2017-09-02

Note: Last time I did web development was in 2010 or thereabouts. At the time I was up to my ass in JSP, servlets, beans, rice, J2EE, jQuery, etc. So I’ve been out of the game for a bit. I certainly hope that I’m missing something. Some sort of piece of underlying logic that ties all of the nonsense together and converts it from “uhmmm this is kind of bulshit” to “oh ok that makes perfect sense”.

Revision C of the board has been received and I have been working on populating it. Despite fixes to the previous oopsies the only new thing is input and output protection. I have added diodes to the digital outputs, diodes to the analog power supply outputs, a TVS diode to the power input, which by being single-directional gives me reverse polarity protection as a happy little bonus, and I have replaced the BAT41 clamping diodes on the analog inputs with diode arrays that give me over AND under voltage protection. Fancy schmancy.

Since I forgot one crucial part, the MIC5013 driver IC, which is positioned in such a way that I need to solder it in before the rest of the board is populated, I decided to do some house keeping work. This consisted mostly of cleaning up the schematic and cleaning up/updating/verifying the BOM. Saturday morning was spent switching between virtual desktops between KiCad, two instances of LibreOffice Calc, a terminal window, and about a million web browser tabs. That sucks and was way slower than I liked so I decided that I need to automate some of it. Specifically, I want to take the generated BOM and run it through a script that will:

1. Verify stock, and if needed lookup direct substitutes.
2. Verify footprint in the schematic with the footprint of the component based on part number.
3. Calculate BOM cost based on quantity-one and the next price break quantity. Not that I’m going into full scale production, but the passives get a massive price break if bought in quantity even if it’s a small quantity of 100.
4. Compare the BOM with my inventory and tell me what I need to order.

Simple stuff. Since I am a Digi-Key fanboy it seemed a natural fit that I would use their APIs. My mental model of the setup was something along the lines of:

1. Call remote procedure supplying login and password in exchange for some sort of session ID.
2. Use that session ID for all subsequent API invocations.
3. Roll that into a Python script.

How naive Vic was.

• Go to https://api-portal.digikey.com. Seems perfectly normal to have to log in. Oh the login name/password is not the same as the one I buy stuff with. Well that’s irritating.
• Create an “app”. This will be a local script thing so I guess I don’t need a redirect URL.
• Wrong. You need a redirect URL. As punishment we’ve cleared all of the other, valid fields, on the form.
• Put in http://localhost as a URL. Hit go.
• Wrong. The redirect URL must use the https protocol. For being such a stupid we’ve cleared all of the other fields for you again.
• Finally have an app setup. Need to note some sort of “client secret” that will only be displayed ONCE. Never again. Just ONCE during the CREATION of the app. Guess I better save that in a text file somewhere. The client ID is plain text though? So I’m guess the “client secret” is a password type thing? Whatever it is it’s some super secret squirrel stuff for sure. It must be the magic that makes everything work.
• I have to “subscribe” to an API for the “app”? Okey dokey. There is only one option. Seems that would just be the default. Whatever.
• Oh look, finally some sunshine. API documentation with a button to test it out in the browser right next to the documentation. What a great idea!

401 Unauthorized
content-type: application/json
{
"httpCode": "401",
"httpMessage": "Unauthorized",
"moreInformation": "Access Token validation failed. The token provided was invalid or expired."
}

This is starting to get old.

• Do I put some magic shit into the ‘Authorization’ field I guess? I mean I’m already logged into all of my accounts. Shouldn’t that do something for me?
• None of the magic shit I have is the right magic shit. Need to brew up some more, different, magic shit.
• Concoct a magic URL based magic strings and enter that into the address field of the browser.
• Login using a Digi-Key account that I buy stuff with.
• “Authorize” my fake testing app.
• This is from the documentation, I shit you not: fish out a response header value from the above step using dev tools in the browser.
• Surely this magic string is the magic bean that will grow the stalk that will allow me to climb into THE CLOUD. Yeah you’d think so.
• Concoct another magic string and pass that as a parameter to cURL that spits out a JSON bit with YET ANOTHER SET OF MAGIC STRINGS.
• So THIS is the magic string that will make all of the other magic work

400 Bad Request
content-type: text/plain; charset=utf-8
x-global-transaction-id: 58e41a6559ab54ec0199faf1
x-ratelimit-limit: name=rate-limit-1,1000;
x-ratelimit-remaining: name=rate-limit-1,994;

ARE YOU FUCKING KIDDING ME?!

So to recap:

1. I had to create a whole separate account (that’s two magic strings: login name and password).
2. Then I had to create two more magic strings. One of them so secret that I can never ever be allowed to see it again. We’re up to four magic strings.
3. I then have to jump through flaming hoops, while creating intermediate temporary magic strings, in order to get yet another magic string. We’re up to five magic strings.
4. I then have to use that latest magic string in order to get one last one magic string that makes everything happen.
5. In addition to the final magic string there is also a secondary magic string that I can use to keep the previous magic string valid so that I don’t have to jump through as many hoops when I want to use the magic string.
6. Using the secondary magic string does change the final magic string to a different value. Why? Because fuck you, that’s why.

I have lost the number of magic strings in play here since I lost all my toes in the great war. This must be a new security paradigm – security through annoyance. Why not just replace all those magic strings with one very long magic string? Because unless you’re creating a dozen requests to get a simple thing done that’s not webscale.