REST API Design & Development
Download as PPTX, PDF6 likes2,566 views
The document discusses demystifying APIs. It begins with an introduction to APIs, including their evolution and benefits. It then discusses RESTful APIs and their key aspects like uniform interface and use of HTTP methods. The document outlines best practices for API design, development, and challenges. It provides examples of designing APIs using Node.js and Hapi.js and discusses challenges like security, authentication, rate limiting, and scalability. Tools mentioned include Express, Swagger, Postman, and Kong.
REST API Design & Development
- 2. Ashok Gautam
- 3. Agenda API Introduction RESTFul paradigm Design, Development & Challenges Best practices Tools Resources Q&A
- 5. Introduction API stands for Application Programming Interface. API is a set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other service. API is a software intermediary that allows two applications to talk to each other.
- 6. APIs have existed for a long time. Since the first computer programs were written, APIs have been providing “contracts” for information exchange between programs. XML-RPC SOAP RESTful GraphQL OS APIs Platform APIs Application APIs Web APIs Evolution
- 9. Why should you have API Efficiency Flexibility Integrations Security Metered Usages
- 10. RESTful A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.
- 12. Design, Development & Challenges
- 13. Design Use nouns and NOT the verbs Use of right HTTP methods Use Plurals Use parameters Use proper HTTP codes Versioning Use Pagination Supported Formats Use Proper Error Messages https://hackernoon.com/restful-api-design-step-by-step-guide-2f2c9f9fcdbf OAS https://swagger.io/resources/open-api/
- 15. Hello World https://medium.com/@purposenigeria/build-a-restful-api-with-node-js-and-express-js-d7e59c7a3dfb import express from 'express';import db from './db/db'; // Set up the express app const app = express(); // get all todos app.get('/api/v1/hello', (req, res) => { res.status(200).send({ success: 'true', message: 'Hello World', todos: db })}); const PORT = 5000; app.listen(PORT, () => { console.log(`server running on port ${PORT}`) });
- 16. 'use strict'; const Hapi=require('hapi'); // Create a server with a host and port const server=Hapi.server({ host:'localhost', port:8000 }); // Add the route server.route({ method:'GET', path:'/hello', handler:function(request,h) { return'hello world'; }}); // Start the server const start = async function() { try { await server.start(); } catch (err) { console.log(err); process.exit(1); } console.log('Server running at:', server.info.uri); }; start();
- 17. Kong ● Cloud-Native ● Dynamic Load Balancing ● Hash-based Load Balancing ● Circuit-Breaker ● Health Checks ● Service Discovery ● Serverless ● WebSockets ● OAuth2.0 ● Logging ● Security ● Syslog ● SSL ● Monitoring ● Forward Proxy ● Authentications ● Rate-limiting. ● Transformations ● Caching ● CLI ● REST API ● Geo-Replicated ● Failure Detection & Recovery ● Clustering ● Scalability ● Performance ● Plugins
- 18. Challenges Security Authentication & Authorization Rate Limit Scalability
- 19. Security HTTPS Access Control Restrict HTTP methods Input validation Validate content types Management endpoints Error handling Audit logs Security headers CORS Sensitive information in HTTP requests ● Parameters Exploitation ● Identity Theft ● Abusing authorization system ● Man-In-The-Middle ● DOS & DDOS
- 20. Security
- 21. Authentication & Authorization API keys OAuth access tokens JSON Web Tokens https://zapier.com/engineering/apikey -oauth-jwt/ ● Use API keys if you expect developers to build internal applications that don’t need to access more than a single user’s data. ● Use OAuth access tokens if you want users to easily provide authorization to applications without needing to share private data or dig through developer documentation. ● Use JWT in concert with OAuth if you want to limit database lookups and you don’t require the ability to immediately revoke access.https://blog.restcase.com/restful- api-authentication-basics/
- 23. Rate Limit User rate limits IP/Network rate limits Server rate limits Regional data limits Resource specific rate limits Dynamic rate limits Leaky Bucket Fixed Window Sliding Log Sliding Window express-rate-limit hapi-ratelimiter flask-limiter
- 24. Rate Limit const rateLimit = require("express-rate-limit"); app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc) const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 }); app.use("/api/", apiLimiter);
- 25. Scaling CDN Application level caching Database Caching Cloudflare/ Cloudfront/Akamai Varnish/NGINX Redis/Memcache