@IvanVanderbyl github.com/ivanvanderbyl ivan.ly Wednesday, 15 August 12 The last time I did a presentation at rorosyd was two and half years ago, it went terribly.
Authentication ‣ State transitions ‣ Asynchronous state representation Wednesday, 15 August 12 OrionVM gave me the simple brief of: Keep it simple, and make it fast. When we set out to architect the API we had some very basic goals in mind, but they quickly grew and I'll share some of most valuable points: - Every bit of customer interaction with the Orion platform had to be possible through the API - This included not only the typical CRUD operations I'm sure you're all aware off that you get out of the box with Rails, but also the state transitions associated with physical resources — it is stopped, running, shutting down? - We made a concerted effort to version the API from day one, to ensure we could change the schema without affecting our, now quite notable, clients. - While I was building this we had the third largest telco building a Node.js client to connect with their new cloud platform. - One of the mistakes we made with the first platform's API was using account login details to authenticate the API — this nearly never represents the ideal real world use case — the API is not being accessed by a user, rather by a machine, these machines should have their own authentication with your service through API tokens. - Representing the state of transient resources like Instances, Disks and Network interfaces is tricky with a stateless API, we solved this in two ways, one, by using a caching layer to allow multiple repeated requests to resource state, and two by implementing a callback API using web hooks to allow external services to be told about state changes, instead of asking.
big lesson was don't assume you made the right design decision because it looked good at the time, actually use your own API as you build it, I learnt this one really early on in the piece and decided to build the web frontend which would later become our management console at the same time as building the API — for this I chose Ember.js and designed it to run completely standalone to the API server, while utilising all the features of the API - The other 'client' we used was good old curl, if your queries are well structured you form a certain closeness with the use of curl, you can't get much more bare bones than that.
Wednesday, 15 August 12 The next big lesson was don't assume you made the right design decision because it looked good at the time, actually use your own API as you build it, I learnt this one really early on in the piece and decided to build the web frontend which would later become our management console at the same time as building the API — for this I chose Ember.js and designed it to run completely standalone to the API server, while utilising all the features of the API - The other 'client' we used was good old curl, if your queries are well structured you form a certain closeness with the use of curl, you can't get much more bare bones than that.
Document everything, every endpoint, every header, every supported parameter, every response value, and better yet make your API documentation interactive, we're yet to do this but it is on the way. Writing documentation for APIs is painful, it is even more painful when you have to do it afterwards. We found a nice balance, define a simple markdown format that represents what we want, then get into the rhythm of documenting endpoints as you write them. Have a one command deployment solution to deploying documentation, we use a simple git hook on a remote server to compile the site from markdown using nanoc then point the web server to the new source.
json_spec Wednesday, 15 August 12 If your method for testing the API you're building involved reloading curl or a web browser, you are doing things seriously wrong. With a few simple tools you can test the JSON responses from you API with very little code, and I'll show you an example at the end.
mount InstancesAPI => '/api' Wednesday, 15 August 12 At the core of it, every Grape app is just rack middleware, you can subclass it, initialise it, and mount it within rack, or an existing Rails app with ease, and it just works.
=> "v" end http://localhost:9292/instances?v=v1 Parameter based versioning Wednesday, 15 August 12 Grape comes with three built in versioning mechanisms, you can use parameter based version, that is, when you specify the version as http parameter. The second is path based, which is common with services like github, foursquare and twitter, but considered by many to be a messy and limiting approach, which can in some cased require extra work to use certain client libraries, especially if the library is out of date and you want to update it. We chose to use header based versioning, this is by far the simplest and most flexible, if you don't specify a version it assumes you want the latest version, and if you request a specific version it gives it to you. It also means we can change the response schema without changing the endpoints, which again is very useful if we decide we want to add an attribute, or change something drastically to meet our needs without affecting existing users.
http://localhost:9292/v1/instances Path based versioning Wednesday, 15 August 12 Grape comes with three built in versioning mechanisms, you can use parameter based version, that is, when you specify the version as http parameter. The second is path based, which is common with services like github, foursquare and twitter, but considered by many to be a messy and limiting approach, which can in some cased require extra work to use certain client libraries, especially if the library is out of date and you want to update it. We chose to use header based versioning, this is by far the simplest and most flexible, if you don't specify a version it assumes you want the latest version, and if you request a specific version it gives it to you. It also means we can change the response schema without changing the endpoints, which again is very useful if we decide we want to add an attribute, or change something drastically to meet our needs without affecting existing users.
=> 'orion-vm' end "Accept=application/vnd.orion-‐vm-‐v1+json" Header based versioning Wednesday, 15 August 12 Grape comes with three built in versioning mechanisms, you can use parameter based version, that is, when you specify the version as http parameter. The second is path based, which is common with services like github, foursquare and twitter, but considered by many to be a messy and limiting approach, which can in some cased require extra work to use certain client libraries, especially if the library is out of date and you want to update it. We chose to use header based versioning, this is by far the simplest and most flexible, if you don't specify a version it assumes you want the latest version, and if you request a specific version it gives it to you. It also means we can change the response schema without changing the endpoints, which again is very useful if we decide we want to add an attribute, or change something drastically to meet our needs without affecting existing users.
instances" get do current_account.instances.all end desc "Update a resource" put "/:id" do instance.update_attributes(params[:instance]) end end end Defining Endpoints Wednesday, 15 August 12 This will automatically return a JSON representation of the return value of the proc, so in this case we get an array of instances at the index method, and a singular object representing the updated instance
resource" params do requires :instance, :type => Hash, :desc => "The Instance" end put "/:id" do instance.update_attributes(params[:instance]) end end end Validating params Wednesday, 15 August 12 Grape also provides built in validations for attributes, and will automatically send back the correct response when the request arguments are invalid, including a 400 bad request status code, and a message formatted in JSON
'returns an array of instances' do get "/api/instances" last_response.should be_ok last_response.should have_json_path('instances/0/hostname') end end end Testing Endpoints Wednesday, 15 August 12 Let me talk you through what is happening here, I'm sure you all the the rspec syntax so I won't delve into that, first I've included Rack Test methods, this is a simple gem for testing http requests made within rack apps, and in this case grape.
'returns an array of instances' do get "/api/instances" last_response.should be_ok last_response.should have_json_path('instances/0/hostname') end end end Testing Endpoints Wednesday, 15 August 12 The next part is simply describing, in a somewhat verbose way, what the endpoint we should do, this will help anyone else that works on this codebase know exactly what this example should do.
'returns an array of instances' do get "/api/instances" last_response.should be_ok last_response.should have_json_path('instances/0/hostname') end end end Testing Endpoints Wednesday, 15 August 12 Rack test gives as similar methods to RSpec's controller test integration, so we can simply make a get request at this endpoint and it will capture the response for us.
'returns an array of instances' do get "/api/instances" last_response.should be_ok last_response.should have_json_path('instances/0/hostname') end end end Testing Endpoints Wednesday, 15 August 12 And lastly, we check that the response had a 200 OK response, and that the returned JSON contains the path instances, which is an array, and the first item has the key hostname.
objects What sort of object is this? Wednesday, 15 August 12 You might think JSON is JSON, so allow me to point out some fine nuances of JSON responses. Let's take the single object approach, we have an object, pretty simple, and we have a collection of objects, pretty simple again. Now what is this object?
Collection of Instances Always include a root element Wednesday, 15 August 12 Always include a root element, root elements identify to your machines what sort of object they are consuming
Collection of Instances No Object root element in collections {"instances": [{"instance"{"id":1}}} Collection of Instances Don't do this Wednesday, 15 August 12 Always include a root element, root elements identify to your machines what sort of object they are consuming
active_count: 1 page: 1 total: 10 } Don't do this! Wednesday, 15 August 12 Please don't include counts in your response, they are not needed. Arrays provide this natively. If you need to provide paging, use the Link header
So, once we went beyond creating and destroying records in our database we had to create endpoints for starting and stopping resources, this is a very nonstandard use of REST, it is akin to providing endpoints to control a toaster — "I can't turn on unless I have bread etc"
GET /instances/:id Fetch an Instance HTTP METHODS Wednesday, 15 August 12 Lets talk about methods, HTTP has a bunch of them, you've probably all seen these ones, they have become pretty much the standard interface of the web these days
an Instance GET /instances/:id Fetch an Instance PUT /instances/:id Replace an Instance DELETE /instances/:id Destroy all Instance PATCH /instances/:id Update an Instance HEAD /instances/:id Return headers only OPTIONS /instances Supported methods TRACE /instances Echo CONNECT /instances Mad Hax Wednesday, 15 August 12 But what about these ones, defined in RFC 2116, surely we could make use of a few of these.
/instances/:id 200 OK PUT /instances/:id 200 OK DELETE /instances/:id 204 No Content PATCH /instances/:id 200 OK Status codes tell machines how to handle the response. Wednesday, 15 August 12 You may have noticed on my previous slide about testing that I was asserting the correct status code was being returned, this is important as it tells machines how they should handle the response.
Basic/Digest ‣ OAuth / OAuth2 ‣ X-Auth ‣ Multi-factor SSL shared key Wednesday, 15 August 12 If your method for testing the API you're building involved reloading curl or a web browser, you are doing things seriously wrong. With a few simple tools you can test the JSON responses from you API with very little code, and I'll show you an example at the end.
ivanvanderbyl
akidon0000
kuroppe1819
quramy
77web
kj455
pyama86
ryukobayashi
o0h
1wedge_one
ikumatadokoro
memory1994
teamlab
thekraken
afnizarnur
colly
ddemaree
andyhume
lauravandoore
pedronauck
marcelosomers
reverentgeek
cherdarchuk
bkeepers
cassininazir
![{"id":1} Structuring responses [{"id":1}, {"id":2}, {"id":3}] Single object Collection of](https://files.speakerdeck.com/presentations/502ae643967088000200c34b/slide_20.jpg){kind=link}
![{"instance": {"id":1}} Structuring responses {"instances": [{"id":1}, {"id":2}, {"id":3}]} Single Instance](https://files.speakerdeck.com/presentations/502ae643967088000200c34b/slide_21.jpg){kind=link}
![{"instance": {"id":1}} Structuring responses {"instances": [{"id":1}, {"id":2}, {"id":3}]} Single Instance](https://files.speakerdeck.com/presentations/502ae643967088000200c34b/slide_22.jpg){kind=link}
![Random meta data { "people": [{"id":1}, {"id":2}, {"id":3}], count: 3,](https://files.speakerdeck.com/presentations/502ae643967088000200c34b/slide_23.jpg){kind=link}
