alulsh / dc-micromobility-by-neighborhood Goto Github PK

The Jump free bike API endpoint migrated from https://dc.jumpmobility.com/opendata/free_bike_status.json to https://gbfs.uber.com/v1/dcb/free_bike_status.json as part of Uber's acquisition of Jump.

This new Uber endpoint does not allow cross-origin resource sharing (CORS). It returns a CORS error when used in client-side JavaScript.

The Uber API does have documentation on setting an origin URI in your approved application for CORS. It's not clear whether this applies only to the Uber Riders API or also to the Jump GBFS feed though. Access to the Uber API requires approval from Uber.

https://github.com/ubahnverleih/WoBike has great documentation on Ofo's API.

Unfortunately this API requires authentication. You first have to provide your cell phone number and an OTP code to a login endpoint. In exchange you receive an authorization token that can be used to obtain bikeshare data.

This authorization token shouldn't be used in client side JavaScript as it could possibly allow an attacker to hijack your Ofo account (unsure what rights/scopes this token has access to). As a result, the Ofo API can't yet be used in this client side project.

Please comment on this issue if you know of Ofo releasing an open, publicly available API that doesn't require authentication.

The District Department of Transportation (DDOT) lists https://s3.amazonaws.com/lyft-lastmile-production-iad/lbs/dca/free_bike_status.json as a public API endpoint for Lyft scooters on its dockless API page. Lyft also lists this endpoint on their public FAQ for service in Washington, DC:

You can freely view this API endpoint in a web browser by visiting https://s3.amazonaws.com/lyft-lastmile-production-iad/lbs/dca/free_bike_status.json in a web browser:

Curl requests like curl "https://s3.amazonaws.com/lyft-lastmile-production-iad/lbs/dca/free_bike_status.json" | jq '.data.bikes[2]' also succeed with no issues:

When you try to hit this API endpoint with client-side JavaScript via fetch or XMLHttpRequest you receive a generic CORS error. As a result, this API is unusable for front end web applications.

Lyft does maintain developer documentation, but you must contact your Lyft Business contact for full access. Also, this developer portal appears to be for Lyft's traditional rideshare service, and not its micromobility services.

DDOT DC tweeted about a LimeBike API for DC on February 6th, 2018. You can obtain data with the following Curl command: curl -iH "Authorization: Bearer limebike-PMc3qGEtAAXqJa" -X GET https://lime.bike/api/partners/v1/bikes?region=Washington%20DC%20Proper

When I use client side JavaScript code to access LimeBike's API I get a CORS error.

Code:

let request = new XMLHttpRequest();
request.open('GET', 'https://lime.bike/api/partners/v1/bikes?region=Washington%20DC%20Proper');
request.setRequestHeader('Authorization', 'Bearer limebike-PMc3qGEtAAXqJa');
request.responseType = 'json';
request.send();
request.onload = () => {
  console.log(request.response);
};

Error:
Failed to load https://lime.bike/api/partners/v1/bikes?region=Washington%20DC%20Proper: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:5000' is therefore not allowed access. The response had HTTP status code 404.

If LimeBike adds Access-Control-Allow-Origin: * to their servers then I'll be able to obtain this data with client side Javascript. For now this Node.js script I wrote works locally.

Bird maintains an API endpoint for DC data in https://gbfs.bird.co/dc, which is listed on DDOT's dockless API page. Unfortunately, this API endpoint suffers from intermittent CORS errors, which makes it difficult to work with. So far I've noticed a pattern with the first request of the day experiencing a CORS error, but anecdotally in the past, I've seen the error at various points in the day.

Here's a CORS error for the first hit of the day at 8:31 UTC:

No CORS error for the second hit of the day after refreshing at 8:32 UTC:

I could still potentially add this API to this project, but it would require more robust investments in error handling and UX. There's also the risk that the CORS error could eventually turn into an intentional permanent decision and not stay an intermittent error.

Currently there is no (intentionally) publicly available Mobike API with data for Washington, D.C.

Per https://github.com/ubahnverleih/WoBike#mobike-china-italy-uk-japan it's possible to send a POST request to https://mwx.mobike.com/mobike-api/rent/nearbyBikesInfo.do and receive bike data in return. You have to change the Referer and user-agent headers to match a possible WeChat client though.

To me this is an indication that this endpoint is not intended for public use. I don't feel comfortable obtaining data from it. There's also a good chance I'd run into CORS issues trying to access it via client side JavaScript.

If anybody knows of Mobike releasing an intentionally public API please comment on this issue.