6,725 research outputs found

    Statically Checking Web API Requests in JavaScript

    Many JavaScript applications perform HTTP requests to web APIs, relying on the request URL, HTTP method, and request data to be constructed correctly by string operations. Traditional compile-time error checking, such as calling a non-existent method in Java, is not available for checking whether such requests comply with the requirements of a web API. In this paper, we propose an approach to statically check web API requests in JavaScript. Our approach first extracts a request's URL string, HTTP method, and the corresponding request data using an inter-procedural string analysis, and then checks whether the request conforms to given web API specifications. We evaluated our approach by checking whether web API requests in JavaScript files mined from GitHub are consistent or inconsistent with publicly available API specifications. From the 6575 requests in scope, our approach determined whether the request's URL and HTTP method were consistent or inconsistent with web API specifications with a precision of 96.0%. Our approach also correctly determined whether extracted request data was consistent or inconsistent with the data requirements with a precision of 87.9% for payload data and 99.9% for query data. In a systematic analysis of the inconsistent cases, we found that many of them were due to errors in the client code. The checker proposed here can be integrated with code editors or with continuous integration tools to warn programmers about code containing potentially erroneous requests.
    Comment: International Conference on Software Engineering, 201

    Towards property-based testing of RESTful web services

    Developing APIs as Web Services over HTTP implies adding an extra layer to software, compared to the ones that we would need to develop an API distributed as, for example, a library. This additional layer must be included in testing too, but this implies that the software under test has an additional complexity due both to the need to use an intermediate protocol in tests and to the need to test compliance with the constraints imposed by that protocol: in this case the constraints defined by the REST architectural style. On the other hand, these requirements are common to all the Web Services, and because of that, we should be able to abstract this aspect of the testing model so that we can reuse it in testing any Web Service. In this paper, as a first step towards automating the testing of Web Services over HTTP, we describe a practical mechanism and model for testing RESTful Web Services without side effects and give an example of how we successfully adapted that mechanism to test two different existing Web Services: Storage Room by Thriventures and Google Tasks by Google. For this task we have used Erlang together with state machine models in the property-based testing tool Quviq QuickCheck, implemented using the statem module.

    Granular confidentiality and integrity of JSON messages

    Modern web and mobile-based applications exchange information with each other and with other services, through specific APIs that extend the applications' multipart functionality and enable interoperable information exchange. Currently these mechanisms are implemented through the usage of RESTful APIs and data interchange is performed using the JSON format over the HTTP or HTTPS protocol. Most of the time, due to specific security requirements, the SSL/TLS protocol is used to create a secure authenticated channel between the two communicating service end-points, where all the content is encrypted. This is an important security feature if the sender and the receptor are the only communicating parties; however, this may not be the case. In this paper, a granular mechanism for selectively offering confidentiality and integrity to JSON messages, through the usage of public-key cryptography, is presented. The proposed mechanism takes into consideration already existing mechanisms, such as XML security, to best fit developers’ acquaintance. In this paper, we will present the proposal of the syntax for the secure JSON format (SecJSON) and present a prototype implementation of that particular specification, written in JavaScript and Node.js, that was created to offer developers the possibility to offer this security mechanism in their own services and applications.

    User friendly knowledge acquisition system for medical devices actuation

    Dissertation submitted to obtain the degree of Master in Biomedical Engineering.
    The Internet provides a new environment to develop a variety of applications. Hence, large amounts of data, increasing every day, are stored and transferred through the internet. These data are normally weakly structured, making information disperse, uncorrelated, non-transparent and difficult to access and share. Semantic Web, proposed by the World Wide Web Consortium (W3C), addresses this problem by promoting semantic structured data, like ontologies, enabling machines to perform more work involved in finding, combining, and acting upon information on the Web. Pursuing this vision, a Knowledge Acquisition System (KAS) was created, written in JavaScript using JavaScript Object Notation (JSON) as the data structure and JSON Schema to define that structure. It grants new ways to acquire and store knowledge semantically structured and human readable. Plus, structuring data with a Schema generates robust and error-free software. A novel Human Computer Interaction (HCI) framework was constructed employing this KAS, allowing the end user to configure and control medical devices. To demonstrate the potential of this tool, we present the configuration and control of an electrostimulator. Nowadays, most of the software for Electrostimulation is made with specific purposes, and in some cases they have complicated user interfaces and large, bulky designs that deter usability and acceptability. The HCI concedes the opportunity to configure and control an electrostimulator that surpasses the specific use of several electrostimulator software. In the configuration the user is able to compile different types of electrical impulses (modes) in a temporal session, automating the control, making it simple and user-friendly.