SlideShare a Scribd company logo

REST APIs in the context of single-page applications

Y
yoranbe

Presentation given during the BRUG August 2014 meetup (http://www.meetup.com/brug__/events/194138762/). Covers the topics: - introduction to REST - authentication in REST APIs - authorization - how to use HTTP status codes - JSON API initiative (jsonapi.org)

Software
1 of 38
Download to read offline
REST APIs in the context of single-page applications @YoranBrondsema August 25th 2014
About me CTO of Hstry Organizer of Belgium Ember.js meetups
A bit of background application has a Ruby on Rails REST API and an Hstry Ember.js front-end Server-client communication is all JSON API is not public: just one front-end
Today I'm talking about 1. What is REST? 2. Authentication 3. Authorization 4. HTTP status codes 5. JSON API
What is REST? Architecture for the World Wide Web
Separation of client and server
Stateless
Unique identification of resources through URIs http://www.example.com/posts/15
Standard HTTP methods GET POST PUT DELETE (PATCH)
Authentication
Implies some form of state REST is stateless so stored on client
Token-based authentication 1. At login, generate token on server 2. Return token in response 3. Client includes token with every request
Where to store token?
In memory Single-page application so no refreshes Does not persist when user closes and opens tab
Cookies Automatically sent with every request Also sends other stored information Stores text, not objects Not very RESTful
sessionStorage and localStorage Part of Web Storage specification Secure, per-domain storage Stores Javascript objects, not text Stays on client Send token through query parameter Browser support is good (caniuse.com)
All of this requires HTTPS!
Implementation in Devise, unfortunately...
Implementation vulnerable to timing attacks Maintainer provided secure implementation, not yet merged in Devise (see here)
Authorization
Deals with permissions Is User X allowed to perform Action Y? Comes after authentication
Need context-aware DSL that is expressive enough ALLOWED User with id 15 requests PUT /api/user/15/profile FORBIDDEN User with id 16 requests PUT /api/user/15/profile
Define roles e.g. admin, editor, user Specify permissions for each role.
declarative_authorization gem role :guest do ... end role :student do # Include all permissions from guest includes :guest has_permission_on :timelines, to: :show do # Can only see timelines that are made by himself if_attribute :type => is { "UserTimeline" }, :author => is { user } end end
HTTP status codes
Adds semantics to HTTP responses Both for success (2xx) and error (4xx)
REST verbs GET 200 OK POST 201 Created PUT 204 No content (200 OK if include response) DELETE 204 No content
Error codes Wrong authentication 401 Unauthorized Wrong authorization 403 Forbidden Parameter is missing 412 Precondition failed Other error 422 Unprocessable entity
Nice overview on http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
JSON API
jsonapi.org Initiative by Steve Klabnik and Yehuda Katz Standard for representation of JSON responses Belief that shared conventions increase productivity through generalized tooling
Specifies... ...how resources are represented in JSON { "links": { "posts.author": { "href": "http://example.com/people/{posts.author}", "type": "people" }, "posts.comments": { "href": "http://example.com/comments/{posts.comments}", "type": "comments" } }, "posts": [{ "id": "1", "title": "Rails is Omakase", "links": { "author": "9", "comments": [ "5", "12", "17", "20" ] } }] }
...HTTP status codes and Location header When one or more resources has been created, the server MUST return a 201 Created status code. The response MUST include a Location header identifying the location of all resources created by the request.
...structure for errors { "errors": [{ "id": "forbidden", "href": "http://help.example.com/authorization_error", "status": "403", "code": "ERROR_12345", "title": "Authorization error", "detail": "The requesting user does not have the permissions to perform this action" }] }
...structure for PATCH PATCH /posts/1 Content-Type: application/json-patch+json [ { "op": "replace", "path": "/title", "value": "A new title" } ] Replace attribute title of resource /posts/1 with value A new title
Implementations Ruby (0.9.0 released ActiveModel::Serializers last Friday) Javascript Ember Data ... other languages too
Thank you

Recommended

Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIsJonathan LeBlanc
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
RESTful Architecture
RESTful ArchitectureRESTful Architecture
RESTful ArchitectureKabir Baidya
 

Recommended

Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIsJonathan LeBlanc
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
RESTful Architecture
RESTful ArchitectureRESTful Architecture
RESTful ArchitectureKabir Baidya
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLEREST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLEreneechemel
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
 
Indivo X Hospital Connectivity
Indivo X Hospital ConnectivityIndivo X Hospital Connectivity
Indivo X Hospital ConnectivityBen Adida
 
Fine Uploader S3
Fine Uploader S3Fine Uploader S3
Fine Uploader S3Ray Nicholus
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Aaron Ralls
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppBen Adida
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST API Design
REST API DesignREST API Design
REST API DesignDevi Kiran G
 
User Management with LastUser
User Management with LastUserUser Management with LastUser
User Management with LastUserKiran Jonnalagadda
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
NodeJS - Creating a Restful API
NodeJS - Creating a Restful APINodeJS - Creating a Restful API
NodeJS - Creating a Restful APIRogério Rodrigues
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Introduction To CodeIgniter
Introduction To CodeIgniterIntroduction To CodeIgniter
Introduction To CodeIgniterMuhammad Hafiz Hasan
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
RESTful Web Services
RESTful Web ServicesRESTful Web Services
RESTful Web ServicesGordon Dickens
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 

More Related Content

What's hot

Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLEREST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLEreneechemel
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
 
Indivo X Hospital Connectivity
Indivo X Hospital ConnectivityIndivo X Hospital Connectivity
Indivo X Hospital ConnectivityBen Adida
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Aaron Ralls
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppBen Adida
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
NodeJS - Creating a Restful API
NodeJS - Creating a Restful APINodeJS - Creating a Restful API
NodeJS - Creating a Restful APIRogério Rodrigues
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 

What's hot (20)

Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLEREST Easy with AngularJS - ng-grid CRUD EXAMPLE
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
 
Indivo X Hospital Connectivity
Indivo X Hospital ConnectivityIndivo X Hospital Connectivity
Indivo X Hospital Connectivity
 
Fine Uploader S3
Fine Uploader S3Fine Uploader S3
Fine Uploader S3
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
REST API Design
REST API DesignREST API Design
REST API Design
 
User Management with LastUser
User Management with LastUserUser Management with LastUser
User Management with LastUser
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
NodeJS - Creating a Restful API
NodeJS - Creating a Restful APINodeJS - Creating a Restful API
NodeJS - Creating a Restful API
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Introduction To CodeIgniter
Introduction To CodeIgniterIntroduction To CodeIgniter
Introduction To CodeIgniter
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 

Similar to REST APIs in the context of single-page applications

RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Mario Cardinal
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworksKen Yee
 
Creating Restful Web Services with restish
Creating Restful Web Services with restishCreating Restful Web Services with restish
Creating Restful Web Services with restishGrig Gheorghiu
 
Node.js introduction
Node.js introductionNode.js introduction
Node.js introductionParth Joshi
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigilityChristian Varela
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsTom Johnson
 
Api Design and More (Friday Training at Itnig)
Api Design and More (Friday Training at Itnig)Api Design and More (Friday Training at Itnig)
Api Design and More (Friday Training at Itnig)itnig
 
Networked APIs with swift
Networked APIs with swiftNetworked APIs with swift
Networked APIs with swiftTim Burks
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakCharles Moulliard
 
Jordi Romero Api for-the-mobile-era
Jordi Romero Api for-the-mobile-eraJordi Romero Api for-the-mobile-era
Jordi Romero Api for-the-mobile-era.toster
 
Service approach for development Rest API in Symfony2
Service approach for development Rest API in Symfony2Service approach for development Rest API in Symfony2
Service approach for development Rest API in Symfony2Sumy PHP User Grpoup
 
Together Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaTogether Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaVladimir Tsukur
 

Similar to REST APIs in the context of single-page applications (20)

RESTful Web Services
RESTful Web ServicesRESTful Web Services
RESTful Web Services
 
RESTful services
RESTful servicesRESTful services
RESTful services
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworks
 
Creating Restful Web Services with restish
Creating Restful Web Services with restishCreating Restful Web Services with restish
Creating Restful Web Services with restish
 
Rest with Spring
Rest with SpringRest with Spring
Rest with Spring
 
Node.js introduction
Node.js introductionNode.js introduction
Node.js introduction
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
 
Api Design and More (Friday Training at Itnig)
Api Design and More (Friday Training at Itnig)Api Design and More (Friday Training at Itnig)
Api Design and More (Friday Training at Itnig)
 
Networked APIs with swift
Networked APIs with swiftNetworked APIs with swift
Networked APIs with swift
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
 
Switch to Backend 2023
Switch to Backend 2023Switch to Backend 2023
Switch to Backend 2023
 
Jordi Romero Api for-the-mobile-era
Jordi Romero Api for-the-mobile-eraJordi Romero Api for-the-mobile-era
Jordi Romero Api for-the-mobile-era
 
Service approach for development Rest API in Symfony2
Service approach for development Rest API in Symfony2Service approach for development Rest API in Symfony2
Service approach for development Rest API in Symfony2
 
Together Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaTogether Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with Hypermedia
 
eZ Publish REST API v2
eZ Publish REST API v2eZ Publish REST API v2
eZ Publish REST API v2
 
E zsc2012 rest-api-v2
E zsc2012 rest-api-v2E zsc2012 rest-api-v2
E zsc2012 rest-api-v2
 
Andrei shakirin rest_cxf
Andrei shakirin rest_cxfAndrei shakirin rest_cxf
Andrei shakirin rest_cxf
 

More from yoranbe

Test with YouTube
Test with YouTubeTest with YouTube
Test with YouTubeyoranbe
 
A client-side image uploader in Ember.js
A client-side image uploader in Ember.jsA client-side image uploader in Ember.js
A client-side image uploader in Ember.jsyoranbe
 
Changes in Ember.js 1.9 and the Road to Ember.js 2.0
Changes in Ember.js 1.9 and the Road to Ember.js 2.0Changes in Ember.js 1.9 and the Road to Ember.js 2.0
Changes in Ember.js 1.9 and the Road to Ember.js 2.0yoranbe
 
Ember Data and JSON API
Ember Data and JSON APIEmber Data and JSON API
Ember Data and JSON APIyoranbe
 
From Ember.js 1.5 to 1.7
From Ember.js 1.5 to 1.7From Ember.js 1.5 to 1.7
From Ember.js 1.5 to 1.7yoranbe
 
Ember.js Brussels Meetup #3 - Testing your Ember.js app
Ember.js Brussels Meetup #3 - Testing your Ember.js appEmber.js Brussels Meetup #3 - Testing your Ember.js app
Ember.js Brussels Meetup #3 - Testing your Ember.js appyoranbe
 

More from yoranbe (6)

Test with YouTube
Test with YouTubeTest with YouTube
Test with YouTube
 
A client-side image uploader in Ember.js
A client-side image uploader in Ember.jsA client-side image uploader in Ember.js
A client-side image uploader in Ember.js
 
Changes in Ember.js 1.9 and the Road to Ember.js 2.0
Changes in Ember.js 1.9 and the Road to Ember.js 2.0Changes in Ember.js 1.9 and the Road to Ember.js 2.0
Changes in Ember.js 1.9 and the Road to Ember.js 2.0
 
Ember Data and JSON API
Ember Data and JSON APIEmber Data and JSON API
Ember Data and JSON API
 
From Ember.js 1.5 to 1.7
From Ember.js 1.5 to 1.7From Ember.js 1.5 to 1.7
From Ember.js 1.5 to 1.7
 
Ember.js Brussels Meetup #3 - Testing your Ember.js app
Ember.js Brussels Meetup #3 - Testing your Ember.js appEmber.js Brussels Meetup #3 - Testing your Ember.js app
Ember.js Brussels Meetup #3 - Testing your Ember.js app
 

Recently uploaded

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 

Recently uploaded (20)

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 

REST APIs in the context of single-page applications

  • 1. REST APIs in the context of single-page applications @YoranBrondsema August 25th 2014
  • 2. About me CTO of Hstry Organizer of Belgium Ember.js meetups
  • 3. A bit of background application has a Ruby on Rails REST API and an Hstry Ember.js front-end Server-client communication is all JSON API is not public: just one front-end
  • 4. Today I'm talking about 1. What is REST? 2. Authentication 3. Authorization 4. HTTP status codes 5. JSON API
  • 5. What is REST? Architecture for the World Wide Web
  • 6. Separation of client and server
  • 8. Unique identification of resources through URIs http://www.example.com/posts/15
  • 9. Standard HTTP methods GET POST PUT DELETE (PATCH)
  • 11. Implies some form of state REST is stateless so stored on client
  • 12. Token-based authentication 1. At login, generate token on server 2. Return token in response 3. Client includes token with every request
  • 13.
  • 14. Where to store token?
  • 15. In memory Single-page application so no refreshes Does not persist when user closes and opens tab
  • 16. Cookies Automatically sent with every request Also sends other stored information Stores text, not objects Not very RESTful
  • 17. sessionStorage and localStorage Part of Web Storage specification Secure, per-domain storage Stores Javascript objects, not text Stays on client Send token through query parameter Browser support is good (caniuse.com)
  • 18. All of this requires HTTPS!
  • 19. Implementation in Devise, unfortunately...
  • 20. Implementation vulnerable to timing attacks Maintainer provided secure implementation, not yet merged in Devise (see here)
  • 22. Deals with permissions Is User X allowed to perform Action Y? Comes after authentication
  • 23. Need context-aware DSL that is expressive enough ALLOWED User with id 15 requests PUT /api/user/15/profile FORBIDDEN User with id 16 requests PUT /api/user/15/profile
  • 24. Define roles e.g. admin, editor, user Specify permissions for each role.
  • 25. declarative_authorization gem role :guest do ... end role :student do # Include all permissions from guest includes :guest has_permission_on :timelines, to: :show do # Can only see timelines that are made by himself if_attribute :type => is { "UserTimeline" }, :author => is { user } end end
  • 27. Adds semantics to HTTP responses Both for success (2xx) and error (4xx)
  • 28. REST verbs GET 200 OK POST 201 Created PUT 204 No content (200 OK if include response) DELETE 204 No content
  • 29. Error codes Wrong authentication 401 Unauthorized Wrong authorization 403 Forbidden Parameter is missing 412 Precondition failed Other error 422 Unprocessable entity
  • 30. Nice overview on http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
  • 32. jsonapi.org Initiative by Steve Klabnik and Yehuda Katz Standard for representation of JSON responses Belief that shared conventions increase productivity through generalized tooling
  • 33. Specifies... ...how resources are represented in JSON { "links": { "posts.author": { "href": "http://example.com/people/{posts.author}", "type": "people" }, "posts.comments": { "href": "http://example.com/comments/{posts.comments}", "type": "comments" } }, "posts": [{ "id": "1", "title": "Rails is Omakase", "links": { "author": "9", "comments": [ "5", "12", "17", "20" ] } }] }
  • 34. ...HTTP status codes and Location header When one or more resources has been created, the server MUST return a 201 Created status code. The response MUST include a Location header identifying the location of all resources created by the request.
  • 35. ...structure for errors { "errors": [{ "id": "forbidden", "href": "http://help.example.com/authorization_error", "status": "403", "code": "ERROR_12345", "title": "Authorization error", "detail": "The requesting user does not have the permissions to perform this action" }] }
  • 36. ...structure for PATCH PATCH /posts/1 Content-Type: application/json-patch+json [ { "op": "replace", "path": "/title", "value": "A new title" } ] Replace attribute title of resource /posts/1 with value A new title
  • 37. Implementations Ruby (0.9.0 released ActiveModel::Serializers last Friday) Javascript Ember Data ... other languages too