View
4.956
Download
3
Category
Preview:
DESCRIPTION
Presented at djangocon 2011. Covers best practices for designing/ building RESTful APIs. Discusses the enhanced version of django-piston used by PBS Education.
Citation preview
RESTful APIs
Promises & Lies
Tareque (täreɪk)
what do all these companies have in
common?
they thrive in their businessusing APIs
in fact, all of them provide RESTful APIs
all of them secure their APIs using Oauth
these facts are not coincidental
these companies made a choice
they chose to do their APIs right
so what is this talk about?
it’s about Web APIs
it’s about how we build APIs nowadays
nice & solid
we all have been building APIs for some time now
till this date, there are hardly any resource available
that tell you how to build APIs right
standards
best practices
we all learn them hard way
+
= magical API
Not really..
but you can make APIs magical
ask questions
is your API RESTful?
. stateless
. cacheable
. HTTP methods
take action depending on the type of HTTP request
GET - retrievePOST - createPUT - updateDELETE - destroy
using these verbs API clients act on resources
your API is only as good as the resources it delivers
are your resources well defined?
say you have a django project
it has a lot of models
attractive models
resource != model
resource = unit of information
that you ownand everyone else wants a piece
define them with care
class Book (Model):title = Charfield(...)summary = Charfield(...)isbn10 = Charfield(...)isbn13 = Charfield(...)authors =
ManyToManyField(...)created =
DateTimeField(...)
{‘title’ : ‘...’,‘summary’ : ‘...’,‘authors’ : [‘...’,
‘...’],‘editions’ : [{
‘number’ : ‘...’,
‘publisher’ : ‘...’,‘date_published’: ‘...’,}],
‘is_favorite’ : true,}
class Book (Model):title = Charfield(...)summary = Charfield(...)isbn10 = Charfield(...)isbn13 = Charfield(...)authors = ManyToManyField(...)created = DateTimeField(...)
{‘title’ : ‘...’,‘summary’ : ‘...’,‘authors’ : [‘...’, ‘...’],‘editions’ : [{
‘number’ : ‘...’,‘publisher’ : ‘...’,‘date_published’: ‘...’,}],
‘is_favorite’ : true,}
resource != model
concise & complete
but are resources the only thing you send in API responses?
resource structures vary wildly
API responses should be predictable
API responses should be parsable
API responses should be uniform
wrap them in envelopes
APIRESPONSE
add metadata about response
. HTTP status code
. error code & message. pagination data
{‘status’ : 200,‘errors’ : [],‘data’ : {
‘title’ : ‘...’,‘isbn10’ : ‘...’,‘summary’ : ‘...’, ‘authors’ : [‘...’,
‘...’],}
}
{‘status’ : 400,‘errors’ : [{
‘code’ : 5,‘message’ : ‘OMG form
errors!’,‘data’ : {‘title’: [‘Field
required’],}
}],‘data’ : {},}
{‘status’ : 200,‘errors’ : [],‘data’ : {
‘pagination’: {‘count’ : 134,‘pages’ : 7,}
‘results’: [...],}
}
now that you have uniform responses
ask yourself
would you support different serialization formats?
the world is moving towards json
it’s a greener alternative to XML
but you might want to support jsonp
or XML
more formats = more testing
more formats =
more support requests
it’s cool if you can accommodate
serialization parameters != coolformat=xml
client can add .json or .xml at end of URL
http://api.domain.com/v1.0/books/game-of-
thrones.xml
Now you see it..
http://api.domain.com/v1.0/books/game-
of-thrones
Now you don’t..
in absence of specified format return default
then it’s all good
http://api.domain.com/v1.0/books/game-
of-thrones
Did you notice that?
versioning your API is cool
6 days of beer in Portland
your pants might not fit
6 months of deployment in production
your APIs might not fit
version your API
http://api.domain.com/v1.0/books/game-
of-thrones
Why hello there!
save URL namespace
now to one of the most important questions..
Is the anomaly systemic, creating
fluctuations in even the most
simplistic equations?
always hated that guy
the question we are looking for is..
Is your API secure?
some endpoints need to be secure
private user data
resources that bring revenue
to protect resources, use anauthentication scheme
use Oauth
use Oauth 1.0
use Oauth 2.0
use 2-legged Oauth for applications directly accessing resources
use 3-legged Oauth for applications accessing resources on behalf of users
use HTTPS for calls to protected resources
using Oauth might get a little complex
how to minimize that complexity?
what’s the easiest route to securing your API?
and making your API comply with the concepts we discussed?
bring us to the next question..
do you use any API frameworks?
django-piston
tastypie
django-rest-framework
dj-webmachine
take your pick
none of these frameworks will do everything for you
make them work for you
to build
we used django-piston
piston has built in Oauth support
and a flexible architecture using pluggable components
pluggable resource handlers
pluggable emitters (serializers)
pluggable authentication
we enhanced django-piston
. pluggable envelopes
. form error feedbacks
. anonymous tokens
added
resource definitionsubsystem
class BookDetailedView (PistonView): fields = [
‘title’,‘isbn10’,‘pages’,Field(
‘’,lambda x: [y.name for y in
x.authors.all()],destination=‘authors’,),
]
return BookDetailedView(book)
{‘title’ : ‘...’,‘isbn10’ : ‘...’,‘pages’ : 357, ‘authors’ : [‘...’,
‘...’],}
http://github.com/pbs-education/
django-piston
again, you have quite a few choices
. django-piston
. tastypie
. django-rest-framework. dj-webmachine
take your pick
make them work for you
build your API right
join the party
thank you
tarequeh- slideshare.net- twitter- .com
Recommended