call but not any further (i.e. not multi-level).
Is this because none of the captures server to server API calls, which I feel should be.
Please let me know if any further information is needed to get the whole context.

After a bit more exploring found answer to the question
"I would like to see all the calls (specifically API calls) being made by the application I am browsing and that is to any levels."
This is possible through Charles Proxy but we need to have the application running in local. This is obvious server to server API calls will not be exposed so as a developer if he/she wants to get the any-level API calls being made by the application that he/she is trying to explore, the solution will be to setup the application locally and configure Charles Proxy.
Please share if anyone wants to share any other thought.

Related

Connect Sproutcore App to MySQL Database

I'm trying to build my first Sproutcore App and I struggle to connect it to a MySQL-Database or any datasource other than fixture. I can't seem to find ANY tutorial except this one from 2009 which is marked as deprecated: http://wiki.sproutcore.com/w/page/12413058/Todos%2007-Hooking%20Up%20to%20the%20Backend .
Do people usually not connect SC-Apps to a Database? If they do so, how do they find out how to? Or does the above mentioned tutorial still work? A lot of gem-commands in the introduction seems to already differ from the official Sproutcore getting-started-guide.
SproutCore apps, as client-side "in-browser" apps, cannot connect directly to a MySQL or any other non-browser database. The application itself runs only within the user's browser (it's just HTML, CSS & JavaScript once built and deployed) and typically accesses any external data via XHR requests to an API or APIs. Therefore, you will need to create a service wrapper around your MySQL database in order for your client-side app to be able to load and update data.
There are two things worth mentioning. The first is that since the SproutCore app contains all of your user interface and a great deal of business logic, your API can be quite simple and should only return raw data (such as JSON). The second is that, I should mention that the client-server design, while more tedious to implement, is absolutely necessary in practice, because you can never trust the client side code, which is in the hands of a possibly nefarious user. Therefore, your API should also act as the final gatekeeper to validate all requests from the client.
This tutorial I found helped me a lot. Its very brief and demonstrates how to implement a very simple login-app, how to send post-requests (triggered by the login-button-action) to the backend-server and how to asynchronously process the response inside the Sproutcore-App:
http://hawkins.io/2011/04/sproutcore_login_tutorial/

CouchBase WEB(AngularJS), Android(Native), IOS(Native)

I'm planning to build an application that runs on WEB(AngularJS), Android(Native), IOS(Native).
I have experience with MongoDB, but I found CouchBase which sounds really good for me.
I read documentation and I found out I need to use sync_gatway to sync my mobile databases with main database server and reverse, until now everything is fine.
I also need to use "channels" to share records with multiple users.
The problem comes when I need to implement this for web application.
In their documentation on "Working with web applications" they explain how "bucket shadowing" is working, but they also say:
Bucket shadowing is meant to enable sync for existing Couchbase Server
apps. If you are creating a new app with both mobile and web clients,
we recommend starting with the Sync Gateway REST APIs, and connecting
backend services using the Changes Worker Pattern.
After reading Sync Gateway REST API I found out I'm limited to facebook and persona authentication. So I can't use my own authentication mechanism?
Also, there is nothing specified in REST API about channels?
Is there any example project or more documentation about this? I couldn't find anything :(
If someone has experience with this, please explain how this works.
Thanks
There is also Custom (Indirect) Authentication available on Sync Gateway, which you can use for any type of auth you need.
But you have to hide Sync Gateway's Admin API under your backend layer.
As for the channels: it is responsibility of Sync Function to route different documents to necessary channels based on Document data.
Here is a good video that describes how to build production architecture around Couchbase Lite.
I'm probably late for the party - but as of today I'd recommend taking a look in the PouchDB project for the WEB AngularJS side - they match pretty well and will sync with Couchbase.
Regarding authentication, I just released an article on that topic, find it here. Hope this helps somebody

rest api for 3rd party customers (AAA)

I am currently working on a REST/JSON API that has to provide some services through remote websites. I do not know the end-customers of these websites and they would/should not have an account on the API server. The only accounts existent on the API server would be the accounts identifying the websites. Since this is all RESTful and therefore all communication would be between end-user browser (through javascript/JSON) and my REST API service, how can I make sure that the system won't be abused by 3rd parties interested in increasing the middleman's bill? (where the middleman is the owner of the website reselling my services). What authentication methods would you recommend that would work and would prevent users from just taking the js code from the website and call it 1000000 times just to bankrupt the website owner? I was thinking of using the HTTP_REFERER , and translate that to IP address (to find out which server is hosting the code, and authenticate based on this IP), but I presume the HTTP_REFERER can easily be spoofed. I'm not looking for my customer's end customers to register on the API server, this would defeat the purpose of this API.
Some ideas please?
Thanks,
Dan
This might not be an option for you, but what I've done before in this case is to make a proxy on top of the REST calls. The website calls its own internal service and then that service calls your REST calls. The advantage is that, like you said, no one can hit your REST calls directly or try to spoof calls.
Failing that, you could implement an authentication scheme like HMAC (http://en.wikipedia.org/wiki/Hash-based_message_authentication_code). I've seen a lot of APIs use this.
Using HMAC-SHA1 for API authentication - how to store the client password securely?
Here is what Java code might look like to authenticate: http://support.ooyala.com/developers/documentation/api/signature_java.html
Either way I think you'll have to do some work server side. Otherwise people might be able to reverse engineer the API if everything is purely client side.

how to access chrome net-internals from the chrome extension code

is it possible to access, invoke and see the results of operations in chrome://net-internals/ WITH and from the extension code that I am trying to write/build?
Not directly.
The closest analog is the WebRequest API, which gives you access to various bits and pieces of the network requests going back and forth between Chrome and the server. That doesn't, however, give you access to some of the even lower-level details that you see in net-internals.
What exactly would you like extensions to have access to? I'd suggest formulating a clear use-case, and filing a feature request: http://new.crbug.com/ as your best bet.

Client-Server Model

I would like to develop a webpage (using any technology) with these conditions:
When client A types the web address on his browser, they automatically receive a remote IP (no other data)
With this IP, Client A automatically request some data from that IP (Client B)
Client B sends the requested information to Client A.
Which technology and libraries could I use to develop this webpage? (Javascript, Applets, browser plugin...) I think is some kind of P2P, so it should be possible to develop it.
Let's put one example.
Imagine that the webpage I have to program is www.hi.com/test.html.
I type it on my browser and receive automatically this IP: 212.22.62.106
My browser automatically request data to 212.22.62.106, which is another client of www.hi.com/test.html
This second client sends me the requested information, which is the only one is shown on my browser.
THANKS
Just about everything in browser security is going to fight this model - Ajax, javascript in general, applets, cookies - they're all tied to the current domain.
To do this, you're going to need to get something onto the desktop, if only in the form of an ActiveX control, which will severely limit your browser-base.
I think you're barking up the wrong tree - maybe if you could pop up one level of abstraction and tell us what you're trying to accomplish with this model?
This is not possible with web page, you're looking in the wrong direction.
You'll have to build your own application which by the way sounds really similar to eMule.. :)