LARACON_2013.pdf

Simple API Development with Laravel Aaron Kuzemchak Laracon 2013 –
Washington, D.C. kuzemchak.net • @akuzemchak • github.com/akuzemchak

Who am I?

Where to find me online Blog: http://kuzemchak.net/ Twitter: @akuzemchak Github:
akuzemchak

Why am I here today?

I’m in love with Laravel Have been since v2

I’m here to hang out with you... the Laravel community
AKA: The “I used to be with CodeIgniter and met Laravel at the funeral” community

I’m here to talk to you about building REST APIs

What we’ll be going over today

1. Foundation & best practices

2. Authentication

3. Rate limits

Why Laravel?

“The perfect merger of simplicity and power” — me

REST is part of the foundation

Filters & events keep things clean

And also...

Laravel is perhaps Arkansas’ greatest export since Walmart

Well, except for my wife ... and my dog ...
and my college degree No, I’m not from there!

Anywho...

Let’s talk about REST

What is it?

“Representational State Transfer (REST) is a style of so!ware architecture
for distributed systems such as the World Wide Web …” “REST has emerged as a predominant Web service design model. The REST architectural style was developed in parallel with HTTP/1.1, based on the existing design of HTTP/1.0 ...” “REST exemplifies how the Web's architecture emerged by characterizing and constraining the macro-interactions of the four components of the Web, namely origin servers, gateways, proxies and clients, without imposing limitations on the individual participants.” — Wikipedia

“A RESTful web service (also called a RESTful web API)
is a web service implemented using HTTP and the principles of REST. It is a collection of resources ...” — Wikipedia

REST uses standard HTTP methods to perform specific actions

GET ‛ Read POST ‛ Create PUT ‛ Update DELETE
‛ Duh

Also, it’s much cooler that other Web service protocol I’m
the king of the WSDL!

Let’s build a sample REST API

A TODO list API I know... boring but eﬀective

A few things to note before we start:

1. I assume you have basic knowledge of Laravel

2. All of the code is available on Github akuzemchak/laracon-todo-api

3. Keeping things very simple No content negotiation, HATEOAS, ETags,
or other assorted fanciness

4. These are my solutions to these problems 4.1. They
are not applicable to every developer or project

5. There is no one right way to build an
API

There are, however, a lot of wrong ways

When building a REST API, you should follow the established
guidelines/principles

KEEP REFRIGERATED

But they aren’t enforced, so it still technically works if
you don’t follow them

This means there are a lot of bad APIs out
there

Some awful stuﬀ I’ve seen:

This was considered a valid 404 response HTTP/1.1 200 OK
Content-Type: text/html Not found

So was this HTTP/1.1 200 OK Content-Type: text/html MXxNeSBmaXJzdCB0YXNrfGZhbHNlfDIwMTItMDItMTEgMjI6MzQ6MDB8MjAxMi0w Mi0xMSAyMjozNDowMAoyfE15IHNlY29uZCB0YXNrfGZhbHNlfDIwMTItMDItMTEg
MjI6MzY6MDB8MjAxMi0wMi0xMSAyMjozNjowMA==

I know...

Which brings us to:

Foundation & best practices

0. Find a good testing tool

Testing directly in the browser is frustrating

Postman for Chrome

RESTed for Mac $2.99 in App Store

HTTPie for terminal junkies

1. Session driver

Every API request will spawn a new session

Lots of junk rows/keys/files

Unnecessary cookies

Solution: Use the “array” driver

// app/config/session.php /* |-------------------------------------------------------------------------- | Default Session Driver |-------------------------------------------------------------------------- |
| This option controls the default session "driver" that will be used on | requests. By default we will use the light-weight cookie driver but | you may specify any of the other wonderful drivers provided here. | | Supported: "cookie", file", "database", "apc", | "memcached", "redis", "array" | */ 'driver' => 'array',

You can still use session features

No persistence, no cookies

2. Error handling

Setup our errors to return JSON

// app/errors.php // General HttpException handler App::error(function(Symfony\Component\HttpKernel\Exception\HttpException $e, $code) {
$headers = $e->getHeaders(); switch ($code) { case 401: $default_message = 'Invalid API key'; $headers['WWW-Authenticate'] = 'Basic realm="REST API"'; break; case 403: $default_message = 'Insufficient privileges to perform this action'; break; case 404: $default_message = 'The requested resource was not found'; break; default: $default_message = 'An error was encountered'; } return Response::json(array( 'error' => $e->getMessage() ?: $default_message, ), $code, $headers); });

// app/errors.php // ErrorMessageException handler App::error(function(ErrorMessageException $e) { $messages =
$e->getMessages()->all(); return Response::json(array( 'error' => $messages[0], ), 400); }); // NotFoundException handler App::error(function(NotFoundException $e) { $default_message = 'The requested resource was not found'; return Response::json(array( 'error' => $e->getMessage() ?: $default_message, ), 404); }); // PermissionException handler App::error(function(PermissionException $e) { $default_message = 'Insufficient privileges to perform this action'; return Response::json(array( 'error' => $e->getMessage() ?: $default_message, ), 403); });

3. URI design & routes

/{type}/{id} /{type}/{id}/{sub-type}/{id}

/lists/1 /lists/1/tasks/1

Method + URI = Action

GET /lists Get all lists GET /lists/1 Get list w/
id == 1 GET /lists/1/tasks Get all tasks for list w/ id == 1 GET /lists/1/tasks/1 Get task w/ id == 1 for list w/ id == 1

POST /lists Create new list PUT /lists/1 Update list w/
id == 1 DELETE /lists/1 Delete list w/ id == 1

POST /lists/1/tasks Create new task for list w/ id ==
1 PUT /lists/1/tasks/1 Update task w/ id == 1 DELETE /lists/1/tasks/1 Delete task w/ id == 1

While we’re on the topic of URIs...

Versioning is a very good idea

/v1/lists/1 /v1/lists/1/tasks/1

// app/routes.php Route::group(array('prefix' => 'v1', 'before' => 'api.auth|api.limit'), function() {
// Routes go here... }); Easy with route groups and prefixes

Completely re-architect later without breaking anything

So you won’t catch a beatdown for breaking your users
apps

4. Send good responses That includes headers!

Response codes tell your users what happened

{"success": false} The old way

Common response codes

200: Success! 201: Resource created 204: Success, but no content
to return 400: Request not fulfilled 401: Not authenticated 403: Refusal to respond 404: Not found 500: Other error

An example use case

// Request setup stuff up here... $response = curl_exec($ch); $code
= curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if ($code !== 200) { // Handle the error... if ($code === 404) { // Do some additional logging... } } // Continue on with code...

Let’s look at how our API responds

HTTP/1.1 200 OK Content-Type: application/json { "id": 1, "name": "Things
to do at Laracon", "created_at": "2013-02-04 18:18:52", "updated_at": "2013-02-04 18:18:52" } GET /v1/lists/1

// app/routes.php Route::get('lists/{id}', function($id) { $list = TaskList::findByOwnerAndId(Auth::user(), $id); return
Response::json($list->toArray()); })->where('id', '\d+');

// app/models/TaskList.php public static function findByOwnerAndId($owner, $id) { if (!is_numeric($owner)
&& !($owner instanceof UserInterface)) { throw new InvalidArgumentException('Owner must be either a numeric ID or an instance of UserInterface'); } $list = static::find($id); if (!$list) { throw new NotFoundException('List was not found'); } $owner_id = ($owner instanceof UserInterface) ? (int) $owner->id : (int) $owner; if ((int) $list->user_id !== $owner_id) { throw new PermissionException('Insufficient access privileges for this list'); } return $list; }

// app/models/TaskList.php public function toArray() { $data = parent::toArray(); $data['id']
= (int) $data['id']; $data['created_at'] = $this->fromDateTime($this->created_at); $data['updated_at'] = $this->fromDateTime($this->updated_at); return $data; }

GET /v1/lists/1/tasks HTTP/1.1 200 OK Content-Type: application/json []

// app/routes.php Route::get('lists/{id}/tasks', function($id) { $list = TaskList::findByOwnerAndId(Auth::user(), $id); return
Response::json($list->tasks->toArray()); })->where('id', '\d+');

POST /v1/lists/1/tasks REQUEST: description=Make+CodeIgniter+joke+during+presentation RESPONSE: HTTP/1.1 201 Created Content-Type: application/json
{ "description": "Make CodeIgniter joke during presentation", "updated_at": "2013-02-04 18:23:08", "created_at": "2013-02-04 18:23:08", "id": 1, "completed": false }

// app/routes.php Route::post('lists/{id}/tasks', function($id) { $list = TaskList::findByOwnerAndId(Auth::user(), $id); $task
= new Task(Input::get()); $task->validate(); $task->list_id = $id; if (!$task->save()) { App::abort(500, 'Task was not saved'); } return Response::json($task->toArray(), 201); })->where('id', '\d+');

HTTP/1.1 200 OK Content-Type: application/json [ { "id": 1, "description":
"Make CodeIgniter joke during presentation", "completed": false, "created_at": "2013-02-04 18:23:08", "updated_at": "2013-02-04 18:23:08" } ] GET /v1/lists/1/tasks

GET /v1/lists/1/tasks/1 HTTP/1.1 200 OK Content-Type: application/json { "id": 1,
"description": "Make CodeIgniter joke during presentation", "completed": false, "created_at": "2013-02-04 18:23:08", "updated_at": "2013-02-04 18:23:08" }

// app/routes.php Route::get('lists/{list_id}/tasks/{id}', function($list_id, $id) { $list = TaskList::findByOwnerAndId(Auth::user(), $list_id);
$task = $list->tasks()->find($id); if (!$task) { App::abort(404); } return Response::json($task->toArray()); })->where('list_id', '\d+')->where('id', '\d+');

PUT /v1/lists/1/tasks/1 REQUEST: completed=true RESPONSE: HTTP/1.1 200 OK Content-Type: application/json
{ "id": 1, "description": "Make CodeIgniter joke during presentation", "completed": true, "created_at": "2013-02-04 18:23:08", "updated_at": "2013-02-04 18:33:19" }

// app/routes.php Route::put('lists/{list_id}/tasks/{id}', function($list_id, $id) { $list = TaskList::findByOwnerAndId(Auth::user(), $list_id);
$task = $list->tasks()->find($id); if (!$task) { App::abort(404); } $task->fill(Input::get()); $task->validate(); if (!$task->save()) { App::abort(500, 'Task was not updated'); } return Response::json($task->toArray()); })->where('list_id', '\d+')->where('id', '\d+');

DELETE /v1/lists/1/tasks/1 HTTP/1.1 204 No Content

// app/routes.php Route::delete('lists/{list_id}/tasks/{id}', function($list_id, $id) { $list = TaskList::findByOwnerAndId(Auth::user(), $list_id);
$task = $list->tasks()->find($id); if (!$task) { App::abort(404); } $task->delete(); return Response::make(null, 204); })->where('list_id', '\d+')->where('id', '\d+');

What about errors?

GET /v1/bazinga HTTP/1.1 404 Not Found Content-Type: application/json { "error":
"The requested resource was not found" }

POST /v1/lists/1/tasks REQUEST: *This space intentionally left blank* RESPONSE: HTTP/1.1
400 Bad Request Content-Type: application/json { "error": "Description is required" }

To sum it up: Don’t test in the browser Use
the “array” session driver Handle errors properly Pay attention to URI design Send good responses

Authentication

Serves two primary purposes

1. Identify the user

2. Keep that user from causing trouble

Don’t reinvent the wheel

See what other APIs do

You’re probably going to see these options:

1. API key via query string Old school APIs... don’t
do this

2. HTTP authentication Secret API key or user/pass for credentials

3. OAuth Tokens, tokens, tokens!

Since we’re talking about simple, we’ll go with option #2

Specifically: API key as username over HTTP Basic auth Password
can be anything... we don’t care

We need to generate API keys for our users

// app/models/User.php public static function createApiKey() { return Str::random(32); }
// app/events.php User::creating(function($user) { $user->api_key = User::createApiKey(); });

Now we create a filter

// app/filters.php Route::filter('api.auth', function() { if (!Request::getUser()) { App::abort(401, 'A
valid API key is required'); } $user = User::where('api_key', '=', Request::getUser())->first(); if (!$user) { App::abort(401); } Auth::login($user); });

Auth w/ cURL in PHP $ch = curl_init('http://api.laracon.app/v1/lists'); curl_setopt($ch, CURLOPT_RETURNTRANSFER,
true); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, 'aa284e44ba20b63f880fb68157736829:x'); $response = curl_exec($ch); curl_close($ch);

Auth w/ Postman

Auth w/ RESTed

http --auth aa284e44ba20b63f880fb68157736829:x api.laracon.app/v1/lists Auth w/ HTTPie

HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm="REST API" Content-Type: application/json {
"error": "A valid API key is required" } If we fail authentication

If we pass, request succeeds

Rate limits

Second line of defense against abuse Authentication is the first

Determine how and what to limit

In our case: Overall hourly limit per user

Pick a key/value storage engine Preferably an in-memory solution

•APC •Memcached •Redis

Very lightweight and fast

Automatically expire keys at specified intervals

Let’s use APC, since you should already be running it

Because there’s no way to update a value without changing
the TTL

A simple filter to do this

// app/filters.php Route::filter('api.limit', function() { $key = sprintf('api:%s', Auth::user()->api_key); //
Create the key if it doesn't exist apc_add($key, 0, 60*60); // Increment by 1 $count = apc_inc($key); // Fail if hourly requests exceeded if ($count > Config::get('api.requests_per_hour')) { App::abort(403, 'Hourly request limit exceeded'); } });

Counts will reset every hour automatically

Closing thoughts

API’s don’t need to be complicated

Please try to stick to REST principles

Utilize your resources Copy from well-designed APIs Have other developers
use it Ask if you’re not sure about something

That’s it for me! Thanks for listening kuzemchak.net • @akuzemchak
• github.com/akuzemchak

LARACON_2013.pdf

LARACON_2013.pdf

More Decks by anonymous

Other Decks in Programming

Featured

Transcript