Backpack API: Backpack is now a web service 17 May 2005


For Backpack’s 1-week anniversary we launched Backpack Mobile. To celebrate week 2, how about a shiny new Backpack API?

So, who’s going to be first to develop a killer Backpack Dashboard Widget for Tiger?

24 comments so far

JP 17 May 05

Now it’s getting interesting….

Jeremy Boles 17 May 05

I’d be all for it if I could figure out what is making the widget that is currently in my development queue crash at random times. Very frustrating.

mh 17 May 05

I’ve been wondering since before the launch when there will be a Quicksilver plugin for Backpack…

bitserf 17 May 05

Just out of curiosity, why did you decide to go the route of implementing your own data representation format?

I can understand it from the point of view of simplicity of implementation or wanting human-readable XML request/response messages, but it places the burden on the developer to special case support for yet another API :)

For example, I can’t use your API at work because I’m behind a proxy that strips off non-standard client submitted headers for privacy reasons.

Brad 17 May 05

Okay, an exercise in clarity is needed, or at least a simple definition: in 20 words or fewer, what is an API and why is it useful?

jpack 17 May 05

Make sure to clear your .bash_history if you’re passing your token to curl over command line like in the example.
Otherwise anyone that could read your history file could grab your token.

jpack 17 May 05

Ok, so maybe that’s a bit paranoid, I just hate running things like that command-line because not only can other people on the machine see you run it as but it leaves a trail afterwards.

Eric 17 May 05

jpack’s concern is valid. But .bash_history can have permissions set so that other users won’t have access to it.

Also, I think the command-line examples really are examples to demonstrate functionality, and a client using the API would likely not be using the command-line.

But there are some serious problems that I see. If they’re in fact not problems, I’d welcome being corrected.

1. Your account token (think password) is being sent in the clear.

2. I haven’t verified this, but if you retrieve your account token from the backpack web page it too will be sent in the clear.

3. Irrespective of the API, when logging in via the web your account password is sent in the clear (i.e., not using a secure web page).

So, what are the implications? The biggest danger may be with using your Backpack account via the web at a public hotspot. The danger would also exist if using a client that took advantage of the API. In those scenarios an attacker could get either your password or your token.

Once an attacker has either, s/he could a) add items to your Backpack, b) delete items from your Backpack, or c) subtly alter items in your Backpack.

What if someone changed your due dates or flight times so you would miss deadlines or flights?

Would anyone care to confirm/disconfirm the 3 problems I outlined above?
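An added example (not part of the original comments or of Backpack's documentation) of one way to address jpack's concern about tokens on the curl command line, together with Eric's point about file permissions: the token lives in a file readable only by its owner and reaches curl on stdin, so it appears neither in the process list nor in the shell history. `TOKEN_FILE`, `API_URL` and the XML body shape are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: keep an API token out of argv and shell history.
# TOKEN_FILE, API_URL and the XML body shape are assumed placeholders,
# not values taken from the Backpack API page.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.backpack_token}"
API_URL="${API_URL:-https://example.invalid/api/placeholder}"

# Succeeds only if the file exists and grants nothing to group or other.
token_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the request body on stdout, reading the token from the file.
build_body() {
    local token
    token_file_is_private "$1" || {
        echo "refusing: $1 is missing or accessible to other users" >&2
        return 1
    }
    # Accept a file with or without a trailing newline; reject an empty one.
    IFS= read -r token < "$1" || [ -n "$token" ] || return 1
    # Reject characters that would break the XML body.
    case $token in *[\<\>\&]*) return 1 ;; esac
    printf '<request><token>%s</token></request>' "$token"
}

# Pipe the body to curl ("-d @-" reads POST data from stdin). printf is a
# shell builtin, so the token is never an argument of a separate process.
send_request() {
    local body
    body=$(build_body "$TOKEN_FILE") || return 1
    printf '%s' "$body" |
        curl --silent --fail -H 'Content-Type: application/xml' -d @- "$API_URL"
}

# Run the request only when asked to: ./script.sh send
if [ "${1:-}" = "send" ]; then
    send_request
fi
```

Create the token file in an editor under `umask 077`, since typing the token into an `echo` command would put it in the history again. This only covers local exposure; it does nothing about the token crossing the network in the clear.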

David Heinemeier Hansson 17 May 05

Most web-based services not running on SSL are susceptible to this. So is standard POP3 email if you don’t tunnel it. So is FTP. So is the metaWeblog API that people use to blog with.

That doesn’t mean it’s not a real problem. It is. We’ll be introducing SSL on the upper Backpack levels shortly to help address that.

So. Don’t store the launch codes in Backpack just yet. Or ever, really.

jpack 17 May 05

SSL would be very welcome here. I wouldn’t personally use the service w/o it for anything of substance, but then again I’ve already established my paranoia level.

Props for using sha1 rather than md5 too.

ozmm 17 May 05

I’d use Backpack over SSL if I could. Because, why not?

Ruy 17 May 05

Is something like this on the drawing board for Basecamp? Maybe it’s because I spend so much time with it, but it seems there are even more applications that would make use of an API in Basecamp than in Backpack…

vanilla gorilla 17 May 05

So, who’s going to be first to develop a killer Backpack Dashboard Widget for Tiger?

You are?

JF 17 May 05

We do plan on introducing an API for Basecamp, but it’s far more complex and touches a lot more data. We’re also working on the next version of Basecamp right now so we want to get the new foundation in place before we allow API hooks. But it’s planned for sure.

pb 17 May 05

A dead simple API described in full on one web page. Amen.

So, you made it look easy to produce the API. Was it truly that easy? Did Ruby (on Rails) help out quite a bit?

Adam 18 May 05

Hey guys.

what is an API?
what is it for (in this instance)?
and why does it help?

Alex King 18 May 05

Hmm… neat. Has anyone figured out how to use this with .NET yet?

Daniel Lakier 19 May 05

I played with this a tad from .net and it works fairly well. Email me if you would like an assembly with classes to access the api.

Liang Zhang 01 Jun 05

can’t find the plug-in though.