Figuring out the Goo.gl API

December 15, 2009 By in Google, Hacks, Mozilla 20 Comments

UPDATE: ‘Fatalis’ has pointed out in the comments that the POST should be made to http://goo.gl/api/url with User-agent set to ‘toolbar’. The code now works, Yay!

Google just announced their own URL shortening service. Their service can only be used from the toolbar or FeedBurner, and I don’t particularly like adding extra toolbars to my browser. Maybe I can figure out a way to use their service from the command line?

I downloaded the toolbar XPI, unzipped it and peeked inside. Horribly indented JS awaited me. Nothing jsbeautifier couldn’t fix though. Few minutes later, I arrived at this readable JS function:

var getUrlShorteningRequestParams = function (b) {
    function c() {
        for (var l = 0, m = 0; m  0 ? l : l + 4294967296);
        for (var o = 0, n = false, p = m.length - 1; p >= 0; --p) {
            var q = Number(m.charAt(p));
            if (n) {
                q *= 2;
                o += Math.floor(q / 10) + q % 10
            } else o += q;
            n = !n
        }
        m = m = o % 10;
        o = 0;
        if (m != 0) {
            o = 10 - m;
            if (l.length % 2 == 1) {
                if (o % 2 == 1) o += 9;
                o /= 2
            }
        }
        m = String(o);
        m += l;
        return l = m
    }
    function e(l) {
        for (var m = 5381, o = 0; o < l.length; o++)
            m = c(m << 5, m, l.charCodeAt(o));
        return m
    }
    function f(l) {
        for (var m = 0, o = 0; o < l.length; o++)
            m = c(l.charCodeAt(o), m << 6, m << 16, -m);
        return m
    }

    var i = e(b);
    i = i >> 2 & 1073741823;
    i = i >> 4 & 67108800 | i & 63;
    i = i >> 4 & 4193280 | i & 1023;
    i = i >> 4 & 245760 | i & 16383;

    var h = f(b);
    var k = (i >> 2 & 15) << 4 | h & 15;
    k |= (i >> 6 & 15) << 12 | (h >> 8 & 15) << 8;
    k |= (i >> 10 & 15) << 20 | (h >> 16 & 15) << 16;
    k |= (i >> 14 & 15) << 28 | (h >> 24 & 15) << 24;
    j = "7" + d(k);

    i = "user=toolbar@google.com&url=";
    i += encodeURIComponent(b);
    i += "&auth_token=";
    i += j;
    return i
};

So, I call getUrlShorteningRequestParams("http://www.kix.in/"); to get "user=toolbar@google.com&url=http%3A%2F%2Fwww.kix.in%2F&auth_token=78925814685". I see in their code that they do a POST request to the service to obtain a JSON return value that would contain the short URL. I punch it in using cURL:

$ curl -v -d\
   "user=toolbar@google.com&url=http%3A%2F%2Fwww.kix.in%2F&;\
   auth_token=78925814685" http://goo.gl/
* About to connect() to goo.gl port 80 (#0)
*   Trying 74.125.19.102... connected
* Connected to goo.gl (74.125.19.102) port 80 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-apple-darwin10.2.0) libcurl/7.19.7
> Host: goo.gl
> Accept: */*
> Content-Length: 77
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 405 HTTP method POST is not supported by this URL

Oops! Well, not really, the URL shortener from the toolbar doesn’t work either, I just get the full URL whenever I try to “share” something. Has anybody actually generated a real goo.gl short URL yet?

Their auth_token parameter seems completely superfluous to me as it is generated from the URL itself. Don’t we all know security by obscurity doesn’t work :)

About these ads

20 Responses

  2. Dan, that’s a good guess. However, it doesn’t check out. No matter what the URL (and no matter whether you use curl, wget, or the toolbar) you get the 405 POST not allowed response and thus no short URL.

    Reply

  7. Just wanted to know I submitted a bug email, and they replied and acknowledged the problem. They say they’re going to put out a new version of the toolbar, which means they’ve elected to change the client code rather than (or in addition to) the server. It will be interesting to see if they delve further into the security through obscurity realm. Alternatively, they may just bow to the inevitable and release a simple public API.

    Reply

  8. This is what you need to do:

    curl -A “toolbar” -v -d “&user=toolbar@google.com&url=http%3a%2f%2fwww.bing.com%2fsearch%3fq%3dtest%26FORM%3dMSNH11%26qs%3dn&auth_token=71875998484″ http://goo.gl/api/url

    However, the auth_token that gets generated by the javascript in toolbar.js is wrong. I think they released it with a bug. Have tried on mac and on windows.

    Reply

  9. Pingback: » Figuring out the Goo.gl API h… Thej Live

  10. One of your simplifications to the (deliberately) unreadable function breaks it:

    d(l) in the original starts with:

    function d(l){l=l=String(l>0?l:l+4294967296);var m;m=l;

    Beautified this is:

    function d(l) {
    l = l = String(l > 0 ? l : l + 4294967296);
    var m;
    m = l;

    You have above:

    function d(l) {
    var m = String(l > 0 ? l : l + 4294967296);

    You never reset l, but it is used later in d. This took me a while to figure out, because it only matters on certain URLs, and sometimes only slightly changes the token (but close only counts in horse-shoes and hand-grenades). I recommend:

    function d(l) {
    var m;
    m = l = String(l > 0 ? l : l + 4294967296);

    Reply

  14. Pingback: Figure out Google URL shortener – goo.gl « Android's Avatar

  15. Pingback: goo.gl URL Shortener Bookmarklet via YQL

  19. Pingback: Como integrar Goo.gl en tu web en 5 minutos | Timersys - Tutoriales, recursos web, JQuery y PHP, Wordpress , twitter y muchos recursos más

  20. Pingback: NewsGrange » Google’s Superfast URL Shortener Gets an API: Coming to an App Near You Soon

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.