Going APEs Over APIs

Presentation given at MakingWeb Conference in Norway 2013

Zac Gordon

October 23, 2013

Transcript

  1. Going APEs Over APIs - Making the Web - 2013.10.23

    Zac Gordon (@zgordon)
    Talk Overview: About APIs, Internal, Public Facing, External, Tips & Tricks
  2. About Zac Gordon

    Education: Middle school, High school, College, Workshops, Conferences
    Business: WordPress, Treehouse, Calendrics, Stripe, Social stuff
  3. About APIs

    API: Application Programming Interface
    Lets sites and applications do one-way and two-way communication.
    3 Types: Internal, Public Facing, External
  4. Internal APIs

    Internal APIs - Used within an application
    WordPress Example - Get Developer's Work

        $args = array(
            'post_type'   => 'work',
            'author_name' => 'zgordon',
            'orderby'     => 'title'
        );
        $the_query = new WP_Query( $args );

        SELECT * FROM wp_posts WHERE post_type = 'work' AND author_name = 'zgordon' ORDER BY title
  5. Public Facing APIs

    Public Facing - An internal API that you open to external applications
    - REST architecture
    - API versioning
    - Authentication
  6. REST Architecture

    REST applies data endpoints using the conventional HTTP URL architecture
    Not exactly CRUD: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, PATCH

        GET /users/{username}
  7. REST Architecture

    REST uses a noun architecture rather than a verb architecture
    Noun example: /users/{username}
    Verb example: /users/add
  8. API Versioning

    Versioning addresses updating your API while maintaining backwards compatibility
    api.app.net VS api.app.net/v1 - Initial launch
    api.app.net/v2 - And then
  9. API Versioning

    Google Analytics Example
  10. API Authentication

    Authentication controls who can access your API and to what extent
    - Password
    - Tokens
    - OAuth
  11. API Authentication

    Passwords - Pass either username and be prompted for password, or pass both together
    Tokens - Unique identifiers for an app, user, level of access or single transaction
  12. API Authentication

    OAuth
  13. External APIs

    Accessing other application APIs for use in your app
    - Flickr
    - RSS
    - GitHub
  14. External APIs

    GitHub Example - GET Repos

        curl https://api.github.com/users/{username}/repos

        [
          {
            id: XXXXXX,
            name: "projectname",
            full_name: "username/project name"
            ...
  15. External APIs

    GitHub Example - GET Headers

        curl -i https://api.github.com/users/{username}/repos

        HTTP/1.1 200 OK
        Server: GitHub.com
        Date: Wed, 23 Oct 2013 18:43:28 GMT
        Content-Type: application/json; charset=utf-8
        Status: 200 OK
  16. External APIs

    GitHub Example - Password Authentication

        # Will request password
        curl -u "{username}" https://api.github.com/users/{username}

        # Leaves password vulnerable
        curl -u "{username}:{password}" https://api.github.com/users/{username}
  17. External APIs

    GitHub Example - OAuth

        GET https://github.com/login/oauth/authorize
        POST https://github.com/login/oauth/access_token
        access_token=e72e16c7e42f292c6912e7710c838347ae17..
        GET https://api.github.com/user?access_token=...
  18. External APIs

    GitHub Example - Create Repo

        # POST /user/repos creates a repository for the authenticated user
        curl -H 'Authorization: token e72e16c7e42f29' \
          https://api.github.com/user/repos \
          -d '{ "name": "newproject", "description": "My new project" }'
  19. Tips and Tricks

    A Few Tips and Tricks
    - Data Replay
    - Faking It
    - Reverse Proxy
    - Debugging Tools
    - Rate Limiting
  20. Data Replay

    Data Replay lets you use cached data for testing API requests and responses.
    VCR - Caches the initial return

        require 'test/unit'
        require 'net/http'
        require 'vcr'

        # Assumed setup: where cassettes are stored and which HTTP stubbing library VCR hooks into
        VCR.configure do |c|
          c.cassette_library_dir = 'fixtures/vcr_cassettes'
          c.hook_into :webmock
        end

        class VCRTest < Test::Unit::TestCase
          def test_example_dot_com
            VCR.use_cassette('response') do
              response = Net::HTTP.get_response(URI('http://api.app.net/v1/users'))
              assert_match(/Example domains/, response.body)
            end
          end
        end
  21. Faking It

    “Faking It” involves creating your own requests to use instead of live requests
    FakeWeb - Create your own response

        require 'net/http'
        require 'fakeweb'

        FakeWeb.register_uri(:get, "http://api.app.net/v1/users", :body => "Everyone is here!")
        Net::HTTP.get(URI.parse("http://api.app.net/v1/users"))
        # => "Everyone is here!"
  22. Reverse Proxy

    Reverse Proxy setup holds the request in memory
    Uses something like Varnish or Squid
    Helpful when you cannot connect to the API source
  23. Debugging

    Dev HTTP Client - Chrome extension to send/receive/save/modify your API requests and responses
  24. Debugging

    Charles - Much more powerful API debugging tool
    - SSL Proxying
    - Bandwidth Throttling
    - AJAX debugging
    - AMF [Flash/Flex Remoting]
    - Repeat requests to test back-end changes
    - Edit requests to test different inputs
    - Breakpoints to intercept and edit requests/responses
    - Validate responses using the W3C validator
  25. Rate Limiting

    Rate Limiting controls the frequency a client can interact with the API.
    Done at the server level
    - ngx_http_limit_req_module - Limits number of requests from IP in a set amount of time
    - HAProxy - Can limit based on amount of data transferred
  26. Talk Overview

    Zac Gordon
    About APIs, Internal, Public Facing, External, Tips & Tricks
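
The per-IP limiting described on the Rate Limiting slide, as an added example that is not code from the deck or from nginx: a simplified model of the leaky-bucket method the nginx documentation names for ngx_http_limit_req_module. The class, method and parameter names and the sample traffic are constructed for illustration.

```ruby
# Added example, not from the deck. All names and the sample traffic are constructed.
class LeakyBucketLimiter
  # rate:  requests per second that drain from each client's bucket
  # burst: requests tolerated above the steady rate before rejecting
  def initialize(rate:, burst: 0)
    @rate = rate.to_f
    @burst = burst
    @buckets = {} # client IP => [bucket level, time of last accepted request]
  end

  # True if a request from `ip` at time `now` (seconds) is within the limit.
  def allow?(ip, now)
    level, last = @buckets.fetch(ip, [0.0, now])
    # Drain for the elapsed time, never below empty, then add this request.
    level = [level - (now - last) * @rate, 0.0].max + 1.0
    # A rejected request leaves the stored bucket state untouched.
    return false if level > @burst + 1.0

    @buckets[ip] = [level, now]
    true
  end
end

# Constructed traffic: [seconds, client IP]. 203.0.113.7 sends a quick burst,
# 198.51.100.20 sends a single request.
SAMPLE_REQUESTS = [
  [0.0, '203.0.113.7'], [0.1, '203.0.113.7'], [0.2, '203.0.113.7'],
  [0.2, '198.51.100.20'], [0.6, '203.0.113.7'], [0.7, '203.0.113.7'],
  [2.0, '203.0.113.7']
].freeze

# Replays the requests and returns { ip => [true/false per request] }.
def replay(requests, rate:, burst:)
  limiter = LeakyBucketLimiter.new(rate: rate, burst: burst)
  requests.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(time, ip), seen|
    seen[ip] << limiter.allow?(ip, time)
  end
end

# Per-IP count of refused requests, the number an operator would alert on.
def rejected_counts(decisions)
  decisions.transform_values { |allowed| allowed.count(false) }
end

decisions = replay(SAMPLE_REQUESTS, rate: 2, burst: 1)
decisions.each { |ip, allowed| puts "#{ip}: #{allowed.map { |a| a ? 200 : 503 }.join(' ')}" }
```

The table of buckets here grows with every new client address; a production limiter bounds that state, which is why the limiting is done at the server level with a fixed-size store.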