I have been messing around with trying to get data to make meaningful “product pages”. After stepping through the code in “bolt_graph.js” I’ve found a pretty easy way to get tabular data back via JSON. It looks like there is an internal undocumented API. I decided to query this for a bit just to mess with the data in a way that allowed me to deal directly with the JSON.
Anyhow, I got curious and decided to mess with some of the parameters in the call. I came to find out that I could use any device id to get data. Just changing the id’s by hand I was able to get back various test data. I thought maybe that was because there was some authorization as to what I could query. I tried querying from a incognito environment where there was no active session. I was able to get data back for my project! I was also able to get metadata back about the project!
If my assumptions hold true I could write a simple script that would go through various bolt IDs and try to get meta-data.This could expose all developers projects’ data externally.
While I feel that the API that was discovered would be great for use by developers I feel that regardless of its use it needs to be secured. An API key needs to be passed or a session token needs to be sent (bearer or something).
I just wanted to bring this to everyone’s attention.
EDIT and UPDATE:
It looks like a lot of debug data is emitted via the console.
I really like the idea of the method I found. I could build my own graphs etc. I could use a charting framework that I like (amCharts). However, I can confirm I’ve been able to find data on other bolt devices using different device ids without being authenticated.