Validating a manually written import file

[kjurl]

Firstly, thanks to the dev for this awesome app.

Objective

I am planning a pretty advanced flow, where I can commit the desired shortcuts.json (not as is- maybe some code that generates one) file and then the app on my phone pulls the file from the server through the automatic import feature.

Process

Working back from the solution to the initial steps:

1. The app already has an auto-import feature: wherein you can have a server serve a zip file (with a shortcuts.json inside with properties like: version, categories and variables). Question: Is there a predefined schema for the shortcuts.json
2. I now need a shortcuts.json file: most of my shortcuts use the custom scripting feature, so writing them on pc, then pulling them on phone, then exporting them back to my website-project, commiting to git, then deoploying; is quite cumbersome to say the least.
3. I'd rather have some way (I have no problem exporting once, reading the exported-shortcuts.json file and understanding what each property is for) where I can edit the json properties (via- code or manually) and then construct the shorcuts.json file, and somehow validating the file through a schema of sorts so I know before hand if there is a problem with the file somewhere.

Question: If I go with this approach, is there a way to obfuscate (encode is a better word) some of my session tokens used by requests, so it isn't readable by all?
Question: Can the webeditor export a json file?

Hey, I tried my best explaining my problem and am willing to answer more questions about the issue. Cheers <3

[Waboodoo]

Question: Is there a predefined schema for the shortcuts.json

There is no official documentation or schema for this. The format is designed be hackable and reverse-engineerable though. I recommend to just create an export and inspect the JSON file within. Much of the fields should be guessable what they do. Some useful bits of information though:

• When using the normal export feature or the automatic export feature, the app produces a JSON file which only contains the essential information, while all fields that are set to the default value are stripped. However, if you use the "Edit on Computer" feature, the app does not strip anything. So if you go to the web editor and open your browser's inspection/developer tools, you should see that it makes a request to https://http-shortcuts.rmy.ch/editor/api/files/. This file contains the full JSON of your shortcuts, including all the default values.
• The "version" and "compatibilityVersion" fields in the JSON indicate the schema version. I recommend you leave them as they are, as the app uses them to support backwards compatibility for older schema versions.
• All the "id" fields use UUID v4. If you need to generate new ones, you can use something like https://www.uuidgenerator.net/ or an appropriate library
• The app's models for reading and writing the export file can be found here: https://github.com/Waboodoo/HTTP-Shortcuts/tree/develop/HTTPShortcuts/app/src/main/kotlin/ch/rmy/android/http_shortcuts/import_export/models . The entrypoint is the ImportExportBase.kt file. If you're not familiar with Kotlin, all you need to look for is the lines that start with val and that type information ending in a ? means that this is an optional/nullable field.

If I go with this approach, is there a way to obfuscate (encode is a better word) some of my session tokens used by requests, so it isn't readable by all?

Ultimately, the app needs to be able to read it, so there's only so much protection you can do. The recommended approach is to make use of HTTPS, such that your file is encrypted in transit, and to configure basic auth with a secure username and password, such that only those who know the credentials can access your file. Beyond this, the app doesn't offer any protection mechanisms.

Can the webeditor export a json file?

Sort of. When you save your changes in the web editor, they get pushed to a file on the server. You can technically access this file using your browser or a script. The URL is https://http-shortcuts.rmy.ch/editor/api/files/, and it requires basic auth using your device ID as the username and the password that you used to access the web editor.