Slide 1

Slide 1 text

RAILS API-ONLY CONSIDERATIONS

Slide 2

Slide 2 text

WELCOME
Christian Bäuerlein
@fabrik42
Backend Engineer at ioki.com (yes, we are hiring!)

Slide 7

Slide 7 text

WHAT THIS TALK IS NOT ABOUT
- Are SPAs a good idea?
- Are Microservices a good idea?
- API best practices

Slide 11

Slide 11 text

WHAT THIS TALK IS ABOUT
- How to use the api flag
- Considerations when going API-only
- Create more questions than answers

Slide 14

Slide 14 text

WHY RAILS
- Middleware, Logging, Instrumentation, Caching
- Code-reloading, Environments
- Security
- Parameters, Error handling
- Rails console!
- Convention over Configuration

Slide 15

Slide 15 text

WHAT IS --api?
- Since Rails 5.0
- rails new --api
- Sane defaults for API-only applications

Slide 20

Slide 20 text

WHAT DOES --api?
- No Views/Assets incl. configured Generators
- Adjust Controller modules
- ActionController::API instead of ActionController::Base
- Adjust Rack Middleware

Slide 21

Slide 21 text

SELECTED MIDDLEWARES
- Rack::Sendfile, ActionDispatch::Static
- AD::Executor, AD::Reloader
- AD::RemoteIp
- AD::ShowExceptions, AD::DebugExceptions
- ActiveRecord::Migration::CheckPending
- Rails::Rack::Logger, Rack::Runtime, AD::RequestId
- Rack::ConditionalGet, Rack::ETag
- …

Slide 22

Slide 22 text

REJECTED MIDDLEWARES
- Rack::MethodOverride
- Asset/Sprocket-related
- Cookies, Flash-related
- …

Slide 23

Slide 23 text

SELECTED CONTROLLER MODULES
- ActionController::StrongParameters
- AbstractController::Callbacks
- ActionController::Rescue
- AbstractController::Rendering
- ActionController::Instrumentation
- ActionController::UrlFor
- …

Slide 24

Slide 24 text

REJECTED CONTROLLER MODULES
- AbstractController::Translation
- ActionController::MimeResponds
- ActionController::Cookies
- …

Slide 29

Slide 29 text

SHOULD I USE --api?
- Guide: Using Rails for API-only Applications
- Opinion: The guide provides more value than the actual CLI flag
- Use flag or not: Manual config work is necessary!
- Example: remove SendFile, add Translation
- Easy reverse-engineering: No need to generate a new app to use it!

Slide 30

Slide 30 text

MORE OPTIONS FOR rails new
- --skip-yarn
- --skip-sprockets
- --skip-action-mailer
- --skip-active-storage
- --skip-action-cable
- --skip-active-record
- …

Slide 31

Slide 31 text

EXAMPLE FOR rails new

    rails new --api --skip-active-storage --skip-action-mailer --skip-active-record --skip-action-cable ApiExample

Pro tip: Evaluating the Middleware, Controller-includes and building blocks makes sense for every kind of Rails app!

Slide 32

Slide 32 text

THE SACRED DREAM OF THE HTTP-ONLY LEAN, MEAN REST API SERVER.

Slide 33

Slide 33 text

LIVING THE BACKEND DEV DREAM
- Stateless
- Unaware of the rest of the world
- Pure data channelled through HTTP

Slide 34

Slide 34 text

THE REAL SCOPE OF YOUR APPLICATION
Your app is usually more than a public-facing API.

Slide 35

Slide 35 text

CONSIDER FOR BROWSER CLIENTS
- You might need CORS.
- Do you need it for every route?
- What does this mean for SEO, your crawl budget?
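
The "every route?" question as an added example (not from the talk, and not Rails' own code): a hand-rolled Rack-style middleware that grants CORS only under one path prefix and only to an allowlisted origin. The class name, origin and prefix are assumptions made for illustration; it runs without Rails or Rack installed.

```ruby
# Added example, not code from the talk. Origin list and path prefix are
# constructed sample values; a real app would normally use a maintained gem.
class ScopedCors
  ALLOWED_ORIGINS = ["https://spa.example.test"].freeze
  CORS_PREFIX     = "/api/public/"

  def initialize(app)
    @app = app
  end

  def call(env)
    # Routes outside the prefix (admin, webhooks, ...) never get CORS headers.
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(CORS_PREFIX)

    origin = env["HTTP_ORIGIN"]
    allowed = ALLOWED_ORIGINS.include?(origin)
    cors = { "vary" => "Origin" } # responses differ per Origin; tell caches
    # Echo the exact allowed origin; a disallowed origin gets no grant at all.
    cors["access-control-allow-origin"] = origin if allowed

    if preflight?(env)
      if allowed
        cors["access-control-allow-methods"] = "GET, POST"
        cors["access-control-allow-headers"] = "Authorization, Content-Type"
        cors["access-control-max-age"] = "600"
      end
      return [204, cors, []] # answer the preflight without hitting the app
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors), body]
  end

  private

  def preflight?(env)
    env["REQUEST_METHOD"] == "OPTIONS" &&
      env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
  end
end

# Constructed stand-in for the Rails router, plus a helper to drive it.
DEMO_APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }

def cors_response(path, origin, method = "GET", extra = {})
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path,
          "HTTP_ORIGIN" => origin }.merge(extra)
  ScopedCors.new(DEMO_APP).call(env)
end
```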

Slide 36

Slide 36 text

WHICH KIND OF AUTH FOR THE BROWSER?
- Session, e.g. via wildcard cookies
  - Good: HTTP only, SSL only
  - Bad: Danger of Request Forgery, not suitable for mobile
- API Tokens:
  - Good: No CSRF attacks
  - Bad: Accessible via JS, offloads some Security to SPA, no more session store
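
The request-forgery trade-off above as an added example (not from the talk, and not Rails' built-in forgery protection): a Rack-style guard that checks the Origin header only on state-changing requests carrying the session cookie, so token-only clients such as mobile apps are unaffected. The cookie name, trusted origin and `SameSite` attribute are assumptions made for illustration.

```ruby
# Added example, not code from the talk. Cookie name and origin are constructed.
class CookieCsrfGuard
  SESSION_COOKIE  = "_app_session" # hypothetical cookie name
  TRUSTED_ORIGINS = ["https://app.example.test"].freeze
  SAFE_METHODS    = %w[GET HEAD OPTIONS].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    # Only state-changing requests that carry the ambient session cookie can be
    # forged by another site; token-only clients (mobile) pass straight through.
    if !SAFE_METHODS.include?(env["REQUEST_METHOD"]) && session_cookie?(env) &&
       !TRUSTED_ORIGINS.include?(env["HTTP_ORIGIN"])
      return [403, { "content-type" => "application/json" },
              ['{"error":"cross-site request rejected"}']]
    end
    @app.call(env)
  end

  # Session cookie attributes matching the slide: HttpOnly keeps it away from
  # JS, Secure keeps it off plain HTTP. SameSite is an extra layer (assumption).
  def self.set_cookie(value)
    "#{SESSION_COOKIE}=#{value}; Path=/; HttpOnly; Secure; SameSite=Lax"
  end

  private

  def session_cookie?(env)
    env["HTTP_COOKIE"].to_s.split(/;\s*/).any? do |pair|
      pair.start_with?("#{SESSION_COOKIE}=")
    end
  end
end

# Constructed stand-in app and a helper returning the response status.
CSRF_DEMO_APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }

def guard_status(method, headers = {})
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => "/rides" }.merge(headers)
  CookieCsrfGuard.new(CSRF_DEMO_APP).call(env)[0]
end
```

A cookie-bearing POST without any Origin header is rejected as well, since a missing value is not in the trusted list.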

Slide 37

Slide 37 text

STATIC PAGES - PagesController#home
- Do you need to host static pages?
- e.g. for mobile clients, imprint for app stores
- Are your current static pages really static?
- Where will this content come from? A CMS? Static from the SPA?
- Is it really independent from the API platform?

Slide 38

Slide 38 text

ADMIN UI
- Productivity: Ransack, Kaminari, Devise, SimpleForm, etc.
- Its own SPA? Admin API? Admin API Docs?
- Another Rails app as a client? (ActiveResource-style)

Slide 39

Slide 39 text

EMBEDDED OTHER WEB APPS?
- Mail preview renderings
- Sidekiq/Resque web interfaces
- Keep authentication in mind!

Slide 40

Slide 40 text

MORE COMPLICATED WORKFLOWS
- OAuth provider
- Email workflow (confirmation)
- API Server must know URL of SPA?

Slide 41

Slide 41 text

:O

Slide 47

Slide 47 text

WILL THIS PAY OFF?
- Rails is not only easy to configure…
- …it is also easy to tear apart!
- Startup, testing, will be much faster.
- But: Really important to determine the scope of necessary changes.
- Check not only technical effort, but also your workflow.

Slide 48

Slide 48 text

THANK YOU!
Christian Bäuerlein
@fabrik42
Backend Engineer at ioki.com (yes, we are hiring!)

Slide 49

Slide 49 text

SOURCES
- Using Rails for API-only Applications
- Rails CSRF protection for SPA
- How to Build Rails APIs Following the json:api Spec
- Building a JSON API with Rails 5
- Building the Perfect Rails 5 API Only App
- Master Ruby Web APIs - Devblast