projects /SimplyGoPal | TransitLink Chrome Extension

Project Overview

TransitLink has a $128 Adult Monthly Travel Pass for unlimited travel on Singapore's public transportation system. To find out if purchasing this pass makes sense, it's typical to try checking one's public transport expenditure on TransitLink's fare tracking app (SimplyGo).

Unfortunately, neither the mobile nor web app provides sums of transport fees within a given period, so users would need to pull out a calculator to run the math themselves. A friend of mine mentioned this frustration, and I decided to build a simple tool that would assist with this task.

Key Challenges and Learning Points

Originally, I had wanted to build a separate web app that would support user login, setting of date range, and fetching of user information. I thought of building a separate platform that could act as a dashboard with more useful/fun features (e.g. charting transport fare, visualising users' most common routes and favourite stops, etc.). However, this posed many challenges.

1. TransitLink's web app is ASP.NET-based and server-side rendered

Studying TransitLink's APIs through the Chrome Network tab, I quickly noticed that responses returned HTML text, rather than JSON data. This was initially tricky to work with, as I needed to find targetable patterns that would allow me to extract useful data via regex. The fares I was interested in summing were consistently wrapped in <td class="col3">$ x.xx </td> tags. Using regex.match(), I was able to generate an array of fares to sum.
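The extraction step described above, as an added example that is not the extension's own code: it pulls every fare cell out of the HTML text and sums in integer cents so repeated additions do not accumulate floating-point error. The sample markup, the function names and the col1/col2 cells are constructed for illustration; only the col3 cell pattern and the $128 pass price come from the page.

```javascript
// Constructed sample of server-rendered HTML; only the
// <td class="col3">$ x.xx </td> cell pattern comes from the page.
const SAMPLE_HTML = `
<table>
  <tr><td class="col1">08:12</td><td class="col2">Bus 14</td><td class="col3">$ 1.09 </td></tr>
  <tr><td class="col1">18:40</td><td class="col2">Train</td><td class="col3">$ 2.10 </td></tr>
  <tr><td class="col1">19:05</td><td class="col2">Bus 7</td><td class="col3">$ 0.00 </td></tr>
  <tr><td class="col1">Pending</td><td class="col2">Bus 7</td><td class="col3">-</td></tr>
</table>`;

// Capture dollars and cents separately; tolerate whitespace around the amount.
const FARE_CELL = /<td class="col3">\s*\$\s*(\d+)\.(\d{2})\s*<\/td>/g;

// Monthly pass price quoted on the page ($128), in cents.
const MONTHLY_PASS_CENTS = 12800;

// Return every matched fare as an integer number of cents.
// Cells without a "$ x.xx" amount (the "-" row above) are skipped.
function extractFareCents(html) {
  const cents = [];
  for (const m of html.matchAll(FARE_CELL)) {
    cents.push(Number(m[1]) * 100 + Number(m[2]));
  }
  return cents;
}

// Sum the fares and compare the total against the pass price.
function summariseFares(html) {
  const cents = extractFareCents(html);
  const totalCents = cents.reduce((sum, c) => sum + c, 0);
  return {
    trips: cents.length,
    totalCents,
    display: `$${(totalCents / 100).toFixed(2)}`,
    passPaysOff: totalCents > MONTHLY_PASS_CENTS,
  };
}

console.log(summariseFares(SAMPLE_HTML));
```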

Having thought that I had cleared this hurdle, I set about trying to understand the architecture of TransitLink's login/ data request APIs. This is where problem #2 showed up.


2. HTTPOnly Cookies

TransitLink relies on a set of 3-4 tokens (they've added 2 since I last tinkered in Sept 2022 👀) for authentication/ authorisation.

  • ASP.NET Session Token
  • __RequestVerificationToken
  • AuthToken

Each of these is an HTTPOnly Cookie, set by the API response header. After many hours of researching how HTTPOnly Cookies work, and attempting several methods (including HTTPS/proxy tunnelling) to see if it was possible to call TransitLink's APIs through a NodeJS server in VSCode, I still wasn't able to work around the various security measures in place and began feeling worried regarding the legality of what I was doing. So I decided to change approach instead.
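What the HttpOnly attribute changes, as an added example that is not code from the original project: the browser still attaches every cookie to requests for the site, but script reading document.cookie only sees those without the flag. The headers, values, the ASP.NET_SessionId spelling (ASP.NET's default session cookie name) and the ui_theme cookie are constructed assumptions, not captured traffic.

```javascript
// Constructed Set-Cookie response headers. Names follow the list above;
// values and the non-HttpOnly "ui_theme" cookie are invented.
const SAMPLE_SET_COOKIE = [
  "ASP.NET_SessionId=s3ss10n; path=/; HttpOnly",
  "__RequestVerificationToken=v3r1fy; path=/; HttpOnly",
  "AuthToken=t0k3n; path=/; httponly",
  "ui_theme=dark; path=/",
];

// Parse one Set-Cookie header into name, value and the HttpOnly flag.
// Attribute names are case-insensitive, so compare in lower case.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: not a usable cookie
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

function parseAll(headers) {
  return headers.map(parseSetCookie).filter((c) => c !== null);
}

// What page script or a content script would get from document.cookie.
function scriptVisibleCookies(headers) {
  return parseAll(headers)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What the browser itself sends in the Cookie request header.
function requestCookieHeader(headers) {
  return parseAll(headers).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Defensive check: names of cookies that script could read.
function missingHttpOnly(headers) {
  return parseAll(headers).filter((c) => !c.httpOnly).map((c) => c.name);
}

console.log("document.cookie ->", scriptVisibleCookies(SAMPLE_SET_COOKIE));
console.log("Cookie header   ->", requestCookieHeader(SAMPLE_SET_COOKIE));
```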


3. Adjusting Goals

Since I had been able to calculate the total from the TransitLink API's HTML text response, I realised that I might be able to use a Chrome Extension to read the contents of the webpages in-browser, and trigger some kind of pop-up with the useful data instead. This would eliminate the need for probing TransitLink's security measures, whilst still being able to address core user frustrations.

I was able to locate an example Chrome Extension template by Dan Harper and adapt it to the final product below.


Thoughts on Chrome Manifest V3

Context: I'm mainly going to talk about YouTube in this section b/c I don't use any social media other than YT

In the process of deploying the extension, I received a warning message in-browser that SimplyGoPal was on Chrome Manifest V2 which would no longer be supported in 2023. I was advised to migrate to Chrome Manifest V3 (MV3).

I had last heard of MV3 in 2019, and looked up more recent coverage of this change via the Electronic Frontier Foundation and Mental Outlaw on YouTube.

As a long-time user of YouTube Vanced, uBlock Origin, Ghostery, and increasingly Mozilla products (Firefox, Mozilla VPN), the growing shadow that MV3 casts is threatening. I'm still unsure whether this shift spells a definitive end for ad and tracker blockers - where there's a will there's a way - on Chrome. But Google's control over so many major pieces of digital infrastructure affords them gross flex rights on other companies and developers actually working to make the Internet safer, faster, and more private.

The shutdown of YouTube Vanced, notable spikes in the number of unskippable ads on videos, and the ascendence of TikTok to the content format/algorithm meta (pun?.intended) raise questions in my mind.

Is a simple profit motive behind the crackdown on ad/tracker-blocking software, or are there other considerations at play?

Is the tiktokification of everything 🙄 going to punish creators who don't wish to make content in that format?

How can Google alternatives like Firefox/ Brave leverage the concerns around/ impact of MV3 to carve out greater mind/market share, and maybe function as a stronger counterbalance?

This said, I'm quite sure the UXers and devs at Google have intensely studied the level of irritation (ads) and fear (privacy) that users are willing to put up with before hunting for alternatives, and the changes will fly beneath these thresholds. I also think that Ad blockers/ VPN users still represent a minority of those on the Internet - so there might not be significant outrage. But at least on a personal level, I feel worried enough that I'm likely to migrate to Firefox browser.

Ultimately, this little project was eye-opening in terms of connecting my experience as a developer to the broader context of issues regarding/ surrounding technology, and let me explore security tools like the use of HTTPOnly Cookies.


Embedded Gist [ Download the extension here ]