REST API MANUAL Honza Javorek, 11/2013 Based on Steve Klabnik's great article Haters gonna HATEOAS http://timelessrepo.com/haters-gonna-hateoas 

Honza Javorek? 1/154 

honzajavorek.cz 2/154 

Learn how to avoid “Bro, that's not really RESTful.” 3/154 

REST = Representational State Transfer Fielding, Roy Thomas (2000), Architectural Styles and the Design of Network-based Software Architectures, Doctoral dissertation, University of California, Irvine no implementation details goals constraints → REST + HTTP REST × SOAP et al. 4/154 

REST constraints ● client-server ● stateless state of the resource ● cacheable ● layered system load balancing, cache, etc. ● uniform interface guiding principles 5/154 

uniform interface guiding principles ? 6/154 

REST guiding principles ● identification of resources URIs ● manipulation of resources through these representations representation and it's metadata = enough information to manipulate it ● self-descriptive messages each message = enough information to process it (MIME, cache, ...) ● hypermedia as the engine of application state HATEOAS, hyperlinks, hypertext 7/154 

Leonard Richardson's Maturity Model http://martinfowler.com/articles/richardsonMaturityModel.html 4 steps toward the glory of REST 8/154 

4 levels of “REST support” 1. “The Swamp of POX” You’re using HTTP to make RPC calls. HTTP is only really used as a tunnel. 2.Resources Rather than making every call to a service endpoint, you have multiple endpoints that are used to represent resources, and you’re talking to them. 3.HTTP verbs You interact with resources using HTTP verbs, rather than always using POST. 4.HATEOAS Hypermedia Controls. HATEOAS. You’re 100% REST compliant. 9/154 

HTTP REST ≠ 10/154 

HTTP REST ≠ 10/154 

HTTP REST ≠ čím víc bludišťáků, tím víc RESTful 10/154 

REST can be provided over any protocol. Boring fact: Everyone implementing REST uses HTTP. HTTP REST architecture You want your API to be here 11/154 

resources RPC ≠ 12/154 

POST /photos.getInfo POST /photos.comments.addComment POST /photos.comments.deleteComment POST /photos.comments.editComment 13/154 

POST /photos.getInfo POST /photos.comments.addComment POST /photos.comments.deleteComment POST /photos.comments.editComment 13/154 

RESOURCES, MOTHERFUCKER! 

POST /photos/add POST /comments/add POST /comments/42/delete 

CRUD HTTP verbs → 

POST /photos/add POST /photos/1/delete 

VERBS, MOTHERFUCKER! 

GET /photos/ POST /photos/ GET /photos/1 PUT /photos/1 PATCH /photos/1 DELETE /photos/1 

Content negotiation 

GET /photos.xml GET /photos.json GET /v1/photos.json 

HEADERS, MOTHERFUCKER! 

No content

Content negotiation as we know it Accept-Language: de; q=1.0, en; q=0.5 Accept: text/html; q=1.0, text/*; q=0.8, image/gif; q=0.6, image/jpeg; q=0.6, image/*; q=0.5, */*; q=0.1 

Content negotiation & API formats Accept: application/json {'body': {'nipples': 2, 'legs': 2}} Accept: application/xml 2 2 

Content negotiation & API versions Accept: application/json {'body': {'nipples': 2, 'legs': 2}} Accept: application/mattel.v1+json {'body': {'nipples': 2}} http://barelyenough.org/blog/2008/05/versioning-rest-web-services/ 

Content negotiation & language Accept-Language: en {'name': 'Barbie', 'body': ...} Accept-Language: cs {'name': 'Barbie', 'body': ...} 

Content negotiation & language Accept-Language: en {'title': 'The Good Soldier Švejk'} Accept-Language: cs {'title': 'Osudy dobrého vojáka Švejka za světové války'} 

HATEOAS 

HATEOAS ● Hypertext As The Engine Of Application State ● hypertext ● engine ● application state 

Your application is just a big state machine. se stim smiř 

HATEOAS ● single entry endpoint to your API ● you can do whatever you need just by inspecting the API ● transitions are made by hyperlinks – URIs ● abstracting away implementation details iOS apps Sounds familiar? Yes, it's exactly how HTML and websites work. 

GET /author/10 { 'id': 10, 'name': 'Gargamel', } GET /author/10/posts/ [ {'id': 3, 'title': 'How to cook smurfs', ...}, {'id': 2, 'title': 'How to chase smurfs', ...}, ] GET /author/10/comments/ [ {'id': 12293, 'text': 'I hate you.'}, {'id': 49939, 'text': 'Smurfs are idiots.'}, ] 

STATE TRANSITIONS, MOTHERFUCKER! 

GET /author/10 { 'uri': '/author/10', 'name': 'Gargamel', 'posts': '/author/10/posts/', 'comments': '/author/10/comments/', } GET /author/10/posts/ [ {'uri': '/posts/3', 'title': 'How to...', ...}, {'uri': '/posts/2', 'title': 'How to...', ...}, ] GET /author/10/comments/ [ {'uri': '/comments/12293', 'text': 'I hate you.'}, {'uri': '/comments/49939', 'text': 'Smurfs...'}, ] 

These are nice, but... really, why should I bother? 

RESTful API pros & cons ● Beautifully consistent and usable. API clients will love you. Look at Django REST framework's browsable APIs. ● It is the future. (Everyone says it, so it must be true.) HTTP2.0 solves the biggest flaws. HTTP2.0 async, multiplexing, compression, pipelining, etc. → ● Designed for scale. Everything is designed for massive caching and counts with presence of middleware. ● Change tolerant. Change business logic in a single place! Without the links the client must implement logic for building links. If you put this code inside your iPhone or Android clients you cannot change the URI structure on the server without breaking existing clients. If a link is present the client can follow the link. A client application does not have to repeat the business logic for deciding if a book can be purchased or downloaded. ● URIs are implementation detail. Choose a URI naming scheme that fits whatever framework or coding conventions that we find useful. 150/154 

Conclusion ● stick to HTTP ● ensure that everything is a resource ● implement CRUD as HTTP verbs ● use content negotiation instead of crippling your URIs ● use the old mighty hypertext instead of juggling with IDs on client side 151/154 

Other suff – best practices ● HTTP status codes ● caching ● authorization ● rate limiting ● OPTIONS ● error handling ● ... 152/154 

whatever you use, make your API OPINIONATED & CONSISTENT 153/154 

cast: