Breaking Changes – Here They Come!

Question: What’s significant about this Saturday – March 12, 2011?

Answer: Time to set your clocks ahead for Daylight Savings Time. *

Answer: Barbara Feldon’s birthday **

Answer: IFrame apps will be accessed through HTTP POST instead of GET.

That’s right kids, as Facebook has been telling us for some time now, your IFrame apps will be accessed from your customer’s clients by a POST instead of a GET. This is significant because it is most definitely a breaking change, e.g. one that has the potential to make your application stop working if you aren’t careful, so pay attention.

So why is Facebook doing this? Well, it has to do with a little something we call privacy. The problem is that a customer’s Facebook userid used to be passed in the URL (as part of a GET) so that the application could know which user a request was coming from. The problem is that subsequent calls would retain this userid in the HTTP Referrer header, and possibly allow third parties to get access to it. Privacy advocates rightfully have a problem with this, so Facebook looked for ways to fix the problem.

The solution to the problem is not to use a GET but rather a POST and pass the customer’s userid as a POST parameter. If all access happens over a secure channel (like Facebook now allows us to do) there’s no fear of exposing userids to third parties. Good solution, except for the fact that if your application expects a GET and receives a POST instead, you’re hosed.

So what to do if you have an IFrame application? Well, test it before Saturday comes lest things break. To do this, you must go into your application’s settings and enable the POST for Canvas selection.

Once this is done, Facebook will provide different HTML to the client’s browser so that your application is accessed through POST instead of GET. Be very careful though if your application is already live. If your application is broken by this change, then selecting this will effectively knock your app off of Facebook. So to be safe, register a test application and use that instead.

More technical information about this change can be found here. Facebook offers some simple solutions for how to do this migration on popular development platforms. There’s also some feedback from developers who’ve experienced some problems, so it’s a good place to start if you find problems yourself.

Good luck.

* Yeah, technically this happens on March 13, but better do it before you forget.

** We loves us some Agent 99 so much we won’t give away her age.

Facebook acknowledges testers exist!

Yesterday, Facebook made a pretty significant announcement for developers of Facebook applications. The announcement involved assigning roles for people on the application development team, and defining what they can and cannot do. As far as I know, it’s the first real acknowledgement by Facebook that Platform application development has moved mainstream and is no longer solely being done by guys in their basements (or lofts – this is Facebook after all). Traditional development teams building Facebook apps using traditional software lifecycle concepts are popping up everywhere. I’ve even see teams build apps on the .NET platform, as unlikely as that seems.

Facebook application development teams have always needed to register who was on the team with Facebook, so that those people could access, build, and test the application before it was released to the greater public. The problem was that belonging to the team was binary – you were either in or out, and only those that were in could access the pre-released app. However, all of the team members could view and modify the Application Secret, change the app’s URL, or throw everyone else on the team off. It didn’t matter what your actual job was, if you were on the list you had absolute authority.

The new Developer's Role dialog

Facebook has now changed that by allowing you to define the roles for the people on your dev team, and thereby limit what they can and can’t do. Here’s a list of the roles you can assign:

• Administrator – complete access to the application and all its settings
• Developer – can modify all technical settings and access Insights but cannot reset secret key, delete application, or add additional users
• Tester – can test the application in sandbox mode but cannot modify the application
• Insights User – can access Insights but cannot modify the application

This is great news, and is a step in the right direction to show that Facebook application development is growing up. I’ve done some consulting on testing Facebook apps, and have always been uneasy when I’ve been added as an applications “Developer”. I always felt uneasy about getting exposure and access to a company’s crown jewels, and asked to be taken off the list as soon as the gig was up. Now, I can be added as a “Tester” and gain access to only those priveleges that I need.

So let’s hope Facebook continues along this thread and provides more tools and services that acknowledge that Facebook application development is being done by teams that have real needs. For example, a real development team will want to stage any code changes before making them live (just like what Facebook does with the Beta Tier). Unfortunately, the only way to test this beta code is to register another application with Facebook so that the production and beta code can run in parallel. But registering a new application will cause a new Application ID/Secret to be created. This means that once the beta code is proven to be good it will have to be modified in order to be run as production. Bad bad idea, but it’s the only way that Facebook will let you do it. It would be nice if Facebook would provide some easy ways to deal with things like this, as well as other difficulties that large dev teams certainly encounter. Facebook – give me a call, I have lots of other ideas.

So what would you change to help your development team interact with the Facebook Platform more easily. Leave a comment to let us know.

Monitoring your Facebook application for regression – Part 1

A few days ago there was a post in the Facebook Developers Blog entitled Testing Using The Beta Tier, which is important to read and to understand its implications. The gist of the post is that the developers at Facebook are pretty busy and are constantly modifying the Facebook Platform. They push out updates on a weekly basis and all of us in the Facebook Platform ecosystem are affected by this whether we like it or not (and whether we know it or not). Fortunately, as this post explains, you can get access to the beta version of these updates before they go live to ensure that your application plays well with it. This is a valuable service that Facebook is providing, and it’s important to understand why.

Let’s contrast a Facebook app with a plain old Web Application. Imagine you’ve just finished designing and building your great new Web App. Before deployment you test every possible thing that could go wrong and you feel really confident about its stability and robustness. You’re so confident that it won’t break that you decide to relax and spend the next two weeks in Bora Bora without even a laptop. Things may go wrong, but if your app is really well-written, then all of the problems will be operational problems. Someone tripped over a power cord and knocked out a router, or spilled coffee into a server.  Things that are certainly problems, but they don’t need you the programmer to fix them. Go get yourself another drink and don’t worry about your app.

But Facebook development isn’t like that. You still need a good operations team to make sure your app stays online, but the stability and reliability of your Facebook app also depends on the invisible hand of Facebook, something that you have no control over. Before booking your flight to Bora Bora you’ll need to come to grips with the possibility that Facebook could very easily push out an update that changes an API in a way that breaks your application. If/when that happens to you, then you the programmer will need to do something about it to get your app back up and running again, even if it means getting up from the beach. And that’s the important point here: Facebook applications can and will experience regression even when they aren’t being changed because Facebook is always changing.

The first step to dealing with a problem like this is knowing that there is a problem. If you have a general Web App, knowing that it isn’t working isn’t so hard to do. You can simply set up a monitoring system to periodically hit the app and make sure that it responds properly. There are many inexpensive commercial services that make this really easy to do.

But what about Facebook applications? You can monitor the application to ensure it is up and running, but that won’t tell you if Facebook has done something to break it. That’s why Facebook’s Beta Tier is so valuable – you can find and fix potential problems before they get seen by users.

But how can we do this automatically? It would be great if we could set up an automated way to know that the next Facebook update will break your application. In our next post we’ll look at some strategies for how we can do this. In the meantime, leave a comment if you think this would be a good idea, and any thoughts you have about it.

How does Facebook get tested?

The focus of this blog has always been to talk about testing Facebook applications. There are plenty of places to read about software testing or Facebook, but this is the one place to get that intersection. With this in mind I’m going to stray from our charter and talk about testing Facebook. No, not how to test your Facebook app, but how does Facebook test Facebook.

That’s right. Have you ever thought about how Facebook tests its own product? Well wonder no more as the good people at Quora have already asked that question, and Steven Grimm, Facebook’s test engineering tech lead has provided quite a good answer.

A few interesting take-aways:

• For a company that’s so grounded in PHP, it’s interesting to see that they’re so heavily invested in Watir, a tool from the Ruby world.
• “Facebook has no dedicated QA team.” Now for many people, this will come as no surprise. For others from a more traditional development background, no dedicated QA for something as large and mission critical as Facebook seems like a really bad idea.
• They don’t talk about load testing. From what we can tell, they probably don’t even do it. In a lot of respects, a proper load test of Facebook is probably far more trouble than it’s worth.