RuhrJS 2016: The dirty little secrets of building large, highly available, scalable HTTP APIs

Slide 1

Slide 1 text

The dirty little secrets of building large, highly available, scalable HTTP APIs by @dschenkelman

Slide 2

Slide 2 text

Topic 1

Slide 3

Slide 3 text

Topic 2

Slide 4

Slide 4 text

Topic 3

Slide 5

Slide 5 text

Why? var express = require('express'); var app = express(); app.get('/', function (req, res) { res.send('Hello World!'); }); var server = app.listen(3000, function () { var host = server.address().address; var port = server.address().port; console.log('Example app listening at http://%s:%s', host, port); });

Slide 6

Slide 6 text

Developers

Slide 7

Slide 7 text

Evolution

Slide 8

Slide 8 text

Pillars

Slide 9

Slide 9 text

Validation

Slide 10

Slide 10 text

enabled: true

Slide 11

Slide 11 text

enabled: 1

Slide 12

Slide 12 text

enabled: 1.0

Slide 13

Slide 13 text

enabled: "false"

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

JSON Schemas "enabled": { "type": "boolean" }

Slide 16

Slide 16 text

Errors for developers { "statusCode": 400, "error": "Bad Request", "message": "Payload validation error: 'Expected type boolean but found type string' on property enabled (true if the rule is enabled, false otherwise).", "errorCode": "invalid_body" }

Slide 17

Slide 17 text

ratify const ZSchemaErrors = require('z-schema-errors'); const errorReporters = ['headers', 'query', 'path', 'payload'].reduce((current, part) => { current[part] = ZSchemaErrors.init({/*...*/}); return current; }, {}); plugins.push({ register: require('ratify'), options: { errorReporters: errorReporters, /*...*/ } });

Slide 18

Slide 18 text

Documentation

Slide 19

Slide 19 text

Old API Explorer

Slide 20

Slide 20 text

Auto-generate docs

Slide 21

Slide 21 text

Swagger

Slide 22

Slide 22 text

Leverage validation "enabled": { "type": "boolean", "description": "true if the connection is enabled, false (default) otherwise" }

Slide 23

Slide 23 text

Customize

Slide 24

Slide 24 text

AuthN & AuthZ

Slide 25

Slide 25 text

Token Exchange API Client API Server 1. Credentials 2. API Token 3. Requests

Slide 26

Slide 26 text

Granular Security

Slide 27

Slide 27 text

Decentralized Issuance

Slide 28

Slide 28 text

Expiration Control

Slide 29

Slide 29 text

Debuggability

Slide 30

Slide 30 text

JSON Web Token JWT

Slide 31

Slide 31 text

Authenticate For all endpoints

Slide 32

Slide 32 text

Authorize Per endpoint

Slide 33

Slide 33 text

Route { method: 'GET', path: '/api/v2/clients/{id}', config: { auth: { strategy: 'jwt', scope: ['read:clients', 'read:client_keys'] }, } }

Slide 34

Slide 34 text

Blacklisting

Slide 35

Slide 35 text

Badgers

Slide 36

Slide 36 text

Stress tests

Slide 37

Slide 37 text

Faith unsigned long income;

Slide 38

Slide 38 text

Engineers Stress

Slide 39

Slide 39 text

What to do…

Slide 40

Slide 40 text

Rate Limiting

Slide 41

Slide 41 text

Token Bucket

Slide 42

Slide 42 text

limitd #port to listen on port: 9001 #db path db: /var/limitd/database #define the bucket types buckets: customers: size: 10 per_second: 10

Slide 43

Slide 43 text

429 X-RateLimit-Limit Maximum amount X-RateLimit-Remaining How many there are left X-RateLimit-Reset When will bucket be full again

Slide 44

Slide 44 text

patova plugins.push({ register: require('patova'), options: { event: 'onPostAuth', // when to perform the limit check type: 'tenant', // bucket address: env.LIMITD_SERVER, extractKey: function(request, reply, done){ const key = request.auth.credentials.__tenant; done(null, key); } } });

Slide 45

Slide 45 text

Geo Redundancy

Slide 46

Slide 46 text

Data Center Failure

Slide 47

Slide 47 text

Natural Disasters

Slide 48

Slide 48 text

Cloud Provider Failure

Slide 49

Slide 49 text

Our Setup

Slide 50

Slide 50 text

Our Setup App Instances MongoDB Elastic Search App Instances MongoDB Elastic Search MongoDB

Slide 51

Slide 51 text

The switch

Slide 52

Slide 52 text

Changes

Slide 53

Slide 53 text

Experiments

Slide 54

Slide 54 text

feature-change const feature_change = require('feature-change'); var options = { expected: function(cb){ mongo_search(mongo_opts, cb); }, actual: function(cb){ es_search(es_opts, cb); }, logAction: function(current_result, new_result){ // invoked when there is a difference in the results // (useful for logging) } }; feature_change(options, function(err, result){ // this is the original callback you were using for mongo // err and result always come from mongo_search });

Slide 55

Slide 55 text

Iron out differences

Slide 56

Slide 56 text

Wrap up

Slide 57

Slide 57 text

Shipping is important

Slide 58

Slide 58 text

Remember: evolve

Slide 59

Slide 59 text

Validation & Docs • http://json-schema.org • http://swagger.io • https://auth0.com/docs/api/v2 (example of branded auto-generated docs) • https://github.com/mac-/ratify

Slide 60

Slide 60 text

AuthN & AuthZ • https://tools.ietf.org/html/rfc7519 • http://jwt.io/ • https://auth0.com/blog/2014/12/02/using-json- web-tokens-as-api-keys/ • https://auth0.com/blog/2015/03/10/blacklist-json- web-token-api-keys/ • https://github.com/auth0/hapi-auth-jwt

Slide 61

Slide 61 text

Rate limiting • http://tools.ietf.org/html/rfc6585 • https://github.com/limitd • https://github.com/dschenkelman/patova

Slide 62

Slide 62 text

BaaS • http://security.stackexchange.com/a/83382 • http://www.brendangregg.com/FlameGraphs/ cpuﬂamegraphs.html • https://github.com/thlorenz/v8-perf/issues/4 • https://github.com/auth0/node-baas • http://docs.aws.amazon.com/AutoScaling/latest/ DeveloperGuide/US_SetUpASLBApp.html

Slide 63

Slide 63 text

Geo Redundancy • http://highscalability.com/blog/2014/12/1/auth0- architecture-running-in-multiple-cloud-providers- and-r.html • https://auth0.com/availability-trust • http://docs.mongodb.org/master/tutorial/deploy- geographically-distributed-replica-set/

Slide 64

Slide 64 text

Feature Changes • http://zachholman.com/talk/move-fast-break- nothing/ • https://auth0.com/blog/2015/10/27/feature- changes-at-auth0/ • https://github.com/dschenkelman/feature- change

Slide 65

Slide 65 text

Thanks https://github.com/dschenkelman/api-secrets-talk @dschenkelman npm i dschenkelman