Rails API-only considerations

How to use the --api flag in Rails and what to consider when migrating a Rails application to an API-only version of it.

I gave this talk at the Ruby Frankfurt Meetup: https://www.meetup.com/de-DE/Frankfurt-Ruby-Meetup/events/256159202

Christian Bäuerlein

November 15, 2018

Transcript

  1. RAILS API-ONLY CONSIDERATIONS
  2. WELCOME
      - Christian Bäuerlein, @fabrik42
      - Backend Engineer at ioki.com (yes, we are hiring!)
  3. RAILS API-ONLY CONSIDERATIONS

  4. WHAT THIS TALK IS NOT ABOUT
  5. WHAT THIS TALK IS NOT ABOUT
      - Are SPAs a good idea?
  6. WHAT THIS TALK IS NOT ABOUT
      - Are SPAs a good idea?
      - Are Microservices a good idea?
  7. WHAT THIS TALK IS NOT ABOUT
      - Are SPAs a good idea?
      - Are Microservices a good idea?
      - API best practices
  8. WHAT THIS TALK IS ABOUT
  9. WHAT THIS TALK IS ABOUT
      - How to use the api flag
  10. WHAT THIS TALK IS ABOUT
      - How to use the api flag
      - Considerations when going API-only
  11. WHAT THIS TALK IS ABOUT
      - How to use the api flag
      - Considerations when going API-only
      - Create more questions than answers
  12. WHY RAILS
  14. WHY RAILS
      - Middleware, Logging, Instrumentation, Caching
      - Code-reloading, Environments
      - Security
      - Parameters, Error handling
      - Rails console!
      - Convention over Configuration
  15. WHAT IS --api?
      - Since Rails 5.0
      - rails new --api
      - Sane defaults for API-only applications
  16. WHAT DOES --api?
  17. WHAT DOES --api?
      - No Views/Assets incl. configured Generators
  18. WHAT DOES --api?
      - No Views/Assets incl. configured Generators
      - Adjust Controller modules
  19. WHAT DOES --api?
      - No Views/Assets incl. configured Generators
      - Adjust Controller modules
      - ActionController::API instead of ActionController::Base
  20. WHAT DOES --api?
      - No Views/Assets incl. configured Generators
      - Adjust Controller modules
      - ActionController::API instead of ActionController::Base
      - Adjust Rack Middleware
  21. SELECTED MIDDLEWARES
      - Rack::Sendfile, ActionDispatch::Static
      - AD::Executor, AD::Reloader
      - AD::RemoteIp
      - AD::ShowExceptions, AD::DebugExceptions
      - ActiveRecord::Migration::CheckPending
      - Rails::Rack::Logger, Rack::Runtime, AD::RequestId
      - Rack::ConditionalGet, Rack::ETag
      - …
  22. REJECTED MIDDLEWARES
      - Rack::MethodOverride
      - Asset/Sprocket-related
      - Cookies, Flash-related
      - …
  23. SELECTED CONTROLLER MODULES
      - ActionController::StrongParameters
      - AbstractController::Callbacks
      - ActionController::Rescue
      - AbstractController::Rendering
      - ActionController::Instrumentation
      - ActionController::UrlFor
      - …
  24. REJECTED CONTROLLER MODULES
      - AbstractController::Translation
      - ActionController::MimeResponds
      - ActionController::Cookies
      - …
  25. SHOULD I USE --api?
  26. SHOULD I USE --api?
      - Guide: Using Rails for API-only Applications
  27. SHOULD I USE --api?
      - Guide: Using Rails for API-only Applications
      - Opinion: The guide provides more value than the actual CLI flag
  28. SHOULD I USE --api?
      - Guide: Using Rails for API-only Applications
      - Opinion: The guide provides more value than the actual CLI flag
      - Use flag or not: Manual config work is necessary! Example: remove SendFile, add Translation
  29. SHOULD I USE --api?
      - Guide: Using Rails for API-only Applications
      - Opinion: The guide provides more value than the actual CLI flag
      - Use flag or not: Manual config work is necessary! Example: remove SendFile, add Translation
      - Easy reverse-engineering: No need to generate a new app to use it!
  30. MORE OPTIONS FOR rails new
      - --skip-yarn
      - --skip-sprockets
      - --skip-action-mailer
      - --skip-active-storage
      - --skip-action-cable
      - --skip-active-record
      - …
  31. EXAMPLE FOR rails new
      - rails new --api --skip-active-storage --skip-action-mailer --skip-active-record --skip-action-cable ApiExample
      - Pro tip: Evaluating the Middleware, Controller-includes and building blocks makes sense for every kind of Rails app!
  32. THE SACRED DREAM OF THE HTTP-ONLY LEAN, MEAN REST API SERVER.
  33. LIVING THE BACKEND DEV DREAM
      - Stateless
      - Unaware of the rest of the world
      - Pure data channelled through HTTP
  34. THE REAL SCOPE OF YOUR APPLICATION
      - Your app is usually more than a public-facing API.
  35. CONSIDER FOR BROWSER CLIENTS
      - You might need CORS.
      - Do you need it for every route?
      - What does this mean for SEO, your crawl budget?
  36. WHICH KIND OF AUTH FOR THE BROWSER?
      - Session, e.g. via wildcard cookies
        - Good: HTTP only, SSL only
        - Bad: Danger of Request Forgery, not suitable for mobile
      - API Tokens:
        - Good: No CSRF attacks
        - Bad: Accessible via JS, offloads some Security to SPA, no more session store
  37. STATIC PAGES - PagesController#home
      - Do you need to host static pages? e.g. for mobile clients, imprint for app stores
      - Are your current static pages really static?
      - Where will this content come from? A CMS? Static from the SPA?
      - Is it really independent from the API platform?
  38. ADMIN UI
      - Productivity: Ransack, Kaminari, Devise, SimpleForm, etc.
      - Its own SPA?
      - Admin API? Admin API Docs?
      - Another Rails app as a client? (ActiveResource-style)
  39. EMBEDDED OTHER WEB APPS?
      - Mail preview renderings
      - Sidekiq/Resque web interfaces
      - Keep authentication in mind!
  40. MORE COMPLICATED WORKFLOWS
      - OAuth provider
      - Email workflow (confirmation)
      - API Server must know URL of SPA?
  41. :O
  42. WILL THIS PAY OFF?
  43. WILL THIS PAY OFF?
      - Rails is not only easy to configure…
  44. WILL THIS PAY OFF?
      - Rails is not only easy to configure…
      - …it is also easy to tear apart!
  45. WILL THIS PAY OFF?
      - Rails is not only easy to configure…
      - …it is also easy to tear apart!
      - Startup and testing will be much faster.
  46. WILL THIS PAY OFF?
      - Rails is not only easy to configure…
      - …it is also easy to tear apart!
      - Startup and testing will be much faster.
      - But: Really important to determine the scope of necessary changes.
  47. WILL THIS PAY OFF?
      - Rails is not only easy to configure…
      - …it is also easy to tear apart!
      - Startup and testing will be much faster.
      - But: Really important to determine the scope of necessary changes.
      - Check not only technical effort, but also your workflow.
  48. THANK YOU!
      - Christian Bäuerlein, @fabrik42
      - Backend Engineer at ioki.com (yes, we are hiring!)
  49. SOURCES
      - Using Rails for API-only Applications
      - Rails CSRF protection for SPA
      - How to Build Rails APIs Following the json:api Spec
      - Building a JSON API with Rails 5
      - Building the Perfect Rails 5 API Only App
      - Master Ruby Web APIs - Devblast
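
The browser-clients slide asks whether CORS is needed for every route. As an added example (not code from the talk), here is a plain Rack middleware that sends CORS headers only under one path prefix and only to allowlisted origins; `ScopedCors`, the `/api/` prefix and the SPA origin are hypothetical names chosen for illustration.

```ruby
# Added example: route-scoped CORS as a plain Rack middleware (no gems needed).
# ScopedCors, the /api/ prefix and the SPA origin below are hypothetical.
class ScopedCors
  ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
  ALLOWED_HEADERS = "Authorization, Content-Type"

  def initialize(app, origins:, prefix: "/api/")
    @app = app
    @origins = origins.freeze # exact-match allowlist, never "*"
    @prefix = prefix
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]
    # Outside the prefix (admin UI, embedded web apps, static pages) or
    # without an Origin header, pass through with no CORS headers at all.
    return @app.call(env) unless origin && env["PATH_INFO"].to_s.start_with?(@prefix)

    allowed = @origins.include?(origin)
    if preflight?(env)
      # Answer the preflight here. A disallowed origin gets no Allow-* headers,
      # so the browser never sends the real cross-origin request.
      headers = allowed ? cors_headers(origin).merge("vary" => "Origin") : { "vary" => "Origin" }
      return [204, headers, []]
    end

    status, headers, body = @app.call(env)
    vary = [headers["vary"], "Origin"].compact.join(", ")
    headers = headers.merge("vary" => vary) # keep caches from mixing origins
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end

  private

  def preflight?(env)
    env["REQUEST_METHOD"] == "OPTIONS" && env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
  end

  def cors_headers(origin)
    { "access-control-allow-origin" => origin,
      "access-control-allow-methods" => ALLOWED_METHODS,
      "access-control-allow-headers" => ALLOWED_HEADERS }
  end
end

# Constructed demo: a stand-in JSON app and a single allowed SPA origin.
DEMO_APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }
DEMO = ScopedCors.new(DEMO_APP, origins: ["https://spa.example.com"])
```

A simple GET from a disallowed origin still reaches the app; CORS only stops the browser from exposing the response to the calling page, so every route still needs its own authentication.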