
Rails API-only considerations

How to use the --api flag in Rails and what to consider when migrating a Rails application to an API-only version of it.

I gave this talk at the Ruby Frankfurt Meetup: https://www.meetup.com/de-DE/Frankfurt-Ruby-Meetup/events/256159202

Christian Bäuerlein

November 15, 2018

Transcript

  3. WHAT THIS TALK IS NOT ABOUT

    - Are SPAs a good idea?
    - Are Microservices a good idea?
    - API best practices
  6. WHAT THIS TALK IS ABOUT

    - How to use the api flag
    - Considerations when going API-only
    - Create more questions than answers
  7. WHY RAILS

    - Middleware, Logging, Instrumentation, Caching
    - Code-reloading, Environments
    - Security
    - Parameters, Error handling
    - Rails console!
    - Convention over Configuration
  8. WHAT IS --api?

    - Since Rails 5.0
    - rails new --api
    - Sane defaults for API-only applications
  11. WHAT DOES --api?

    - No Views/Assets incl. configured Generators
    - Adjust Controller modules
    - ActionController::API instead of ActionController::Base
    - Adjust Rack Middleware
  12. SELECTED MIDDLEWARES

    - Rack::Sendfile, ActionDispatch::Static
    - AD::Executor, AD::Reloader
    - AD::RemoteIp
    - AD::ShowExceptions, AD::DebugExceptions
    - ActiveRecord::Migration::CheckPending
    - Rails::Rack::Logger, Rack::Runtime, AD::RequestId
    - Rack::ConditionalGet, Rack::ETag
    - …
  16. SHOULD I USE --api?

    - Guide: Using Rails for API-only Applications
    - Opinion: The guide provides more value than the actual cli flag
    - Use flag or not: Manual config work is necessary!
    - Example: remove SendFile, add Translation
    - Easy reverse-engineering: No need to generate a new app to use it!
  17. MORE OPTIONS FOR rails new

    - --skip-yarn
    - --skip-sprockets
    - --skip-action-mailer
    - --skip-active-storage
    - --skip-action-cable
    - --skip-active-record
    - …
  18. EXAMPLE FOR rails new

    rails new --api --skip-active-storage --skip-action-mailer --skip-active-record --skip-action-cable ApiExample

    Pro tip: Evaluating the Middleware, Controller-includes and building blocks makes sense for every kind of Rails app!
  19. THE SACRED DREAM OF THE HTTP-ONLY LEAN, MEAN REST API SERVER.
  20. LIVING THE BACKEND DEV DREAM

    - Stateless
    - Unaware about the rest of the world
    - Pure data channelled through HTTP
  21. THE REAL SCOPE OF YOUR APPLICATION

    Your app is usually more than a public facing API.
  22. CONSIDER FOR BROWSER CLIENTS

    - You might need CORS.
    - Do you need it for every route?
    - What does this mean for SEO, your crawl budget?
  23. WHICH KIND OF AUTH FOR THE BROWSER?

    - Session, e.g. via wildcard cookies
      - Good: HTTP only, SSL only
      - Bad: Danger of Request Forgery, not suitable for mobile
    - API Tokens
      - Good: No CSRF attacks
      - Bad: Accessible via JS, offloads some Security to SPA, no more session store
  24. STATIC PAGES - PagesController#home

    - Do you need to host static pages?
    - e.g. for mobile clients, imprint for app stores
    - Are your current static pages really static?
    - Where will this content come from? A CMS? Static from the SPA?
    - Is it really independent from the API platform?
  25. ADMIN UI

    - Productivity: Ransack, Kaminari, Devise, SimpleForm, etc.
    - Its own SPA?
    - Admin API? Admin API Docs?
    - Another Rails app as a client? (ActiveResource-style)
  26. EMBEDDED OTHER WEB APPS?

    - Mail preview renderings
    - Sidekiq/Resque web interfaces
    - Keep authentication in mind!
  27. MORE COMPLICATED WORKFLOWS

    - OAuth provider
    - Email workflow (confirmation)
    - API Server must know URL of SPA?
  32. WILL THIS PAY OFF?

    - Rails is not only easy to configure…
    - …it is also easy to tear apart!
    - Startup, testing, will be much faster.
    - But: Really important to determine the scope of necessary changes.
    - Check not only technical effort, but also your workflow.
  33. SOURCES

    - Using Rails for API-only Applications
    - Rails CSRF protection for SPA
    - How to Build Rails APIs Following the json:api Spec
    - Building a JSON API with Rails 5
    - Building the Perfect Rails 5 API Only App
    - Master Ruby Web APIs - Devblast
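
For the CORS question on slide 22 ("Do you need it for every route?"), an added example that is not from the talk or from Rails: a Rack-compatible middleware in plain Ruby that sends CORS headers only under one path prefix and only to allow-listed origins. `ScopedCors`, the `/api/public` prefix and the origin are hypothetical names.

```ruby
# Added example in plain Ruby (Rack call convention, no gems needed).
# ScopedCors, the "/api/public" prefix and the origins are hypothetical.
class ScopedCors
  def initialize(app, prefix:, origins:)
    @app = app
    @prefix = prefix
    @origins = origins
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]
    return @app.call(env) unless in_scope?(env["PATH_INFO"].to_s)
    allowed = @origins.include?(origin)
    # Preflight: answer here so it never reaches the application.
    if env["REQUEST_METHOD"] == "OPTIONS" && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
      return [allowed ? 204 : 403, cors_headers(origin, allowed), []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(origin, allowed)), body]
  end

  private

  # Match whole path segments so "/api/publicity" is not in scope.
  def in_scope?(path)
    path == @prefix || path.start_with?("#{@prefix}/")
  end

  def cors_headers(origin, allowed)
    base = { "vary" => "Origin" } # keep caches from mixing origins
    return base unless allowed
    base.merge(
      "access-control-allow-origin" => origin, # exact echo, never "*"
      "access-control-allow-methods" => "GET, POST, OPTIONS",
      "access-control-allow-headers" => "Authorization, Content-Type"
    )
  end
end

# Constructed stand-in for the Rails app and a constructed allow-list.
APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }
CORS = ScopedCors.new(APP, prefix: "/api/public", origins: ["https://spa.example.com"])

def cors_call(method, path, origin, preflight: false)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "HTTP_ORIGIN" => origin }
  env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "POST" if preflight
  CORS.call(env)
end
```

Routes outside the prefix, such as an admin UI or a mounted job dashboard, get no CORS headers at all, so browsers keep enforcing the same-origin policy for them.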
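
For the session-versus-token trade-off on slide 23, an added example that is not from the talk: a Rack-compatible guard in plain Ruby that applies Origin-header verification (one CSRF defense among several, not Rails' token-based `protect_from_forgery`) to state-changing requests carrying the session cookie. `CookieCsrfGuard`, the cookie name `_app_session` and the origins are hypothetical.

```ruby
# Added example in plain Ruby (Rack call convention, no gems needed).
# CookieCsrfGuard, "_app_session" and the origins are hypothetical.
class CookieCsrfGuard
  # Assumes the API never changes state on these methods.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(app, session_cookie:, trusted_origins:)
    @app = app
    @session_cookie = session_cookie
    @trusted_origins = trusted_origins
  end

  def call(env)
    if state_changing?(env) && session_cookie?(env) && !trusted_origin?(env)
      return [403, { "content-type" => "application/json" },
              ['{"error":"cross-site request rejected"}']]
    end
    @app.call(env)
  end

  private

  def state_changing?(env)
    !SAFE_METHODS.include?(env["REQUEST_METHOD"])
  end

  # The browser attaches cookies on its own, so their presence is what
  # makes a request forgeable; a bearer header must be set by SPA code.
  def session_cookie?(env)
    env["HTTP_COOKIE"].to_s.split(/;\s*/).any? do |pair|
      pair.split("=", 2).first == @session_cookie
    end
  end

  # A missing Origin header is treated as untrusted (fail closed).
  def trusted_origin?(env)
    @trusted_origins.include?(env["HTTP_ORIGIN"])
  end
end

GUARDED = CookieCsrfGuard.new(
  ->(_env) { [200, {}, ["ok"]] }, # constructed stand-in for the Rails app
  session_cookie: "_app_session",
  trusted_origins: ["https://spa.example.com"]
)

def guarded_status(method, headers = {})
  GUARDED.call({ "REQUEST_METHOD" => method, "PATH_INFO" => "/orders" }.merge(headers)).first
end
```

Token-only requests pass through unchecked here, which matches the slide's "No CSRF attacks" point; the token's exposure to JavaScript is a separate risk this guard does not address.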