Workshop Advances Javascript

Advanced JavaScript Creating Modern Web Applications @BastianHofmann

But what will you learn?

• JavaScript Apps • CORS and OAuth2 • Local Storage
• OEmbed and Caja • WebSockets, ActivityStrea.ms and PubsubHubbub • OExchange • Integrating it in your existing Application • Web Application Architecture

Questions? Ask!

http://speakerdeck.com/u/bastianhofmann

Let‘s write a JS App

CSS Bastian

http://twitter.github.com/bootstrap

History & Bookmarking

www.example.com#Page

www.example.com/Page

http://sammyjs.org/

API Access

Same Origin Policy

Cross-Origin Resource Sharing Backend api.twitter.com Client client.net AJAX Access-Control-Allow-Origin: *
http://www.w3.org/TR/cors/

var html="<ul>"; for (var i=0; i < viewers.length; i++) {
html += "<li>" + viewers[i].displayName + "</li>"; } html += "<ul>"; document.getElementById("#div").innerHTML = html; Where is the error?

Templates

Mustache.JS https://github.com/janl/mustache.js }

https://github.com/bashofmann/js_mashup_workshop

http://git-scm.com/

$ git clone [email protected]:bashofmann/ js_mashup_workshop.git ... $ git add newFile
$ git add changedFile $ git commit -m 'message' $ git push origin master http://git-scm.com/book/en/Git-Basics-Getting-a-Git- Repository

https://c9.io/

$ git remote add upstream https:// github.com/bashofmann/ js_mashup_workshop.git $ git
reset --hard $ git clean -d -f $ git fetch upstream $ git merge upstream/master https://help.github.com/articles/syncing-a-fork

Authorization

http://tools.ietf.org/html/rfc5849

lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Consumer Key - Shared Consumer Secret

HTTP POST Connect with Twitter lanyrd.com

twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key
Redirect URI Signature (Consumer Secret) lanyrd.com

twitter.com HTTP POST Connect with Twitter Request Token Request Token
Secret lanyrd.com

http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com

HTTP GET twitter.com/ authorize

Login twitter.com/ authorize

Grant permission twitter.com/ authorize Create veriﬁer and bind it to
User and Request Token

Redirect URI?veriﬁer=...&requestToken=.. HTTP Redirect twitter.com/ authorize

HTTP GET lanyrd.com (RedirectURI? veriﬁer=...)

HTTP GET HTTP GET Consumer Key, RequestToken Veriﬁer Signature (Consumer
& Request Token Secret) twitter.com lanyrd.com

HTTP GET Access Token Access Token Secret twitter.com lanyrd.com

HTTP GET API Request Consumer Key, Access Token Signature (Consumer
& Access Token Secret) twitter.com lanyrd.com

POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,
oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“

HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true

HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi

HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw

POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,
oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“

HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk

POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“
oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e

Signatures

GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net

GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0

PLAINTEXT

HMAC-SHA1 Salt: consumerSecret(&tokenSecret)

RSA-SHA1 Public/Private Key

Problems Does not work well with non web or JavaScript
based clients The „Invalid Signature“ Problem Complicated Flow, many requests

How to ﬁx it?

http://oauth.net/

http://tools.ietf.org/html/draft-ietf-oauth-v2

http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client proﬁles
No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more ﬂexible regarding extensions Mandatory TSL/SSL

Web-Server Proﬁle

lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Client ID - Shared Client Secret - Redirect URI

HTTP(S) POST Connect with Twitter lanyrd.com

http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com

HTTPS GET twitter.com/ authorize

Login twitter.com/ authorize

Grant permission twitter.com/ authorize Create authorization code and bind it
to User and ClientID

Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize

HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)

HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret
twitter.com lanyrd.com

HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com

HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com

HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret
twitter.com lanyrd.com

HTTPS GET Access Token Refresh Token twitter.com lanyrd.com

HTTPS GET API Request with Access Token twitter.com lanyrd.com

HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write

HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz

POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890

POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl

HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "expires_in“: 3600,
"refresh_token“: "qrstuvq“ }

GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

Refresh Token

POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq

Authorization Types

Bearer Tokens

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer

GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

SSL not possible?

Signatures

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,
"expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }

GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“jklmno“, nonce=“274312:dj83hs“, mac=“.....“

timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)

And JavaScript?

User-Agent Proﬁle

http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com

http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize

http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize

http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize

lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken
lanyrd.com

lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it
to opening window Close popup lanyrd.com

Same Origin Policy

lanyrd.com HTTPS Ajax Request to API Access Token twitter.com

GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com

HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600

1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =
{}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>

Storing the access token

Local Storage http://www.w3.org/TR/webstorage/

Mash it up!

cool video: http://www.youtube.com/ watch?v=OFzkTxiwziQ

OEmbed http://oembed.com/

http://www.youtube.com/watch?v=OyJd2qsRkNk

http://www.youtube.com/oembed?url=http%3A%2F %2Fwww.youtube.com%2Fwatch%3Fv %3DOyJd2qsRkNk&maxwidth=500&format=json

{ "provider_url":"http:\/\/www.youtube.com\/", "title":"Jupiter Jones - Das Jahr in dem ich
schlief (Musik Video)", "html":"\u003cobject width=\"500\" height=\"306\"\u003e \u003cparam name=\"movie\" value=\"http:\/\/www.youtube.com\/v\/ OyJd2qsRkNk?version=3\"\u003e\u003c\/param\u003e\u003cparam name= \"allowFullScreen\" value=\"true\"\u003e\u003c\/param\u003e \u003cparam name=\"allowscriptaccess\" value=\"always\"\u003e \u003c\/param\u003e\u003cembed src=\"http:\/\/www.youtube.com\/v\/ OyJd2qsRkNk?version=3\" type=\"application\/x-shockwave-flash \" width=\"500\" height=\"306\" allowscriptaccess=\"always \" allowfullscreen=\"true\"\u003e\u003c\/embed\u003e\u003c\/object \u003e", "author_name":"St182", "height":306, "thumbnail_width":480, "width":500, "version":"1.0", "author_url":"http:\/\/www.youtube.com\/user\/Stinkfist182", "provider_name":"YouTube", "thumbnail_url":"http:\/\/i4.ytimg.com\/vi\/OyJd2qsRkNk\/ hqdefault.jpg", "type":"video", "thumbnail_height":360 }

cool video:

http://embed.ly/

this.bind('changed', function() { embeds = []; $('div.feed-item h3').embedly({ key:'...', maxWidth:
450, wmode: 'transparent', method: 'after' }); });

Caja http://code.google.com/p/google-caja/

html_sanitize(result.html);

Instant updates without reloading

PubSubHubbub retrieves Atom feed with Hub URL Hub posts sth
pings every subscriber subscribes for feed acks subscription http://code.google.com/p/pubsubhubbub/

<entry> <activity:object-type>http://activitystrea.ms/schema/1.0/ note</activity:object-type> <id>http://status.net.xyz:8061/index.php/notice/20</id> <title>hello from client</title> <content type="html">hello from
client</content> <link rel="alternate" type="text/html" href="http:// status.net.xyz:8061/index.php/notice/20"/> <activity:verb>http://activitystrea.ms/schema/1.0/post</ activity:verb> <published>2011-05-23T21:07:33+00:00</published> <updated>2011-05-23T21:07:33+00:00</updated> <link rel="ostatus:conversation" href="http://status.net.xyz: 8061/index.php/conversation/20"/> <georss:point>52.52437 13.41053</georss:point> <link rel="self" type="application/atom+xml"href="http:// status.net.xyz:8061/index.php/api/statuses/show/20.atom"/> <link rel="edit" type="application/atom+xml"href="http:// status.net.xyz:8061/index.php/api/statuses/show/20.atom"/> <statusnet:notice_info local_id="20" source="api" favorite="false"repeated="false"></statusnet:notice_info> </entry>

http://activitystrea.ms/

PubSubHubbub retrieves Atom feed with Hub URL Hub posts sth
pings every subscriber subscribes for feed acks subscription http://code.google.com/p/pubsubhubbub/

http://nodejs.org/

HTTP Server for PubsubHubbub

(Webkit) Browser Notiﬁcations

Vagrant http://vagrantup.com/

$ vagrant box add base http:// files.vagrantup.com/lucid32.box $ vagrant init
$ vagrant up

http://puppetlabs.com/

https://github.com/bashofmann/vm_js_mashup

retrieve Stream with Hub Ajax: request Subscription WebSockets: new Post
subscribe at hub challenge ack new post Notiﬁcation new post

WebSockets http://dev.w3.org/html5/websockets/

socket.io http://socket.io/

Sharing

Nascar Problem

http://www.oexchange.org/

http://www.example.com/share.php?url={URI} &title={title for the content} &description={short description of the content}&ctype=flash&swfurl={SWF
URI} &height={preferred SWF height} &width={preferred swf width} &screenshot={screenshot URI}

http://example.com/.well- known/host-meta http://tools.ietf.org/html/draft-nottingham-site-meta

<?xml version='1.0' encoding='UTF-8'?> <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0' xmlns:hm='http://host-meta.net/xrd/1.0'> <hm:Host>www.meinvz.net</hm:Host> <Link rel="http://oexchange.org/spec/0.8/rel/resident-target" type="application/xrd+xml"
href="http://www.example.com/oexchange.xrd" > </Link> </XRD>

<?xml version='1.0' encoding='UTF-8'?> <XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"> <Subject>http://www.example.com/linkeater</Subject> <Property type="http://www.oexchange.org/spec/0.8/prop/vendor"> Examples Inc.</Property>
<Property type="http://www.oexchange.org/spec/0.8/prop/title"> A Link-Accepting Service</Property> <Link rel= "icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" /> <Link rel= "http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" /> </XRD>

http://search.npmjs.org/#/oexchange

Pretty cool so far!

... but your application probably is not frontend only...

Let's talk about Application architecture

Structure

Code and component re-use

Rapid Development

Large code-bases

Frameworks to the rescue

Most Web Frameworks are incomplete

webserver HTML browser JS

e duplication de duplication ode duplication code duplication code duplication
code duplication code duplication code duplication code duplication code duplication code duplication code duplication code duplication code duplication code duplicatio code duplicat code duplic code dup code du code cod co co

Mojito http://developer.yahoo.com/cocktails/mojito/

Meteor http://www.meteor.com

https://github.com/bashofmann/meteor_shoutbox_demo

What about existing applications?

Legacy Code

Incremental Refactoring

many roads

The next SoundCloud http://backstage.soundcloud.com/2012/06/building-the- next-soundcloud/

status quo

webserver loadbalancer pgsql memcached mongodb services

webserver

Large, Old Codebase

complicated routing

PHP templates

lazy DB queries in view

Duplication and only some Code re-use

We can do better

Components

Self contained

Can be addressed and rendered separately

Server JS Browser JSON HTML HTML

JS is part of the component

Share code between server and client

Templates, Validation, Entities,...

It needs to be fast

We called them Widgets

PHP Controller Mustache Template JavaScript view class Widget Providing data
Handling browser events Displaying data

Why no models in the frontend? http://backbonejs.org/#Model

Proﬁle Publications Publication Publication Publication AboutMe LeftColumn Image Instiution Menu

Remember: self contained

Do not fetch data directly

Sssssssslllloooooowww

Account Account Account Account Account Publication1 Publication2 Publication3

Require stuff

http://www.infoq.com/presentations/Evolution-of-Code- Design-at-Facebook/

The Preparer

Requirements

Resolver

EntityRequirement

Request Cache

Multi-GET

ServiceRequirement

Required / Optional

Hides storage speciﬁc logic from controllers

Widget Widget Widget Widget Preparer Resolver Resolver Services Connector Interfaces
Connector Implementations

Widget Widget Widget Widget Preparer Fetch Requirements Resolver Resolver Services
Connector Interfaces Connector Implementations

Connector Implementations Batch requirements and pass them to resolvers

Connector Implementations Call Services as effective as possible (Multi-GET,...)

Connector Implementations Attach fetched data to Requirements and pass them back to the preparer

Connector Implementations Distribute fetched data to the widgets that required it

Requirement doesn't need to be only data

WidgetRequirement

RequestDataRequirement

Data dependencies within a widget

=> Callbacks

CALLBACK CALLBACK CALLBACK

PHP 5.5 Generators https://wiki.php.net/rfc/generators

public function collect() { yield array( new EntityRequirement( 'account', Account::class,
array('accountId' => $this->requestContect->getAccountId()) ), ); yield array( new ServiceRequirement( 'scienceDisciplines', AccountService::class, 'getScienceDisciplines', array('account' => $this->account) ) ); }

Data dependencies between Widgets

Preﬁlls

Rendering

Templates

Mustache } http://mustache.github.com/

Helper Methods

• nl2br • truncate • pluralize • wordwrap • highlight
• ...

http://pecl.php.net/package/v8js V8js

JavaScript

WidgetViews

Loading widgets from JavaScript

Rendering callbacks

Beneﬁts

Enables developers to only focus on their components

Easier Refactoring

Error Handling

EXCEPTION

Proﬁle Publications Publication Publication Publication LeftColumn Image Instiution Menu

Testing

Bandit Algorithm http://untyped.com/untyping/2011/02/11/stop-ab-testing- and-make-out-like-a-bandit/

Caching of Components

<esi:include src="..." />

Faster UX

window.history.pushState

Conclusion?

Think about your architecture

Refactor and make it better continuously

Frontend and backend are part of the same application

Don't rewrite your whole codebase in one go

h"p://twi"er.com/Bas2anHofmann h"p://proﬁles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann h"p://speakerdeck.com/u/bas2anhofmann h"ps://github.com/bashofmann [email protected]

Workshop Advances Javascript

Workshop Advances Javascript

More Decks by Bastian Hofmann

Other Decks in Programming

Featured

Transcript