Why REST
§ Web services are especially popular
§ Cross-language support
§ Users know how to use it
§ Reduce documentation
§ Reduce coding of a separate API/UI path
Things To Watch For
§ Consistency in URLs, Error Codes, Search, Pagination
§ Id/URL as primary identifier
§ Discoverability
§ Security: Authorization, Authentication, Privacy
§ Testing
History
§ XMLRPC 1998, Dave Winer – Userland/Microsoft
§ SOAP 1998, Winer/various – Microsoft
§ REST 2000, Roy Fielding, UC Irvine
When
§ YES: External Facing Services
§ MAYBE: Internal Services
§ But Also:
  § Message Buses/Queues
  § gRPC/other
General Error Codes
§ 200-299 Ok
§ 300-399 Redirects
§ 400-499 User Error
§ 500-599 Server Error
Specific Error Codes
§ 200 OK
§ 201 Created OK
§ 204 Deleted OK
§ 302 Redirect
§ 400 Bad Request
§ 401 Unauthorized
§ 403 Forbidden
§ 404 Not Found
§ 409 Conflict
§ 500 Internal Server Error
Authentication (Humans)
§ POST /api/v1/login
  § { "user" : "bob", "password" : "12345" }
  § => { "session-ID" : "ABCDEFGABCDEFG" }
§ GET /api/v1/something_restricted
  § HEADER:
    § X-SESSION-ID: "ABCDEFGABCDEFG"
§ Backend looks for headers
§ Session table keeps track of last time token was used
§ Sessions not used for ~30 minutes may expire (auto-logout)
§ Client handles re-login or keep-alive as needed
Authentication (Machines)
§ Use X-API-KEY from separate table
Authorization
§ Being logged in does not mean you are allowed to get something
§ Backend code must return HTTP 403 as appropriate
Filtering
§ Private records
  § If not admin, maybe /api/v1/users should only return you
§ Private fields
  § Don’t return passwords
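The login, idle-expiry, X-API-KEY, 401/403 and filtering rules from the last four slides, worked through as an added Python example (not code from the original deck). The user table, API-key table, route paths beyond those on the slides, and the plaintext passwords are assumptions made to keep it self-contained.

```python
import secrets
from datetime import datetime, timedelta, timezone
# Constructed sample tables (hypothetical; plaintext passwords only for brevity).
USERS = {"alice": {"id": 1, "password": "hunter2", "admin": True},
         "bob": {"id": 2, "password": "12345", "admin": False}}
API_KEYS = {"k-build-bot": "alice"}   # machine callers: separate key table
SESSIONS = {}                          # session-id -> {"user", "last_used"}
IDLE_LIMIT = timedelta(minutes=30)     # ~30 min idle => auto-logout

def public_view(name):
    # Private-field filtering: the password never leaves the backend.
    u = USERS[name]
    return {"id": u["id"], "name": name, "admin": u["admin"]}

def authenticate(headers, now):
    # Returns the caller's user name, or None (caller gets a 401).
    if headers.get("X-API-KEY") in API_KEYS:
        return API_KEYS[headers["X-API-KEY"]]
    sess = SESSIONS.get(headers.get("X-SESSION-ID"))
    if sess is None:
        return None
    if now - sess["last_used"] > IDLE_LIMIT:
        SESSIONS.pop(headers["X-SESSION-ID"])   # expired: force re-login
        return None
    sess["last_used"] = now            # every use acts as a keep-alive
    return sess["user"]

def handle(method, path, headers=None, body=None, now=None):
    # Dispatch one request; returns (status, body) as in the slides' examples.
    headers, body, now = headers or {}, body or {}, now or datetime.now(timezone.utc)
    if (method, path) == ("POST", "/api/v1/login"):
        u = USERS.get(body.get("user"))
        if u is None or not secrets.compare_digest(u["password"], body.get("password", "")):
            return 401, {"error": "bad credentials"}
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"user": body["user"], "last_used": now}
        return 200, {"session-ID": sid}
    caller = authenticate(headers, now)
    if caller is None:
        return 401, {"error": "login required"}      # not authenticated
    if method == "GET" and path == "/api/v1/users":   # private-record filtering
        names = list(USERS) if USERS[caller]["admin"] else [caller]
        return 200, [public_view(n) for n in names]
    if method == "GET" and path.startswith("/api/v1/users/"):
        target = path.rsplit("/", 1)[1]
        if target not in USERS:
            return 404, {"error": "not found"}
        if target != caller and not USERS[caller]["admin"]:
            return 403, {"error": "forbidden"}        # logged in, still not allowed
        return 200, public_view(target)
    return 404, {"error": "not found"}
```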
Testing
§ Most REST frameworks should allow
  § Run database setup
  § Call some method that simulates a JSON GET/PUT/POST/DELETE
  § Use database methods to see if rows are present
  § Check error codes
§ For each URL
  § Check all verbs/methods
  § Unauthorized user
  § Authorized user
  § Forbidden user
  § Invalid inputs
  § Valid inputs, correct results
Finishing Up
§ How To Tell If It’s Good
  § Discoverability, Consistency
§ Everything Is Paginated
  § UI can render any page in O(1), not O(n)
§ Actions and Weird Verbs
  § Jobs & Job Templates
§ Complex Endpoints for UI Simplicity
§ (Whiteboard Discussion)
Database Tips
§ Go to Ignacio’s Lecture!
§ Index any field you may search by
Questions/Example?
§ Questions?
§ Let’s lay out an app?