5. So, what is a RESTful API?
An application programming interface (API) that receives a request from a client (web or mobile application) and sends a response based on the state of the server, over the HTTP protocol.
6. REST vs SOAP
• REST performs better and faster than SOAP
• Coupled with JSON, it is easily readable by both humans and machines
• Though in some cases, such as data security and transaction reliability, SOAP performs better
7. What is JSON?
• JavaScript Object Notation
• Minimal, readable format for structuring data
• An alternative to XML, more lightweight in nature
• A key feature of a REST API response is JSON
8. REST API Design Architecture
Key things to be noted:
• Simple request
• Secure request
• Fast response
• Status code
• Appropriate response
• Secure response
• Documentation
• Console
• Versioning
9. Simple Request
• URL should be light and meaningful
• Avoid unnecessary query strings
• Use basic HTTP request methods [GET, POST, PUT, PATCH, DELETE] based on the API use case
10. Secure Request
• Authentication & Authorization
  • Token based authentication [e.g. JWT]
    • Client must know the secret key to sign the token for a persistent connection
    • Server will verify the signature with the same key
    • If mismatched, the request is unauthorized
  • OAuth2 authentication & authorization
    • Register the client identity with the Authorization server beforehand
    • Request an access token from the Authorization server
    • Request the resource server with the access token granted by the Authorization server
  • Provide an encrypted/encoded session token for a persistent connection between user and server
• Input filter handling
  • Cross-site scripting (XSS) protection
  • SQL injection protection
• SSL installation on the server
• Block the IP of a DDoS attacker
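The token-based flow on this slide (sign with a key, verify the signature with the same key, reject on mismatch), as an added example that is not part of the original slides or of the linked PHP template. It builds and checks an HS256 JSON Web Token with only the Python standard library. The key name SERVER_SECRET, the constructed key value and the result_code values in authorize_request are assumptions; in this example the key is held by the server only and the client merely presents the token it was issued.

```python
# Added example (not from the slides): minimal HS256 JWT issue/verify with the
# Python standard library, plus a request gate that maps the outcome to 401/200.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

# Constructed demo key: in a real service it is loaded from a secret store and
# never shared with the client; only the server signs and verifies.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int = 3600,
                now: Optional[float] = None, key: bytes = SERVER_SECRET) -> str:
    """Create a compact HS256 JWT with subject, issued-at and expiry claims."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_SECRET) -> Optional[Dict[str, Any]]:
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    # Pin the algorithm server-side: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # signature mismatch: the request is unauthorized
    current = time.time() if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= current:
        return None  # missing or past expiry
    return payload


def authorize_request(headers: Dict[str, str],
                      now: Optional[float] = None) -> Tuple[int, Dict[str, Any]]:
    """Turn the Authorization header of a request into (HTTP status, JSON body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"result_code": 1, "error": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"result_code": 1, "error": "invalid or expired token"}
    return 200, {"result_code": 0, "data": {"user_id": claims["sub"]}}


if __name__ == "__main__":
    token = issue_token(4, ttl_seconds=60)
    print(authorize_request({"Authorization": "Bearer " + token}))
    print(authorize_request({"Authorization": "Bearer " + token[:-3] + "abc"}))
```

The comparison uses hmac.compare_digest rather than == so that the verification time does not depend on how many signature bytes match, and the algorithm is fixed in the server code instead of being read from the token header.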
11. Fast response
• Make the backend as light as possible
  • PHP microframework (Slim, Lumen, Flight etc.)
• Use non-blocking I/O over blocking I/O
  • Express JS
  • Python Django
• Cache server to store relatively non-dynamic and lightweight data for faster reading
  • Memcache / Redis
• Backend code optimization
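The caching point above (keep relatively static, lightweight data in a cache so reads skip the backend), as an added example that is not from the slides or the linked template. A process-local dictionary stands in for Memcache/Redis, the TTL is enforced on read, and the clock is injectable so expiry can be exercised without waiting. The class name TTLCache, the country-list loader and the call counter are constructed for the example.

```python
# Added example (not from the slides): a read-through cache with a time-to-live
# in front of a slow lookup. A dict stands in for Memcache/Redis.
import time
from typing import Any, Callable, Dict, Tuple


class TTLCache:
    """Read-through cache: serve from memory while the entry is fresh, else reload."""

    def __init__(self, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can move time forward
        self._store: Dict[Any, Tuple[float, Any]] = {}  # key -> (expires_at, value)
        self.hits = 0
        self.misses = 0

    def get_or_load(self, key: Any, loader: Callable[[Any], Any]) -> Any:
        now = self.clock()
        entry = self._store.get(key)
        if entry is not None and entry[0] > now:
            self.hits += 1
            return entry[1]
        # Miss or stale: hit the backend once and refresh the entry.
        self.misses += 1
        value = loader(key)
        self._store[key] = (now + self.ttl, value)
        return value

    def invalidate(self, key: Any) -> None:
        """Drop an entry early, e.g. right after the underlying row was updated."""
        self._store.pop(key, None)


# Constructed stand-in for a slow database query returning rarely changing data.
BACKEND_CALLS = {"count": 0}


def load_country_list(_key: Any) -> list:
    BACKEND_CALLS["count"] += 1
    return ["BD", "IN", "US"]


if __name__ == "__main__":
    cache = TTLCache(ttl_seconds=30)
    for _ in range(3):
        cache.get_or_load("countries", load_country_list)
    print("backend calls:", BACKEND_CALLS["count"], "hits:", cache.hits)
```

Only data that can tolerate being up to one TTL stale belongs in such a cache; anything that reflects a user's authorization state should be invalidated explicitly when it changes rather than left to expire.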
12. Status codes
• Tell the client what to expect next
• HTTP status codes
  • 1xx (Informational): The request was received, continuing process
  • 2xx (Successful): The request was successfully received, understood, and accepted
  • 3xx (Redirection): Further action needs to be taken in order to complete the request
  • 4xx (Client Error): The request contains bad syntax or cannot be fulfilled
  • 5xx (Server Error): The server failed to fulfill an apparently valid request
• Result codes
  • Make the client understand the state of the requested result
13. Appropriate response
• Send the response in the correct format
• JSON data as response
• Avoid data redundancy
• Avoid unwanted data
{
  "result_code": 0,
  "time": "2018-12-10 12:20:00",
  "data": {
    "user": {
      "id": 4,
      "name": "Mr. X",
      "items": [
        {
          "id": 1,
          "name": "laptop",
          "count": 1
        },
        {
          "id": 2,
          "name": "monitor",
          "count": 1
        }
      ]
    }
  }
}
14. Secure response
• Mask the file directory path with a custom URL or a third-party cloud storage path
  http://example.com/uploads/image/users/1.jpg
  http://example.com/image/user/1?ref=xxxxxxxxxx1
• Remove unnecessary response headers so server information is not exposed to threats
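Both points on this slide, as an added example that is not from the slides or the linked template: an opaque ref parameter that lets /image/user/1?ref=... stand in front of the real uploads directory, and a WSGI middleware that strips server-identifying headers from every response. The ref is computed here as an HMAC over the user id so a caller cannot mint refs for other ids; that construction, the key REF_SECRET, the UPLOAD_ROOT path, the header list and the small image_app backend are all assumptions for the example.

```python
# Added example (not from the slides): opaque "ref" for a masked download URL and
# a WSGI middleware that drops headers which reveal the server stack.
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs

REF_SECRET = b"constructed-demo-ref-secret"        # assumption: server-side key
UPLOAD_ROOT = "/var/www/uploads/image/users"       # constructed internal path
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}  # assumed list


def make_ref(user_id: int, key: bytes = REF_SECRET) -> str:
    """Opaque reference for /image/user/<id>?ref=...: a truncated HMAC of the id."""
    return hmac.new(key, str(user_id).encode("ascii"), hashlib.sha256).hexdigest()[:20]


def resolve_image(user_id: int, ref: str, key: bytes = REF_SECRET) -> Optional[str]:
    """Map the public URL to the internal file only if ref authenticates the id."""
    if not hmac.compare_digest(make_ref(user_id, key).encode(), ref.encode()):
        return None
    return f"{UPLOAD_ROOT}/{user_id}.jpg"


def strip_server_headers(app: Callable) -> Callable:
    """WSGI middleware: remove headers that advertise the server software."""
    def middleware(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in STRIP_HEADERS]
            return start_response(status, kept, exc_info)
        return app(environ, filtered_start_response)
    return middleware


# Constructed backend: serves /image/user/<id>?ref=<ref> and, like many stacks
# by default, leaks Server and X-Powered-By headers.
def image_app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    query = parse_qs(environ.get("QUERY_STRING", ""))
    headers = [("Content-Type", "text/plain"),
               ("Server", "Apache/2.4.1 (Unix)"),
               ("X-Powered-By", "PHP/7.2")]
    prefix = "/image/user/"
    if path.startswith(prefix) and path[len(prefix):].isdigit():
        location = resolve_image(int(path[len(prefix):]), query.get("ref", [""])[0])
        if location is not None:
            start_response("200 OK", headers)
            return [f"would stream {location}".encode()]
    start_response("404 Not Found", headers)
    return [b"not found"]


def run_wsgi(app: Callable, path: str, query: str = "") -> Tuple[str, Dict[str, str], bytes]:
    """Tiny in-process harness: run a WSGI app and capture status, headers, body."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = strip_server_headers(image_app)
    print(run_wsgi(app, "/image/user/1", "ref=" + make_ref(1)))
    print(run_wsgi(app, "/image/user/1", "ref=guess"))
```

The middleware sits outside the application, so every handler gets the same header policy without remembering to apply it; the ref check answers 404 for a wrong ref rather than a distinct error, so the response does not reveal whether the id exists.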
16. Console
• A testing ground for API requests and responses
• Should be available to system developers and testers only
• Tools
  • Postman
  • Custom console tool
17. Versioning
• Bump your API version when major changes are introduced
• Keep older API versions for clients that have not yet updated
• Example:
  • http://host/v1/get_user_info?user_id=1
  • http://host/v2/users/info/1
18. Code example
• A custom REST API template can be found here
  • https://github.com/sabbir-rupom/rest-api-flight-PHP
• Based on the PHP Flight microframework
• Follow the documentation flow
• Study the source architecture