Our new tool finds “hidden” WordPress pages exposed by just released WP REST API

In December WordPress 4.7 was released. The most cool part of this release was the inclusion of the WordPress REST API. In development for quite some time it was finally included in core.

The WordPress REST API is great for developers because it makes it very easy to get all pages, posts and users from a WordPress site and use them in any way they want, using JavaScript or PHP or basically any programming language.

Did we say all pages? Yup, that’s right. All Most of your posts, pages and users are exposed to the public with this API. That includes pages that have no public links to them and pages that are not available in any menus on your website.

So some of the WP devs here at Earth People got curious about the API and what exposed stuff we could find on those websites on the internet that had updated to 4.7. We figured that an easy way to test this was to create a Google Chrome extension.

Hello there WP Content Discovery Chrome Extension

So we made the the extension and we called it WP Content Discovery.

Here’s how it works:
It adds an icon to your chrome toolbar. By default it only displays the letter “w” as in WordPress. When you visit a WordPress powered website and it detects the API is lightens up and displays “API” in blue.

The extension icon in action. On the first site no API is detected. On the second site the API is detected and the icon shows a blue API text.

Now the fun starts: click the icon to get get a list of pages, posts and users on that website!

Here is an example from the website of admin activity logger Simple History:

Here we can see that the extension indeed did find some pages on the website we tried it on…

Please try the extension. And please let us know what you think here in the comments!

One last thing… the API may freak some people out…

Even if all the data that you can get publicly from the REST API is already available somewhere in WordPress, it does freak some people out that it actually is possible to get the content so easily.

It is however pretty easy to disable the API if you find it to scary.

 

Making a silly game using Google Cloud Vision and Instagram

I was recently invited to the first alpha release of Google Cloud Vision, which is a game changing new API from Google. I can programmatically upload any picture and get this kind of stuff back:

  • Face detection, with pixel annotations of the corner of the mouth etc, plus unexpected values like sorrowLikelihood
  • Landmark detection, with LatLon polygon boundaries to real world landmarks
  • Logo detection
  • Text detection
  • Safe search detection, which can detect medical, nude and violent content

I wanted to dig right in, and decided to build a really silly little game. I call it Game Of Cats, and has nothing to do with Game of Thrones at all.

A user logs in using their Instagram credentials. My game engine starts polling all recent pictures from the people the user follows, and awards a point for every cat picture that occurs. The game goes on forever, without any interaction.

Screenshot 2015-12-08 22.35.28

I won’t bore you with details about how Instagram handles OAUTH, but you might be interested in how Google Cloud Vision wants to talk to an app like this? I built this quick and dirty as it should be, in PHP.

I would love to have the energy to build a WordPress plugin that adds a taxonomy to the media library, and automatically tags all uploaded images using Google Cloud Vision, but I don’t. Someone else will, and they write better code than I do anyway.

/Peder

Note: I can’t post the URL to the actual game, yet. The alpha’s terms and conditions prohibits me from deploying to production.

 

Hooking up the voice intercom to Slack

The intercom from the street to our office was connected to an old GSM phone, and letting people in required us to pick up the phone and press the digit 5. Simple, sure, but it doesn’t feel like 2015. I had also been meaning to try the Twilio API for some time.

Task: Connect the Intercom to Slack.

The Twilio API is great, so it was actually really easy to accomplish. I bought a local number and asked our landlord to forward the Intercom to it. Then I set up this simple TwiML script on a web server:

<Response>
  <Say>Welcome to Earth People. Please stand by.</Say>
  <Enqueue waitUrl="http://x.urtp.pl/slack/service_porttelefon_wait.php"> </Enqueue>
</Response>

What happens here is that Twilio will pick up the call and greet the intercom user using Twilio’s text to speech service. It will then put the “call” into a new phone queue. Twilio will generate a phone queue id and pass it via POST to the waitUrl, below:

<?php
header("content-type: text/xml");
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
file_put_contents('input_porttelefon.txt', $_POST['QueueSid']);
# curl post to slack
$data = array(
  "channel" => "#general",
  "username" => "Intercom",
  "text" => "Meep Meep! Open the door with 'Intercom'",
  "icon_emoji" => ":door:"
);
$url_send = "https://hooks.slack.com/services/xxx/xxx/xxx";
$str_data = json_encode($data);
$ch = curl_init($url_send);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $str_data);
curl_exec($ch);
curl_close($ch);
?>
<Response>
  <Play>http://x.urtp.pl/slack/DrOctagon_EarthPeople.mp3</Play>
</Response>

The waitUrl will save the phone queue id to a text file, make an incoming webhook to Slack and of course play a funky tune to the intercom user. Now Twilio will play the funky tune until it ends, or an incoming HTTP-request is made to the Twilio REST API, using the queue id.

Slack is set up to make an outgoing webhook to a URL. This URL just pops the only call in the queue to the front of the queue.

<?php
# when incoming hook: read call sid from file and call twilio.
$QueueSid = file_get_contents('input_porttelefon.txt');
if(strlen($QueueSid)>2){
  require_once('TwilioPHP/Twilio.php');
  $sid = "xxx";
  $token = "xxx";
  $client = new Services_Twilio($sid, $token);
  $member = $client->account->queues->get($QueueSid)->members->get("Front");
  $member->update(array(
    "Url" => "http://x.urtp.pl/slack/service_porttelefon_dtmf.xml",
    "Method" => "GET"
  ));
  file_put_contents('input_porttelefon.txt', '');
  echo '{"text": "Ok, opened."}';
}else{
  echo '{"text": "No one is at the door."}';
}

The last step is to have Twilio play the sound of the digit 5, which opens the door, using the same kind of XML as step 1. Easy!

Next up is to let intercom users, which we don’t let in for some reason, leave a voice message which is posted to Slack. Totally doable, but not we’re quite there yet.

/Peder

Integrera Swish i egna tjänster

I’ll write this in Swedish because it only applies to Swedes.

Swish är ju en väldigt lyckad tjänst. Den har, liksom t.ex. Uber, förändrat ett beteende. Över 2 millioner svenskar använder appen. Självklart borde man göra något smart på Internet med detta, nu när nästan hela Sverige har appen i fickan. Dock har Swish inget publikt API, vilket förmodligen är anledningen till att det inte hänt så mycket ännu.

Det man vill uppnå är att låta en egen tjänst/kampanj/server veta när en viss användare skickat pengar till ett visst Swishanslutet nummer. Och genom att använda lite tveksamma metoder gick det vägen.

Koden är alldeles för risig för att dela med sig av, men ett första proof of concept funkar. Här t.ex. skickar min vän Bruno 1 krona:

foto_2015-01-07_10_41_12

…och här tar jag emot den på vår utvecklingsserver:

apidump

Känns såklart lite olustigt att haxa fulkod mot sina egna banktjänster, men det kändes viktigt att komma i mål. Får se vad det blir för projekt av detta, men kul att det går iaf. Puss.

/peder

 

Let Slack nag you that it’s time to return that commuter pass

Another week, and yet another Slack integration here at Earth People.

This time we’ve added an integration to the public transport system here in Stockholm.

At Earth People we like to use public transportation when going to meetings with clients. That’s why we have bought a couple of commuter passes that we can use whenever we need to go to a meeting.

It works great. But there is one problem however: we only have a few cards, so when you return from the meeting you must remember to return the card so others can use it. And that’s were our latest integration comes into play:

Screenshot showing a message posted to a slack channel, with the date and time of a journey Yup, shortly after the card has been used, a message from the card will appear in our slack channel. That works pretty good as a reminder.

And as a plus feature it also shows how much cash that is left on the card, so we will also know when it’s time to refill the card.

There you have it: another super useful integration for Slack.

Oh! And thanks to mysl for their API-wrapper for “Mitt SL”, that led us into the right direction when researching the API.