REST in Peace

REST in Peace
API DEVELOPMENT IN DRUPAL

Kate Marshalkina
Konstantin Komelin
Drupal Consultant from Moscow who fell in
love with Drupal in 2011.
Interested in i18n, distributions and Drupal 8.
Path Breadcrumbs co-maintainer.
@kalabro
Drupal Consultant from Saint Petersburg
Co-founder of local Drupal Community
Drupal Trainer at MorningCurve
@kkomelin

Resource
Representation
GET /items
POST /items
GET /items/1
PUT /items/1
DELETE /items/1
Methods
REpresentational State Transfer

Services RestWS RESTful Endpoint Drupal 8
Popularity
Documentation
Extensibility
Authentication
Performance
Auto API Docs
Versioning

Services
https://www.drupal.org/project/services
“A standardized solution of integrating
external applications with Drupal.”
37,085 sites use this module.
Popularity: ★★★★★

RESTful Web Services
https://www.drupal.org/project/restws
“Builds upon the Entity API, to provide support for all entity types out of the box.”
4,746 sites use this module.
Popularity: ★★★

RESTful
https://www.drupal.org/project/restful
https://github.com/RESTful-Drupal/restful
“This module allows Drupal to be operated via
RESTful HTTP requests, using best practices for
security, performance, and usability.”
“Audience is developers and not site builders.”
395 sites use this module.
Popularity: ★★

Endpoint
https://www.drupal.org/project/endpoint
“Endpoint is really light, fast and flexible, that makes it a good solution
for projects where Drupal role is mobile backend and single-page app
backend.”
7 sites use this module.
Popularity: ★
REST-focused alternative to High-performance JavaScript callback handler
https://www.drupal.org/project/js

Drupal 8 REST
Core + https://www.drupal.org/project/restui
“In Drupal 8 core, interactions with content
entities are supported via a REST interface.
The REST module is extensible, and
modules that wish to offer other services
can implement Resource Plugins.”
Popularity: ★★

Project docs API docs (hooks) UI Examples Videos
Services ★★★ ★★★★ ★★★★ ★★★ ★★★★
RestWS ★★★ ★★★★ ★ ★★★★ ★
RESTful ★★★★★ ★★★★★ ★★ ★★★★★ ★★
Endpoint ★★ ★★ ★ ★ ★
Drupal 8 ★★★ ★★★ ★★★ ★★★ ★★★
Documentation & Quick Start

Total lines of PHP code
Without comments, tests
and whitespace
Hooks
Services 15,000 6,000 18
RestWS 3,000 1,000 7
RESTful 18,000 6,000 1
Endpoint 300 300 -
Drupal 8 5,000 1 3
Code Statistics

Services
Custom architecture, ~18 hooks (13 — alter)
To create a custom resource:
1. Implement hook_services_resources()
2. Write custom callbacks

RestWS
Entity API + 7 hooks
1. Implement hook_restws_resource_info()
2. Create controller class on top of RestWSResourceControllerInterface

RESTful
Ctools plugins, Entity API, OOP
1. Implement hook_ctools_plugin_directory ()
2. Create controller class on top of RestfulEntityBase / RestfulInterface

Endpoint
Custom routing function.
1. Create /api.php with an array of endpoints.
2. Call endpoint_route() from that file.

Drupal 8 REST
Plugin Manager, Config Manager, Routes, Annotations etc.
1. Create controller on top of ResourceBase / ResourceInterface.
2. Save it as src/Plugin/rest/resource/MyCustomResource.php inside your module.
To enable endpoint for existing resource:
1. Write/paste resource settings into rest.settings.yml.
2. Create config/install/rest.settings.yml inside your module.

Security & Authentication
0. X-CSRF-Token
1. Cookie Auth
2. HTTP Basic Auth
3. Token Auth
4. OAuth
5. Oauth2

X-CSRF-Token
HTTP Header to prevent Cross-Site Request Forgery for session based authentication.
For writing methods: POST, PUT, PATCH, DELETE.
✔️ ✔️ ✔️ ✖️ ✔️
services/session/tok
en
restws/session/
token
api/session/
token
rest/session/
token

Cookie Auth
Drupal build-in auth mechanism.
1. Client sends auth request (user / password).
2. Server returns session cookie in Set-Cookie header.
3. Client makes further requests with Cookie: SESSb7f18cc=pvOhLNLdNNs7BkwbX8… header.
✔️ ✔️ ✔️ ✔️ ✔️

HTTP Basic Auth
Username and password are sent on every request (base64):
Authorization: Basic aHR0cHdhdGNoOmY=
✔️ ✔️ ✔️ ✖️ ✔️

Token Auth
Server returns token instead of Set-Cookie.
{ access_token: "7P1bwJtBTSKm-f_UHZFa6m2VWtyLNA8jHRiKUbhNwMQ",
type: "Bearer",
expires_in: 39584,
refresh_token: "Ch9p0Q4KZjisw-vGDzjAQW583bj6He6eiRZOp1ovFLQ" }
(Example from Restful).
Solves some cookies problems with CDNs, session store, CSRF, CORS.
✖️ ✖️ ✔️ ✖️ ✖️
See #1494132

OAuth implementations in Drupal:
1. OAuth 1.0: https://www.drupal.org/project/oauth
2. OAuth 2.0: https://www.drupal.org/project/oauth2_server
OAuth & OAuth2
OAuth ✔️ ✖️ ✖️ ✖️ ✖️*
OAuth2 Server ✔️ ✖️ ✔️ ✖️ ✖️

How did we count?
• Ubuntu 14.04, Nginx 1.8.0, Mariadb 10.0.20, PHP 5.5.9 with php5-fpm, 1GB RAM
• Minimal Drupal Profile
• Node with just Title and Body
• Disabled Drupal cache
• Anonymous requests
• HTTP POST to create entities
• Apache Benchmark (ab)
• Clean database after each ab run

Services Documentation API
https://www.drupal.org/project/services_documentation

Self Documenting REST API
https://www.drupal.org/project/rest_api_doc (7.x)

Self Documenting REST API
https://www.drupal.org/project/rest_api_doc (8.x)

1. Versioning API
2. Multiple endpoints: /api/v1, /api/v2/
Versioning in Services

Built-in resource versioning.
Versioning in RESTful

Better to make a difference
together than make it
different alone

Leave feedback
through Picback
http://promokids.github.io/picback
konstantin@komelin.com
@kkomelin
marshalkina@gmail.com
@kalabro

Bonus: Drupal as an API Client
1. drupal_http_request()/ curl_exec()
2. RESTClient — Wrapper for 1.
3. Guzzle — PHP HTTP client
4. Feeds — for GET only
5. Clients — Pluggable client, supports Services endpoints
6. Remote Entity — Entity API + Clients
7. WSData — Alternative to Remote Entity
8. Integration with popular APIs: Twitter, Facebook, Dropbox etc.
9. Saucier — A Node.JS framework for Drupal API consumption.

REST in Peace

More Related Content

What's hot

Viewers also liked

Similar to REST in Peace

More from Kate Marshalkina

Recently uploaded

REST in Peace