Nodevember 2015: The dirty secrets of building large, highly available, scalable HTTP APIs

Transcript

1. The dirty little secrets of building large, highly available, scalable

   HTTP APIs by @dschenkelman

2. Why? var  express  =  require('express');   var  app  =  express();

     app.get('/',  function  (req,  res)  {      res.send('Hello  World!');   });   var  server  =  app.listen(3000,  function  ()  {      var  host  =  server.address().address;      var  port  =  server.address().port;      console.log('Example  app  listening  at  http://%s:%s',  host,  port);   });

3. Developers

4. Evolution

5. Pillars

6. Validation

7. enabled:  true

8. enabled:  1

9. enabled:  1.0

10. enabled:  "false"

11. JSON Schemas "enabled":  {   "type":  "boolean"   }

12. Errors for developers {      "statusCode":  400,    

     "error":  "Bad  Request",      "message":  "Payload  validation  error:   'Expected  type  boolean  but  found  type   string'  on  property  enabled   (<code>true</code>  if  the  rule  is   enabled,  <code>false</code>   otherwise).",      "errorCode":  "invalid_body"   }

13. ratify const  ZSchemaErrors  =  require('z-­‐schema-­‐errors');   const  errorReporters  =  ['headers',

     'query',  'path',   'payload'].reduce((current,  part)  =>  {      current[part]  =  ZSchemaErrors.init({/*...*/});      return  current;   },  {});   plugins.push({      register:  require('ratify'),      options:  {          errorReporters:  errorReporters,          /*...*/      }   });

14. Documentation

15. Old API Explorer

16. Auto-generate docs

17. Swagger

18. Leverage validation "enabled":  {   "type":  "boolean",   "description":  "<code>true</code>

     if   the  connection  is  enabled,   <code>false</code>  (default)  otherwise"   }

19. Customize

20. AuthN & AuthZ

21. Token Exchange API Client API Server 1. Credentials 2. API

    Token 3. Requests

22. Granular Security

23. Decentralized Issuance

24. Expiration Control

25. Debuggability

26. JSON Web Token JWT

27. Authenticate For all endpoints

28. Authorize Per endpoint

29. Blacklisting

30. T-shirt time

31. Stress tests

32. Devops Stress

33. What to do…

34. Rate Limiting

35. Token Bucket

36. limitd #port  to  listen  on   port:  9001   #db

     path   db:  /var/limitd/database   #define  the  bucket  types   buckets:      customers:          size:  10          per_second:  10

37. 429 X-­‐RateLimit-­‐Limit   Maximum  amount   X-­‐RateLimit-­‐Remaining   How  many

     there  are  left   X-­‐RateLimit-­‐Reset   When  will  bucket  be  full  again

38. patova plugins.push({      register:  require('patova'),      options:  {

             event:  'onPostAuth',  //  when  to  perform  the  limit  check          type:  'tenant',  //  bucket          address:  env.LIMITD_SERVER,          extractKey:  function(request,  reply,  done){              const  key  =  request.auth.credentials.__tenant;              done(null,  key);          }      }   });

39. Geo Redundancy

40. Data Center Failure

41. Natural Disasters

42. Cloud Provider Failure

43. Our Setup

44. Our Setup App Instances MongoDB Elastic Search App Instances MongoDB

    Elastic Search MongoDB

45. The switch

46. Changes

47. Experiments

48. feature-change const  feature_change  =  require('feature-­‐change');   var  options  =  {

         expected:  function(cb){              mongo_search(mongo_opts,  cb);      },      actual:  function(cb){              es_search(es_opts,  cb);      },      logAction:  function(current_result,  new_result){              //  invoked  when  there  is  a  difference  in  the  results              //  (useful  for  logging)      }   };   feature_change(options,  function(err,  result){          //  this  is  the  original  callback  you  were  using  for  mongo          //  err  and  result  always  come  from  mongo_search   });

49. Iron out differences

50. Wrap up

51. Shipping is important

52. Remember: evolve

53. Validation & Docs • http://json-schema.org • http://swagger.io • https://auth0.com/docs/api/v2 (example

    of branded auto-generated docs) • https://github.com/mac-/ratify

54. AuthN & AuthZ • https://tools.ietf.org/html/rfc7519 • http://jwt.io/ • https://auth0.com/blog/2014/12/02/using-json- web-tokens-as-api-keys/

    • https://auth0.com/blog/2015/03/10/blacklist-json- web-token-api-keys/ • https://github.com/auth0/hapi-auth-jwt

55. Rate limiting • http://tools.ietf.org/html/rfc6585 • https://github.com/limitd • https://github.com/dschenkelman/patova

56. Geo Redundancy • http://highscalability.com/blog/2014/12/1/auth0- architecture-running-in-multiple-cloud-providers- and-r.html • https://auth0.com/availability-trust • http://docs.mongodb.org/master/tutorial/deploy-

    geographically-distributed-replica-set/

57. Feature Changes • http://zachholman.com/talk/move-fast-break- nothing/ • https://auth0.com/blog/2015/10/27/feature- changes-at-auth0/ • https://github.com/dschenkelman/feature-

    change

58. Thanks https://github.com/dschenkelman/api-secrets-talk @dschenkelman