Building Ambitious APIs with Ruby

BUILDING AMBITIOUS APIS
WITH RUBY
Dan Gebhardt
@dgeb
Burlington Ruby 2013

View Slide

DO YOU NEED AN API?

View Slide

CLIENT-SIDE JS APPLICATION?

View Slide

CLIENT-SIDE JS APPLICATION?
YOU NEED AN API

View Slide

NATIVE APPLICATION?

View Slide

NATIVE APPLICATION?
YOU NEED AN API

View Slide

3RD PARTY INTEGRATION?
Creative Commons image courtesy of
Kamil Porembiński

View Slide

3RD PARTY INTEGRATION?
YOU NEED AN API
Image credit: http://up1ter.deviantart.com/art/Twilight-Sparkle-is-ﬂying-286029311

View Slide

SCRIPTABLE?

View Slide

SCRIPTABLE?
YOU NEED AN API
@devops_borat @hipsterhacker
@neckbeardhacker

View Slide

SO DO YOU NEED AN API?

View Slide

SO DO YOU NEED AN API?
*PROBABLY*

View Slide

LET'S BUILD SOMETHING
THAT DOES

View Slide

RubyPets!

View Slide

EMBER UI

View Slide

ANDROID & IOS APPS
EMBER UI

View Slide

ANDROID & IOS APPS
EMBER UI
LOLCATS INTEGRATION

View Slide

ANDROID & IOS APPS
LOLCATS INTEGRATION
EMBER UI
NEEDS AN API

View Slide

"WE NEED A
RESTFUL API"

View Slide

"...AFTER YOU FEED ME!"

View Slide

RESTFUL API BASICS

View Slide

Your application's
NOUNS
are modeled as
RESOURCES

View Slide

OUR RESOURCES
Pets

View Slide

OUR RESOURCES
People

View Slide

Every
RESOURCE
has a URI

View Slide

OUR RESOURCES
# all pets
/pets
# each pet
/pets/123

View Slide

OUR RESOURCES
# all people
/people
# each person
/people/123

View Slide

Resources are
acted upon with
HTTP METHODS

View Slide

POST
GET
UPDATE
PATCH
DELETE
/pets/123
/pets/
/pets/123
/pets/123
/pets/123

View Slide

POST
GET
UPDATE
PATCH
DELETE
/pets/123
/pets/
/pets/123
/pets/123
/pets/123
+ MORE

View Slide

"WE NEED AN
AMBITIOUS
RESTFUL API!"

View Slide

DEFINE AMBITIOUS

View Slide

DEFINE AMBITIOUS
•Flexible

View Slide

DEFINE AMBITIOUS
•Flexible
•Consistent

View Slide

DEFINE AMBITIOUS
•Flexible
•Consistent
•Efﬁcient

View Slide

DEFINE AMBITIOUS
•Flexible
•Consistent
•Efﬁcient
•Secure

View Slide

DEFINE AMBITIOUS
•Flexible
•Consistent
•Efﬁcient
•Secure
•Discoverable

View Slide

IS THERE ANYTHING
WE WON'T DO?

View Slide

LET'S STICK WITH JSON
... AND SKIP XML

View Slide

OK, LET'S GET STARTED!

View Slide

LET'S START SIMPLE
$ rails new rubypets
$ cd rubypets
$ rails g scaffold pet name:string
$ rails g scaffold toy name:string pet:references
$ rake db:migrate
# set a default route, define relationships, etc ...

View Slide

MODELS
# /app/models/pet.rb
class Pet < ActiveRecord::Base
has_many :toys
end
# /app/models/toy.rb
class Toy < ActiveRecord::Base
belongs_to :pet
end

View Slide

CONTROLLERS
class PetsController < ApplicationController
before_action :set_pet, only: [:show, :edit, :update, :destroy]
# GET /pets
# GET /pets.json
def index
@pets = Pet.all
end
# GET /pets/1
# GET /pets/1.json
def show
end
.....
end

View Slide

JBUILDER VIEWS
# pets/index.json.jbuilder
json.array!(@pets) do |pet|
json.extract! pet, :name
json.url pet_url(pet, format: :json)
end
# pets/show.json.jbuilder
json.extract! @pet, :name, :created_at, :updated_at

View Slide

OUTPUT
# /pets.json
[
{"name":"Cashew",
"url":"http://localhost:3000/pets/1.json"},
{"name":"Ginkgo",
"url":"http://localhost:3000/pets/2.json"}
]
# /pets/2.json
{"name":"Ginkgo",
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}
JSON

View Slide

OUTPUT
# /pets.json
[
{"name":"Cashew",
"url":"http://localhost:3000/pets/1.json"},
{"name":"Ginkgo",
"url":"http://localhost:3000/pets/2.json"}
]
# /pets/2.json
{"name":"Ginkgo",
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}
"WE NEED CONSISTENCY !!!"
JSON

View Slide

JBUILDER VIEWS
# pets/index.json.jbuilder
json.array!(@pets) do |pet|
json.extract! pet, :name
json.url pet_url(pet, format: :json)
end
# pets/show.json.jbuilder
json.extract! @pet, :name, :created_at, :updated_at

View Slide

"CUSTOM" ISN'T ALWAYS A
GOOD THING

View Slide

WE NEED MORE
CONVENTION
AND LESS
CONFIGURATION

View Slide

View Slide

LET'S TRY IT OUT
# Gemfile
# gem 'jbuilder', '~> 1.2'
gem 'active_model_serializers'

View Slide

LET'S TRY IT OUT
# Gemfile
# gem 'jbuilder', '~> 1.2'
gem 'active_model_serializers'
$ bundle install
$ rails g serializer pet
$ rails g serializer toy

View Slide

SERIALIZERS
# app/serializers/pet_serializer.rb
class PetSerializer < ActiveModel::Serializer
attributes :id, :name, :created_at, :updated_at
end
# app/serializers/toy_serializer.rb
class ToySerializer < ActiveModel::Serializer
attributes :id, :name, :created_at, :updated_at
end

View Slide

CONTROLLERS
class PetsController < ApplicationController
before_action :set_pet, only: [:show, :edit, :update, :destroy]
# GET /pets
# GET /pets.json
def index
render json: Pet.all
end
# GET /pets/1
# GET /pets/1.json
def show
render json: @pet
end
.....
end

View Slide

OUTPUT
# /pets.json
{"pets":
[{"id":1, "name":"Cashew",
"created_at":"2013-08-02T04:02:58.467Z",
"updated_at":"2013-08-02T04:02:58.467Z"},
{"id":2, "name":"Ginkgo",
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}]}
# /pets/2.json
{"pet":
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}}
JSON

View Slide

OUTPUT
# /pets.json
{"pets":
[{"id":1, "name":"Cashew",
"created_at":"2013-08-02T04:02:58.467Z",
"updated_at":"2013-08-02T04:02:58.467Z"},
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}]}
# /pets/2.json
{"pet":
"created_at":"2013-08-02T04:03:06.958Z",
"updated_at":"2013-08-02T04:03:06.958Z"}}
"THAT'S BETTER, BUT..."
JSON

View Slide

CUSTOM FIELDS
# app/serializers/base_serializer.rb
attributes :id, :created_at, :updated_at
# allow custom inclusion of a single field
def include_created_at?
if @options.key?(:fields)
return @options[:fields][:created_at]
end
true
end
end

View Slide

CUSTOM FIELDS
# allow custom inclusion of a single field
def include_created_at?
return @options[:fields][:created_at]
end
true
end
end
"THAT'S BETTER, BUT..."

View Slide

BASE SERIALIZER
class BaseSerializer < ActiveModel::Serializer
end
class PetSerializer < BaseSerializer
attributes :name
end
# app/serializers/toy_serializer.rb
class ToySerializer < BaseSerializer
attributes :name
end

View Slide

CUSTOM FIELDS +
# allow custom inclusion of ANY field
# via options passed in from the controller
def include?(field)
return @options[:fields][field]
end
super(field)
end
end

View Slide

ONE-TO-MANY
has_many :toys
end
attributes :name
has_many :toys
end

View Slide

OUTPUT
JSON
# /pets/2.json
{"pet":
{"id":2,
"name":"Ginkgo",
"toys":[
{"id":3,
"name":"Busy Bee"},
{"id":4,
"name":"Dan's sock"}]}}

View Slide

ONE-TO-ONE
has_many :toys
belongs_to :person
end
attributes :name
has_many :toys
has_one :person
end

View Slide

OUTPUT
JSON
# /pets/2.json
{"pet":
{"id":2,
"name":"Ginkgo",
"toys":[
{"id":3, "name":"Busy Bee"},
{"id":4, "name":"Dan's sock"}]
"person": {"id":1,"name":"Dan"}}}

View Slide

OUTPUT
JSON
# /pets.json
{"pets":
[{"id":1,
"name":"Cashew",
"toys":[...],
"person":{"id":1,"name":"Dan"}},
{"id":2,
"name":"Ginkgo",
"toys":[...],
"person":{"id":1,"name":"Dan"}}]}

View Slide

OUTPUT
JSON
# /pets.json
{"pets":
[{"id":1,
"name":"Cashew",
"toys":[...],
"person":{"id":1,"name":"Dan"}},
{"id":2,
"name":"Ginkgo",
"toys":[...],
"person":{"id":1,"name":"Dan"}}]}
"DUPLICATION!"

View Slide

BASE SERIALIZER
# sideload related data by default
embed :ids, include: true
end

View Slide

OUTPUT
JSON
# /pets.json
{"toys":[
{"id":1, "name":"BTVRuby catnip"},
{"id":2, "name":"Mr Smoochums"},
{"id":4, "name":"Dan's sock"}],
"people":[
{"id":1, "name":"Dan"}],
"pets":[
{"id":1,
"name":"Cashew",
"toy_ids":[1,2],
"person_id":1},
{"id":2,
"name":"Ginkgo",
"toy_ids":[3,4],
"person_id":1}]}

View Slide

OUTPUT
JSON
# /pets.json
{"toys":[
{"id":1, "name":"BTVRuby catnip"},
{"id":2, "name":"Mr Smoochums"},
{"id":4, "name":"Dan's sock"}],
"people":[
{"id":1, "name":"Dan"}],
"pets":[
{"id":1,
"name":"Cashew",
"toy_ids":[1,2],
"person_id":1},
{"id":2,
"name":"Ginkgo",
"toy_ids":[3,4],
"person_id":1}]}
"NO DUPLICATION...
I APPROVE."

View Slide

API DESIGN

View Slide

FILTERING DATA
/pets/cats
/pets/dogs

View Slide

FILTERING DATA
/pets/cats
/pets/dogs
~ VS. ~
/pets?type=cats
/pets?type=dogs

View Slide

FILTERING DATA
/pets/cats
/pets/dogs
~ VS. ~
/pets?type=cats
/pets?type=dogs
/pets?type=cats,dogs

View Slide

FILTERING DATA
/pets/cats
/pets/dogs
~ VS. ~
/pets?type=cats
/pets?type=dogs
/pets?type=cats,dogs
/pets?type=cats,dogs&color=red

View Slide

INCLUDING RELATIONSHIPS
Best guess inclusions
(e.g. always include toys with pets)

View Slide

INCLUDING RELATIONSHIPS
/pets?include=toys,people
Best guess inclusions
(e.g. always include toys with pets)
~ VS. ~
No inclusions by default.
Custom inclusions as requested.

View Slide

EMBEDDING RELATIONSHIPS
Always embed any related data
(i.e. JBuilder approach)

View Slide

EMBEDDING RELATIONSHIPS
Always embed any related data
(i.e. JBuilder approach)
~ VS. ~
Favor "side-loading" and embed data very
selectively (and only when it won't be shared)

View Slide

VERSIONING
One version that's never broken

View Slide

VERSIONING
One version that's never broken
~ VS. ~
Version by host or path
api.rubypets.org
v1.api.rubypets.org
rubypets.org/api/v1

View Slide

SPARSE FIELDSETS
Include all ﬁelds

View Slide

SPARSE FIELDSETS
Include all ﬁelds
~ VS. ~
Allow for custom inclusion of ﬁelds:
/pets?fields=id,name,age

View Slide

SPARSE FIELDSETS
Include all ﬁelds
~ VS. ~
Allow for custom inclusion of ﬁelds:
/pets?fields=id,name,age
/pets?include=toys,people&
pet_fields=id,name,age&
people_fields=id,name&
toy_fields=name

View Slide

SORTING
Default sort order only

View Slide

SORTING
Default sort order only
~ VS. ~
Allow for custom sort order:
/pets?sort=name # ascending
/pets?sort=-name # descending

View Slide

PAGINATION
No limits on resources

View Slide

PAGINATION
~ VS. ~
Provide a default page size, a max page size,
and allow custom requests:
/pets?page=2&per_page=100

View Slide

PAGINATION
~ VS. ~
Provide a default page size, a max page size,
and allow custom requests:
/pets?page=2&per_page=100
Opinion! JSON API should separate the primary resource from
its related resources when "side-loading" in order to clarify issues
of primacy like pagination.

View Slide

PAGINATION, CONT.
As per RFC 5988, return a LINK header to
allow for navigation:
Link: ; rel="next",
; rel="last"
Possible values for `rel`:
first, last, next, prev

View Slide

TL;DR
A Hypermedia API makes full use of HTTP and a
hypermedia content type to be as as navigable as
the web itself.
REST was a term originally invented by Roy
Fielding, but since most "REST" APIs aren't in line
with his deﬁnition, the term "Hypermedia API" was
created.
HYPERMEDIA APIS

View Slide

HYPERMEDIA APIS
Designing Hypermedia APIs
by Steve Klabnik
designinghypermediaapis.com
Recommendation:
It's not TL, so there's no reason for DR !

View Slide

HYPERMEDIA APIS
"Hypermedia designs promote scalability, allow resilience
towards future changes, and promote decoupling and
encapsulation, with all the beneﬁts those things bring. On the
downside, it is not necessarily the most latency-tolerant
design, and caches can get stale if you’re not careful. It may not
be as efﬁcient on an individual request level as other designs."
Steve Klabnik
Designing Hypermedia APIs
designinghypermediaapis.com

View Slide

SECURITY

View Slide

SECURITY
A Brief History of OAuth

View Slide

*BASIC* SECURITY
RECOMMENDATIONS
• Restrict access to particular users (e.g. non-admins) as
needed in your controller and serializer layers

View Slide

*BASIC* SECURITY
RECOMMENDATIONS
• HTTPS for all the things

View Slide

*BASIC* SECURITY
RECOMMENDATIONS
• Use token-based security

View Slide

*BASIC* SECURITY
RECOMMENDATIONS
• Use token-based security
• If you want to build an OAuth provider, don't
go it alone. Use a gem like James Coglan's
oauth2-provider:
https://github.com/songkick/oauth2-provider

View Slide

View Slide

THANKS!
@dgeb
Burlington Ruby 2013

View Slide

Building Ambitious APIs with Ruby

Building Ambitious APIs with Ruby

Dan Gebhardt

More Decks by Dan Gebhardt

Other Decks in Programming

Featured

Transcript