Context Sensitivity for Web APIs
In the current world of web applications, no application is an island: it is hard to imagine a web site without a like button from Facebook, a video from YouTube or a Twitter wall on the side. In order to communicate with each other, web applications need to send requests.
The functionality that web applications provide for others resides in an API. An API is a collection of entry points, where each entry point represents a piece of the functionality of the web service.
The following code snippet shows a simplified example of a request to the API of Twitter, in which we send a direct message via Twitter.
request.post(
{url: 'api.twitter.com/1.1/direct_messages/new.json',
form: {user_id: 123, text: "Hi Twitter"}},
function(error,r,result){ console.log(result) });
Some entry points of an API are meant to only be used by a certain group of users. One of the simplest examples are the endpoints for the “administration side” of a website. These should only be called by authorized persons.
Sometimes, it is not the end points that are restricted, but certain arguments of an endpoint. For example, creating a playlist using the YouTube API has certain optional arguments (“onBehalfOfContentOwner”) that can exclusively be called by “YouTube content partners”.
These are examples where the context sensitivity is very important: if the API provider does not have the necessary code to check if the request caller has the required rights, this could lead to security breaches.
In this thesis, we want to develop a static type system that ensures the context sensitivity in a web application. This can be done both at the client-side and the server-side.
At the client-side, the web developer should be able to indicate which role he has for the API he is using: API.new(context = "admin") or API.new(context = "extern"). The type system then has to verify that the developer does not use functionality of the API he has no rights to.
On the other hand, a type system can also improve the security of the implementation of the API, by verifying if the necessary security checks are performed. This way, web developers are obliged to write the necessary code to guarantee the security of context sensitive end points.
More concretely, we will take a look at state-of-the-art type systems which we can use as inspiration for this thesis. JavaScript has many dynamic features, therefore we will either start from a small subset of JavaScript or an existing typed version of JavaScript. Then, we will extend the type system to ensure context sensitivity for web APIs.
B. C. Pierce, Types and programming languages. MIT Press, 2002.