Rails API-only considerations

How to use the --api flag in Rails and what to consider when migrating a Rails application to an API-only version of it.

I gave this talk at the Ruby Frankfurt Meetup: https://www.meetup.com/de-DE/Frankfurt-Ruby-Meetup/events/256159202

Christian Bäuerlein

November 15, 2018

Transcript

  1. RAILS API-ONLY CONSIDERATIONS

  2. WELCOME
    Christian Bäuerlein
    @fabrik42
    Backend Engineer at ioki.com (yes, we are hiring!)

  3. RAILS API-ONLY CONSIDERATIONS

  7. WHAT THIS TALK IS NOT ABOUT
    Are SPAs a good idea?
    Are Microservices a good idea?
    API best practices

  11. WHAT THIS TALK IS ABOUT
    How to use the api flag
    Considerations when going API-only
    Create more questions than answers

  14. WHY RAILS
    Middleware, Logging, Instrumentation, Caching
    Code-reloading, Environments
    Security
    Parameters, Error handling
    Rails console!
    Convention over Configuration

  15. WHAT IS --api?
    Since Rails 5.0
    rails new --api
    Sane defaults for API-only applications

  20. WHAT DOES --api?
    No Views/Assets incl. configured Generators
    Adjust Controller modules
      ActionController::API instead of ActionController::Base
    Adjust Rack Middleware

  21. SELECTED MIDDLEWARES
    Rack::Sendfile, ActionDispatch::Static
    AD::Executor, AD::Reloader
    AD::RemoteIp
    AD::ShowExceptions, AD::DebugExceptions
    ActiveRecord::Migration::CheckPending
    Rails::Rack::Logger, Rack::Runtime, AD::RequestId
    Rack::ConditionalGet, Rack::ETag

  22. REJECTED MIDDLEWARES
    Rack::MethodOverride
    Asset/Sprocket-related
    Cookies, Flash-related

  23. SELECTED CONTROLLER MODULES
    ActionController::StrongParameters
    AbstractController::Callbacks
    ActionController::Rescue
    AbstractController::Rendering
    ActionController::Instrumentation
    ActionController::UrlFor

  24. REJECTED CONTROLLER MODULES
    AbstractController::Translation
    ActionController::MimeResponds
    ActionController::Cookies

  29. SHOULD I USE --api?
    Guide: Using Rails for API-only Applications
    Opinion: The guide provides more value than the actual CLI flag
    Use flag or not: Manual config work is necessary!
      Example: remove SendFile, add Translation
    Easy reverse-engineering: No need to generate a new app to use it!

  30. MORE OPTIONS FOR rails new
    --skip-yarn
    --skip-sprockets
    --skip-action-mailer
    --skip-active-storage
    --skip-action-cable
    --skip-active-record

  31. EXAMPLE FOR rails new
    rails new --api --skip-active-storage --skip-action-mailer --skip-active-record --skip-action-cable ApiExample
    Pro tip: Evaluating the Middleware, Controller-includes and building blocks makes sense for every kind of Rails app!

  32. THE SACRED DREAM OF THE HTTP-ONLY LEAN, MEAN REST API SERVER.

  33. LIVING THE BACKEND DEV DREAM
    Stateless
    Unaware of the rest of the world
    Pure data channelled through HTTP

  34. THE REAL SCOPE OF YOUR APPLICATION
    Your app is usually more than a public-facing API.

  35. CONSIDER FOR BROWSER CLIENTS
    You might need CORS. Do you need it for every route?
    What does this mean for SEO, your crawl budget?

  36. WHICH KIND OF AUTH FOR THE BROWSER?
    Session, e.g. via wildcard cookies
      Good: HTTP only, SSL only
      Bad: Danger of Request Forgery, not suitable for mobile
    API Tokens:
      Good: No CSRF attacks
      Bad: Accessible via JS, offloads some Security to SPA, no more session store

  37. STATIC PAGES - PagesController#home
    Do you need to host static pages?
      e.g. for mobile clients, imprint for app stores
    Are your current static pages really static?
    Where will this content come from? A CMS? Static from the SPA?
    Is it really independent from the API platform?

  38. ADMIN UI
    Productivity: Ransack, Kaminari, Devise, SimpleForm, etc.
    Its own SPA?
    Admin API?
    Admin API Docs?
    Another Rails app as a client? (ActiveResource-style)

  39. EMBEDDED OTHER WEB APPS?
    Mail preview renderings
    Sidekiq/Resque web interfaces
    Keep authentication in mind!

  40. MORE COMPLICATED WORKFLOWS
    OAuth provider
    Email workflow (confirmation)
    API Server must know URL of SPA?

  41. :O

  47. WILL THIS PAY OFF?
    Rails is not only easy to configure…
    …it is also easy to tear apart!
    Startup and testing will be much faster.
    But: Really important to determine the scope of necessary changes.
    Check not only technical effort, but also your workflow.

  48. THANK YOU!
    Christian Bäuerlein
    @fabrik42
    Backend Engineer at ioki.com (yes, we are hiring!)

  49. SOURCES
    Using Rails for API-only Applications
    Rails CSRF protection for SPA
    How to Build Rails APIs Following the json:api Spec
    Building a JSON API with Rails 5
    Building the Perfect Rails 5 API Only App
    Master Ruby Web APIs - Devblast
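
Added example, not part of the talk: slides 35 and 36 ask whether CORS is needed on every route and weigh session cookies (request forgery risk) against API tokens. The plain-Ruby Rack-style middleware below scopes CORS to one path prefix and an origin allowlist, and requires a trusted Origin only on state-changing requests that carry a cookie. The class name, origin, prefix and helper are assumptions, and the Origin check is a different technique from Rails' token-based `protect_from_forgery`.

```ruby
# Added example: Rack calling convention in plain Ruby, no gems needed.
class BrowserClientGuard
  ALLOWED_ORIGINS = ["https://app.example.test"].freeze # assumption: the SPA's origin
  CORS_PREFIX     = "/api/"                             # assumption: routes the SPA calls
  SAFE_METHODS    = %w[GET HEAD OPTIONS].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    origin  = env["HTTP_ORIGIN"]
    trusted = ALLOWED_ORIGINS.include?(origin)
    cors    = trusted && env["PATH_INFO"].start_with?(CORS_PREFIX)

    # Preflight is answered here, and only for allowlisted origins on CORS routes.
    if env["REQUEST_METHOD"] == "OPTIONS" && env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
      return cors ? [204, cors_headers(origin, preflight: true), []] : [403, {}, []]
    end

    # The browser attaches a session cookie on its own, so a state-changing
    # request that carries one must come from a trusted origin. Requests with
    # no cookie (API token in the Authorization header) skip this check.
    if env.key?("HTTP_COOKIE") && !SAFE_METHODS.include?(env["REQUEST_METHOD"]) && !trusted
      return [403, { "content-type" => "application/json" }, ['{"error":"untrusted origin"}']]
    end

    status, headers, body = @app.call(env)
    [status, cors ? headers.merge(cors_headers(origin)) : headers, body]
  end

  private

  def cors_headers(origin, preflight: false)
    base = { "access-control-allow-origin" => origin,
             "access-control-allow-credentials" => "true", "vary" => "Origin" }
    return base unless preflight
    base.merge("access-control-allow-methods" => "GET, POST, PUT, PATCH, DELETE",
               "access-control-allow-headers" => "Authorization, Content-Type")
  end
end

# Constructed downstream app and request builder for exercising the guard.
INNER_APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }

def guard_response(method, path, headers = {})
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }.merge(headers)
  BrowserClientGuard.new(INNER_APP).call(env)
end
```

In a Rails app a middleware like this would be registered with `config.middleware.use`; the rack-cors gem covers the CORS half with a similar per-resource configuration.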