APIful Blog We're obsessed with Web APIs


Statically Checking Web API Requests in JavaScript

Feb 13, 2017 •

Programming in the Stone-age

Writing JavaScript applications that perform HTTP requests to web APIs relies on the request URL, HTTP method, and request data to be constructed corrected via string operations. This can feel like going back to the stone-age, especially if you are a fan of statically-typed languages: you often ask “where is my beloved compiler”? Traditional compile-time error checking, such as calling a non-existent method in Java, is not available for checking whether such requests in JavaScript code. In this blog post, I am sharing with you our research prototype that can potentially rescue us from this situation, a static checker on web API requests in JavaScript. Thanks to the amazing co-authors Erik Wittern, Yunhui Zheng, Julian Dolby, and Jim Laredo, this work (see the full paper) has been accepted to the International Conference in Software Engineering (ICSE) this year.

Simple checks like on non-existent endpoints are not available!

On GitHub, we found code that mistakenly attempts to make a request to https://api. spotify.com/v1/seach, as opposed to invoking the correct URL ending with /search.
This is what I mean by stone-age – why don’t we have more static support on checking stupid errors like that!

A programmer wishing to avoid such errors can manually assess the correctness of web API requests by consulting the API’s (online) documentation or formal web API specifications. Such specifications, like the OpenAPI Specification (or formerly known as Swagger), can be created by API providers or third parties to document valid URLs, HTTP methods, as well as inputs and outputs that a web API expects.

Getting out the stone-age: our static checker on web API requests

In essence, our tool automates this manual process by doing two things:

  • First, our approach extracts a request’s URL string, HTTP method, and the corresponding request data using an inter-procedural string analysis
    This task is not super easy task because we need an inter-procedural static program analysis capable of extracting strings. Yunhui has described the magic behind this analysis.

  • Making use of available Swagger specifications for the definitions of valid URLs, HTTP methods, and data. Our approach checks whether the request extracted from the first step conforms to given web API specifications. Erik has shared some interesting insights about these specifications in a previous post.

Our check is quite precise!

We evaluated our approach by checking whether web API requests in JavaScript files mined from GitHub are consistent or inconsistent with publicly available API specifications. From the 6575 requests we examined from GitHub, this is what we found:

  • Our approach determined whether the request’s URL and HTTP method was consistent or inconsistent with web API specifications with a precision of 96.0%.
  • Our approach also correctly determined whether extracted request data was consistent or inconsistent with the data requirements with a precision of 87.9% for payload data and 99.9% for query data.
  • In a systematic analysis of the inconsistent cases, we found that many of them were due to errors in the client code.

If you ask me, this numbers mean that we are ready to deploy our approach!

Atom plug-in

And we have! Our checker is already integrated as a plug-in in Atom, as described in Erik’s previous post! It can also be integrated with continuous integration tools to warn programmers about code containing potentially erroneous requests.

Please find the full paper here and, as always, connect with us on Twitter @apiHarmony. Is there any other similar stong-age annoyance from a language like JavaScript that maybe we can help with static analysis?

Share via a Tweet or follow us for everything APIs!