This week on Herding Code, the guys talk to John Sheehan about the recent launch of his new API developer tools company, Runscope.

Download / Listen:

Herding Code 168: John Sheehan on Runscope

Show Notes:

• Intro
  • (00:30) "What is Runscope and why should I care?"
  • (00:55) Runscope is the ultimate API integrator developer’s toolbox. It helps you solve the problems you encounter in dealing with API’s from a consumption standpoint. It takes invisible API traffic and makes it visible, then helping you do all sorts of things with it: debugging, sharing, retry a request from the website, testing features like response playback without hitting the API, webhook debugging, etc. When you rely on an API, you’re not just taking on a service dependency – it’s code code that’s running on someone else’s service, and you should treat it like it’s code that’s under your control. You should apply the same testing rigor and should have the same debugging facilities.
  • (03:25) Jon asks about the launch. Anyone can try it out now at runscope.com. John talks about the internal preview (shoutout to Kevin Dente, the first beta tester) and the launch at GlueCon and press at TechCrunch and TheNextWeb.
• (04:35) Overview of features:
  • Traffic Inspector
    • (04:55) In your code, instead of calling an API directly, you create a Runscope URL by including a Runscope bucket key and replacing dots with dashes. Essentially you’re pointing your API calls at Runscope, which then extracts the hostname and makes the API request for you. A lot of other tools require you to change your API calls by modifying your authentication, adding parameters, etc. Runscope doesn’t require any changes outside of the hostname, and all of your original headers and request parameters stay intact. This means you can just flip it on by changing your hostname and turn it off when done. You can then view all your requests in the Runscope website, filter to only show errors, All your requests show up in
    • (07:45) Scott says this is essentially a reverse proxy. John agrees that’s technically correct, but they avoid the term because they’re doing a lot more.
    • (08:13) Scott asks if Runscope adds headers to allow filtering or other things. John says the only modification they make is to add a Runscope message id header to allow lookup. They’re thinking of some things in the future like caching credentials to apply to a lot of requests and other features that benefit performance, security, etc.
    • (09:27) Jon asks about the security concerns, as Runscope is kind of like a man in the middle. John says they’re very concerned with security, and points to https://www.runscope.com/docs/security for a lot more information about their security practices. They’re looking at future things like encrypted storage, and currently if you make an SSL request to Runscope they will forward it over SSL to the API provider.
    • (11:45) Jon asks about cases like multi-legged auth. John says everything just flows through Runscope, with one exception – if a response comes back with a location header then Runscope will modify the location to a Runscope url so if the client follows it it’ll be captured.
    • (12:40) Scott asks about how geolocation works, since Runscope is making the request from a different location. John says that currently they’re making requests from US East Coast, but in the future they want to allow requests from specific geographic areas.
    • (14:10) Scott asks about a current app he’s working on which requires a custom certificate to connect to an API and asks if that would be supported. John says that they’re looking at both support for custom certificates as well as on -premises installations to support those scenarios.
    • (15:35) Scott asks about support for non-standard ports. John says they support that using a Runscope request port header.
  • Request Editor
    • (16:09) Jon asks about the Request Editor. John explains that they really wanted to make it possible to edit and create requests as easily as any other code. Their original inspiration was the hurl.it site. Jon interjects that he loves using hurl.it to see where shortened or dodgy urls will take him before clicking on them. John says they’ve taken the idea of hurl.it and really filled it out to include storage, advanced editing, etc. They also built in some helpers for basic auth, digest authentication, OAuth 1, OAuth 2 token generators, etc.
    • (19:45) Scott asks if they’ve looked at integrating OWASP tests to run some automated security inspection for things like SQL injection, XSS, redirect attacks, etc. John says he’d like to let people create collections and share them with others.
  • Shared Requests
    • (21:11) Jon says that when he was testing during the beta and hit a question, John just had him share the request with him. John says that he really wanted that feature when he was at Twilio, and they currently use it all the time internally.
    • (22:39) Jon asks if there’s a way to download or otherwise privately share a request. John says the best way to do that now is use team account, which allows for privately share requests within the team. They’re also looking at allowing redacting some fields in shared requests, so you can share a request without revealing your password or other sensitive information.
  • Passageway
    • (22:48) Passageway was based on the localtunnel project. It installs an agent on your local machine which forwards requests to a specific port to Runscope, and Runscope then creates a public URL. You can use Passageway to show off code running on your local machine, but you can also use it for debugging webhooks and testing API’s used in a mobile application (by pointing it at the public Runscope URL). Scott says he sees this as being useful in a continuous integration environment, and John says that a current customer is already doing this.
    • (27:33) Jon asks about the installation via pip, and John explains how pip relates to other package managers. They plan to provider other installers, and later the agent will do more than just Passageway – right now it also supports automatically creating Runscope urls for requests.
    • (29:27) Jon says that Passageway is the first place on the site where he sees something about paid accounts and asks John how they’re going to get rich. John says there are three reasons (access to passageway, team sharing and volume) to upgrade from a free account to a starter or team account. Jon asks about the naming of the starter account, and John says that naming and pricing are really hard. Scott offers some advice on enterprise friendly pricing.
• Starting a business
  • (32:47) Jon asks about the experience of moving from being a developer to founding a company. John says he’s started several small companies, and writing software has always been a way to solve problems for businesses. He tells his recent job history at Twilio and IFFT and how he and his co-founder Frank got really fed up with the lack of good API developer tools and how they got started, funded, and launched. Getting funded was both a finish line and a starting line.
  • (41:33) Scott and Jon talk about positive response they saw to the GlueCon launch: John spent the majority of the time describing the problem, then unveiled the solution. Scott compares John to Steve Jobs.
• What’s next
  • (43:05) Jon asks what’s next. John says they’re first focusing on dev-time troubleshooting. Next they’ll be focused on production use, especially high volume use cases. Long term they’re thinking about mitigating problems – handling or proactively monitoring for problems.
• Python
  • (45:14) Jon asks about John’s experiences building Runscope in Python and how he compares it to .NET. John says he’s really come around to significant whitespace and standard
  • (46:59) Scott asks if John’s noticed that there are fewer ways to solve a problem, as opposed to C# or JavaScript. John says that’s true for the most part. He comments on how he likes the small libraries and ecosystem.
• Runscope vs. other network tools like Fiddler and Wireshark
  • (49:19) Scott asks why you’d use Runscope rather than use things like Fiddler, Wireshark, etc. John explains proxies and applications modify the way the application works and doesn’t work well on servers – it’s cloud-native. It’s also social – sharing is built in. Thirdly, it’s not a desktop application.
  • (52:30) John says he’d like to write a Fiddler plugin to make the two work well together. Scott says that there’s one advantage to desktop applications – it can interact directly with the network stack. John agrees that developers need tools that work at all layers of the stack. Scott recounts a harrowing tale in which Fiddler had to be installed on a server for an application to work.
  • (55:20) Jon says he was wondering about integrating with Glimpse but that would require an API – does Runscope have an API? John says one’s on the way soon.
• Lightning Round inspired by John’s Traffic and Weather podcast (with Steve Marx)
  • (57:00) Jon says he’s really been enjoying the Traffic and Weather podcast, and the John and Steve have convinced him that API’s really can be interesting.
  • (57:50) JSON API – what is it, and is it good?
  • (59:34) What are webhooks, and why have you been talking about them?
  • (1:01:52) Should we stop writing REST SDK clients?
  • (1:04:29) Where is API security going? Is it OAuth 2 from here on out?
  • (1:05:21) Eric Williams (@motowilliams) asks "Ping Pong or Foosball? #gooooooaaaaaallll"
  • (1:06:17) Where are you speaking next (answer: API Days and API World, both in San Francisco)
  • (1:07:32) Do you support the HTTP 418 teapot response?

Show Links:

• John Sheehan (@johnsheehan, http://john-sheehan.com/)
• Runscope
• TechCrunch: Runscope Lands $1.1M From True Ventures And Andreessen Horowitz For Tools That Address The Broken API Plague
• TheNextWeb: Runscope raises $1.1m to help developers that rely on 3rd-party APIs
• localtunnel
• hurl.it
• Traffic and Weather podcast
• JSON API
• Zapier (REST hooks discussion on Traffic and Weather ep 11)
• Hyper Text Coffee Pot Control Protocol and the HTTP 418 (I’m a teapot) response

This week on Herding Code, the guys talk to Tomasz Janczuk about running .NET code in Node.js using Edge.js.

Download / Listen:

Herding Code 166: Tomasz Janczuk on Edge.js

Show Notes:

• Intro and background on Edge.js
• (00:40) Tomasz has been focusing on Node.js at Microsoft for the past 3 years. He’s been working on making Node.js run well on Windows. He’s also worked on hosting Node.js on Windows Azure with IISNode.
• (02:08) Jon asks about Edge.js’s original name, Owin. Tomasz explains how that made sense with the original scope – connect middleware and express handlers – but it’s grown since then so it needed a more generic name.
• (02:45) Edge.js lets you run Node.js and .NET code in one process and provides interop mechanisms between the two.
• (03:05) Jon asks why that’s useful. Tomasz says you can do pretty much anything in either Node.js or .NET, but some things work a lot better on one platform. He gives examples like using ADO.NET to connect to SQL Server and running CPU bound computations as multi-threaded .NET code from the single-threaded Node.js event loop. There are two classes of scenarios: things that work better on one platform, or writing native extensions to Node.js without having to drop all the way down to raw C and native OS mechanisms.
• (06:11) Jon brings up two questions from Twitter about Mono support (Jason Denizac @_jden "when’s mono support coming?" and Kevin Swiber "Mono support? Can we do legit Node modules in C#? Are grilled hotdogs really better than boiled?" Tomasz says not yet, but it’s high on the list. There are some complications to implement that support since Edge.js uses C++ CLI, which isn’t available on Mono.
• Getting started and samples
• (07:57) Jon asks what’s involved in setting it up. He says he ran npm install edge, then npm install edge-cs. Tomasz explains why he didn’t need to install edge-cs – C# support is built in, other language support plugs in.
• (08:43) Jon asks about the samples. Tomasz explains the different ways of integrating CLR code into Node.js and talks about how the samples show these approaches.
• (10:36) Jon says he liked how the samples progressed from very basic to pretty complex. Tomasz says you can do just about anything in Edge.js, but there’s a specific interface you need to follow in order to work smoothly between the Node.js async model and many synchronous operations in .NET. Every function in Edge.js uses an async function delegate, so you end up using small wrapper functions in some cases.
• Marshalling and interop
• (13:08) Kevin says this reminds him of COM / .NET interop and issues with object lifetime, garbage collection, etc. Tomasz says that that the async function delegate solves the threading models. Object lifetimes are controlled because everything is marshalled by value.
• (16:22) Kevin asks if the marshal by value prevents working directly with the CLR object. Tomasz says that you can handle this using function proxies to create closures over CLR states.
• (17:45) Scott K. asks if structs eliminate the serialiazation issues. Tomasz clarifies that the marshalling process is reflecting over the objects in .NET and recreating a synonymous JavaScript. Scott says this sounds like thunking from days of old.
• (19:27) Jon says that he saw one sample that allows for debugging inline .NET code in a JavaScript file. Tomasz explains that this is done using the codedom compiler to create an in-memory assembly with debugging information, which can be attached to from Visual Studio.
• (21:25) Jon says he thinks this sounds useful for using a NuGet package in a Node.js application and asks if there’s support for pulling in a NuGet package. Tomasz says that at this point it’s up to you how you’d get the assembly downloaded and set up, but that there’s an open issue to get script-cs integration going and that would handle this.
• Overhead and performance
• (23:06) Jon asks about the overhead of running two virtual machines and marshalling. Tomasz says there is some overhead, but it’s better than running two different processes. Edge.js is built for solving some specific scenarios, and it’s fast in those
• (24:55) Kevin asks if there’s a delay when Edge.js spins up. Tomasz says that happens when you require Edge, but it’s not really noticeable.
• Misc questions
• (25:55) Jon asks what was the hardest part of implementing Edge.js. Tomasz says the function proxies to handle lifetimes and reconciling threading models.
• (27:45) Scott says this sounds useful for authentication or using a legacy .NET library. Tomasz lists several more.
• (29:20) Kevin asks how exceptions are handled. Tomasz explains how the exceptions are marshalled and thrown across VM boundaries.
• (30:15) Kevin asks if it’s tied to specific Node.js versions. Tomasz says it works on all current stable versions.
• (31:30) Question from Twitter: @jeremydmiller "I’ve seen a lot of samples of hosting . Net in node, but how about running node in a .net process?" Tomasz talks about an open issue, Mission Double Edge which would handle that. He explains that the challenge is that Node.js doesn’t have a hosting model.
• (33:20) Jon says he saw several of the samples had the C# script named with .CSX extension and asks about that. Tomasz says that this is partly done to follow Roslyn conventions, including specifying assemblies as references in code using #r.
• Future plans and next steps for listeners
• (34:25) Jon asks what’s planned going forward. Tomasz talks about Mono support and adding support for additional languages, including F# (note: this has been added http://tjanczuk.github.io/edge/#/3) . Jon asks what’s involved in adding language support.
• (36:30) Jon asks about the relationship with OWIN. Tomasz says there’s a separate module which allows you to plug any OWIN compatible .NET application and plug it into an Express.js pipeline. Jon says this reminds him of the Edge name and Tomasz explains that the idea is that mathematically an edge connects two nodes, so Edge.js connects differe.
• (38:25) Jon asks about next steps for people to get started.
• (38:55) Jon asks if this is a Microsoft project. Tomasz says it’s his own separate open source project that’s inspired by his day job, and this allows him some more flexibility to work with the community. He lists some of the community contributions they’ve seen so far.

Show Links:

• Tomasz Janczuk (@tjanczuk, blog)
• Official Edge.js site: http://tjanczuk.github.io/edge/#/
• Edge.js on GitHub: https://github.com/tjanczuk/edge

This week on Herding Code, the guys talk to Louis DeJardin about OWIN – the Open Web Interface for .NET – and Katana, an open source OWIN implementation for ASP.NET and IIS.

Download / Listen:

Herding Code 164: OWIN and Katana with Louis DeJardin

Show Notes:

• Intro
• (00:44) Scott and Louis explain what OWIN is.
• (01:33) Louis explains the difference between OWIN (the community standard) and Katana (actual bits – an implementation of the OWIN standard for ASP.NET).
• (03:18) Jon asks if this is similar to the distinction between HTTP / HTML standards and browser implementations. Louis explains what’s required for an implementer to participate in a request. Each request calls a simple func with an IDictionary<string> which returns a task.
• The killer app: middleware
• (04:54) Scott talks about how the pipeline might not sound like much, but it can support a lot of really useful middleware scenarios like static caching and domain splitting – especially in a way that’s common across frameworks.
• (06:05) Louis talks about the challenge they’ve had in describing the benefit of OWIN in non-academic terms, and that it’s not until you want to apply cross-framework concerns like authentication that OWIN really shines.
• (07:52) Scott says that previously these kinds of concerns – logging, etc. – were wrapped up in System.Web, and they had performance implications regardless of whether you used them. The pipeline model lets you avoid those hits unless you explicitly want the features.
• (10:03) Scott mentions some of the frameworks which have implemented OWIN, including NancyFx, Fubu, ServiceStack.
• (10:50) Kevin says that the current implementation examples are full web frameworks rather than middleware. Louis says that probably because ASP.NET and IIS already had pipeline implementations so there’s less of a forcing function than there was with Node and Ruby. Scott says that since the current implementations already have full stacks, there’s less need to plug in modular solutions. Jon says he thinks that the late arrival of NuGet and other open modular systems like this mean it’ll take a while to get traction.
• (14:40) Louis says we’ll need a killer app, and HttpListener hosting alone isn’t that. Jon asks if you’d host Katana under IIS to manage the process. Louis says yes, and until there are other hosts than IIS he doesn’t see the hosting as a big draw – he thinks auth is probably it.
• 1640 Scott says he could see auth frameworks and scaling middleware. Louis says that David Fowler updated JabbR to run on OWIN, and was able to move some of the scale pieces into OWIN middleware.
• (18:25) Jon asks if he can take an existing ASP.NET application to start taking advantage of middleware without rewriting the application. Louis says that if you add the Microsoft.Owin.Host.SystemWeb NuGet package, you can put an OWIN pipeline on the route table. You can also use an IHttpHandler to plug in middleware. They’re looking at third option – an integrated pipeline module which will delegate to the application if an OWIN handler doesn’t pick it up.
• (22:22) Jon asks Louis has some other ideas for middleware, and Louis lists several (static file handlers, authentication, etc.) and points to Rack and Node as examples. He lists another example – anti-bot  protection that returns an HTTP 200 for a URL pattern.
• (23:50) Jon asks if it’s possible to plug things in at runtime. Louis talks about the Startup class – it’s a POCO class so you can easily work with it via IoC, plug things in whenever – it’s just code.
• (25:05) Scott says he looked at implementing URL rewriting in middleware. Louis explains how this works perfectly with the pipeline and describes how you could also use this to monitor 404s.
• (26:45) Scott says hosters could implement middleware to set ETAGS, enforce things, etc.
• (27:40) Louis explains why it’s really powerful to have middleware that’s not coupled to a specific implementation like ASP.NET MVC.
• (28:35) Jon asks if it’s possible that some of this middleware could run on hardware. Louis says it is, and gives an example with a reverse proxy.
• (29:57) Scott talks about breaking middleware into application and networking uses and talks of some optimizations that could be done in middleware.
• Next
• (31:48) Scott asks where we go from here – are done? What’s the next goal? Louis says the current 1.0 version of Katana has IIS hosting; the 1.1 version will add production grade HttpListener and self host story, and after that it’s about supporting emerging standards and looking for synergies. Louis says documentation would be nice, but Scott says that the model is so simple that there’s not a lot to document.
• (34:50) Scott and Louis talk about how this will affect the ecosystem in general, with an example of how smoothly the SignalR implementation worked.
• (35:25) Jon asks about the future for hosters like Azure, AppHarbor, etc. Louis talks about an example for  supporting zip file based deployment, Mono hosting.
• Getting involved
• (37:05) Louis talks about what’s available in the Katana Project, including sample code and pre-release packages. The Google Group – net-http-abstractions – is the best place to discus OWIN.
• (38:15) Jon asks if the Katana project takes pull requests. Louis says it’s run under the MS Open Tech organization and is clear to take pull requests from developers who have signed a contributor license agreement. Jon asks for areas where they’d like help. Scott says he’d like to see lots of middleware; Louis he’d love to see an OWIN Contrib project emerge.
• Questions from Twitter
  • (41:05) Sean Massa (@endangeredmassa): Is it possible to use the DLR?
  • (41:45) Eric Hexter (@ehexter): what do MVC and Web Forms look like on OWIN. Louis says there are two exciting things there – you can have an Owin pipeline running in front of your application, or you can use self hosting to put an application inside of your own process (not supported but fun!).

Show Links:

• Louis DeJardin (@loudej, blog)
• OWIN – Open Web Interface for .NET
• Katana Project on CodePlex
• Google Group: .NET HTTP Abstractions
• NuGet package: Microsoft.Owin.Host.SystemWeb
• GitHub: ServiceStack.Owin
• NuGet: Nancy.Hosting.Owin
• NuGet: FubuMVC.Katana
• Herding Code 60: Spark View Engine with Louis DeJardin