stoney core: REST API

From stoney cloud
Revision as of 15:08, 7 February 2014 by Michael (Talk | contribs)


Jump to: navigation, search

Overview

REST API documentation

Base URI

The RESTful web service has to be accessible via a secure HTTP (HTTPS) base URI, for instance https://api.example.com/v1. The definition of the base URI is up to the provider of the service. The only requirements are the use of HTTPS and the presence of the service's version information, so that further changes are possible without breaking existing clients.

Client authentication and authorization

The service needs to authenticate each client via HTTP basic authentication by a user name and a corresponding password. If a unauthenticated client tries to access the service, it will response with a 401 (Unauthorized) HTTP error code.

Furthermore the service must retrieve the authenticated users role and object ownership and respect their respective value when returning collections and elements and acting on HTTP methods. If a client tries to get, modify or delete an element for which it is not authorized, the services will response with a 403 (Forbidden) HTTP error code and includes a descriptive authorization validation message within the JSON error object.

To solely authentication a person, use the resource described under stoney core: Authentication Resource - REST API.

Data interchange format

The service needs to accept and send all data in the JSON data interchange format via HTTP, encoded as UTF-8. Thus a client needs to accept and use the application/json media type. Further media types might be supported in the future.

This results in the following required request and response headers:

Request header Response header
Accept: application/json
Accept-Charset: utf-8
Content-Type: application/json; charset=UTF-8
  • If the client sends an Accept header with an unsupported value (at the moment only application/json is supported), the service will respond with a 406 (Not Acceptable) error code.
  • If the client sends an Accept-Charset header with an unsupported value (at the moment only utf-8 is supported), the service will respond with a 406 (Not Acceptable) error code.
  • If no Accept header is sent, the server will use JSON, possibly pretty-printed and annotated.
  • If no Accept-Charset header is sent, the server send the response with utf-8 as charset.
  • If the client sends a Content-Type other than application/json on a POST, PUT or PATCH request, the service will respond with a 415 (Unsupported Media Type) error code.
  • If the client sends invalid JSON, the service will response with a 400 (Bad Request) HTTP error code and a descriptive error message within the error object.

Future extension: Client may supply application/vnd.org.stoney-cloud.api+json as Content-Type to declare the requested schema/format of the data. This can then also be used to introduce additional versioning.

Error codes and responses

The service returns appropriate HTTP status codes for every request, the following table lists the commonly used codes:

HTTP status code Text Description
200 OK Success.
201 Created A new resource was successfully created.
400 Bad Request The request was invalid. A descriptive error message will be sent within the response body.
404 Not Found The requested resource could not be found but may be available again in the future.
406 Not Acceptable The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.
401 Unauthorized The client has failed or not yet tried to authenticate.
403 Forbidden The client is not allowed to access the requested resource.
415 Unsupported Media Type The request entity has a media type which the server or resource does not support. For example, sending XML instead of JSON in a POST, PUT or PATCH method.
422 Unprocessable Entity The request was well-formed but was unable to be followed due to semantic errors. For example, a client sends a invalid field value (numbers instead of characters) in a JSON object.


428 Precondition Required The client did not provide a proper ETag and/or Last-modification header when updating an object via PUT, see http://tools.ietf.org/html/rfc6585#section-3


429 Too Many Requests There were too many requests within a given time-period, see http://tools.ietf.org/html/rfc6585#section-4


500 Internal Server Error An internal error succoured. A descriptive error message will be sent within the response body.
503 Service Unavailable The service is temporary unavailable, because it is overloaded or down for maintenance

Additionally the service returns a descriptive error object in case a HTTP error was returned (4xx) within the message body of the response. An error object consists of an error code and a human readable error message, with further detailed error messages if applicable.

{ 
  "error": { 
    "code": 123,
    "message": "Validation failed"
    "details" : [
      {
        "code" : 5432,
        "field" : "firstName",
        "message" : "First name cannot be longer than 35 characters"
      },
      {
        "code" : 5123,
        "field" : "password",
        "message" : "Password cannot be blank"
      }
    ]
  }
}

Mandatory headers

Besides the above mentioned headers, the following headers are mandatory.

  • every answer to a GET reqest should always include ETag and Last-Modified header. This allows a proxy to cache requests and a client to revalidate already fetched data.
  • the service must recognize ETag, Last-Modified and Cache-Control: none provided by the client and act accordingly.
  • every answer to a GET request must include proper Cache-Control headers
  • every PUT request to update an object must include the ETag provided by the GET request to fetch the object initially. The API must respond with an 428 (Precondition Required) if the ETag is missing.

Implementation notes:

  • one could use the internal LDAP attributes entryCSN and/or modifyTimestamp to generate an ETag via a hash function. In the case of business objects where multiple LDAP objects are aggregated for one exposed object, the hash can be generated over all constituent objects
  • the Last-Modified header can be used to directly limit the search results when hitting the LDAP via the modifyTimestamp internal attribute. Ex. modifytimestamp>=20060301000000Z

Resources and HTTP methods

Resources are always nouns, and specified in plural (such as resellers, customers, users etc.), this prevents one from dealing with irregular pluralizations such as person/people.

The manipulation of resources happens via the HTTP request methods such as GET, POST, PUT, DELETE and PATCH. The following example illustrates the concept with a fictive user resource:

HTTP request Description
GET /users Retrieves a list of users
GET /users/12345678 Retrieves a specific user with user ID 12345678
POST /users Creates a new user
PUT /users/12345678 Updates the user with user ID 12345678
PATCH /users/12345678 Partly updates the user with user ID 12345678
DELETE /users/12345678 Deletes the user with user ID 12345678
DELETE /users Deletes all users

POST

On successful creation of an element, the service must return an URI string to the newly created element.

Example:

Request:

POST /v1/users/ HTTP 1.1
HOST: api.example.com
Accept: application/json
Content-Type: application/json
{
  "usersName": "Mueller",
  "usersType": "reseller",
}

Answer:

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8 
Location: https://api.example.com/v1/users/67890
{
  "id": 67890,
  "location": "https://api.example.com/v1/users/67890",
}

Relations

If a relation can only exist within another resource, it will be represent by its URI, for example: /threads/123/messages/45. This URI represents the message with ID #45 of the forum thread with ID #123.

If a resources can stand by its own, such as users it won't be added as a sub-resource. Relations are always returned as URIs, which the client can hit.

@TBD: Shall there be a functionality to request the embedding of elements, for relations that are commonly requested alongside the resource (to save requests)?

Filtering, sorting and searching

Filter, sort and search requests are added as query parameters to the resource URI.

For filtering the objects returned by a resource URI, the name of an object's attribute is added as a query parameter with the required value.

For example, get all active user elements GET /v1/users?status=active


For sorting the objects returned by a resource URI, the query parameter sort is added with the object's sort attribute(s) as the value.

For example, sort all users by their last and first name GET /v1/users?sort=lastname,firstname


For full text search the objects returned by a resource URI, the query parameter q is added with the value to search for.

For example, GET /v1/users?q=Muell will return users named Mueller as well as the ones living at Muellhaldenstrasse.

For full text search over all the available resources visit stoney core: Search Resource - REST API.

Pagination

Responses with multiple items will be limited and paginated to 30 items per default (defined on server-side). Further items can be accessed by appending the page query parameter. The number of items to be returned can be raised to a maximum of 100 (defined on server-side), by specifying the per_page query parameter.

For example, to request page number 3 with 40 items per page, a client would send the following GET request:

GET /v1/users?page=3&per_page=40

If pagination is requested by the client and/or enforced by the server (e.g. if the number of available records is larger than the default count and no pagination requested), the service returns official registered link relation types (next, prev, first, last) within the HTTP Link header field for pagination use:

Content-Type: Content-Type: application/json; charset=UTF-8
Link: <https://api.example.com/v1/resellers?page=1&per_page=30>; rel="first",
  <https://api.example.com/v1/resellers?page=2&per_page=30>; rel="prev",
  <https://api.example.com/v1/resellers?page=4&per_page=30>; rel="next",
  <https://api.example.com/v1/resellers?page=10&per_page=30>; rel="last"
X-Total-Count: 295

The client MUST use those pagination links, rather than constructing the URLs by itself.

Furthermore the service sets a custom header X-Total-Count containing the (estimation of) total number of records.

Field specifications and limitations

@TBD: Do we want a possibility to specify which fields should be return on a GET request? This could either be used to save further requests to element URIs, if one fetches items from a collection URL, or to reduce the required amount of data to be transferred if one only uses a few attributes from a response. If yes, a fields query parameter should be added to a resource which takes a comma separated list of field names, such as https://api.example.com/v1/users?fields=firstname,lastname.

Maybe. In a collection there shouldn't be as many elements returned such that this may be come a problem. On the other hand, if we return large sets, we should rather use caching properly. Making it possible to specify fields makes cachign even harder. See for example https://blog.apigee.com/detail/restful_api_design_can_your_api_give_developers_just_the_information/ --Tiziano (talk) 11:47, 11 December 2013 (CET)

Input validations

The service validates all input it receives from a client and returns a 422 (Unprocessable Entity) HTTP error code with a descriptive error object.

Notes

  • Resource for modules => which modules are available for a given role and belong to which category
  • Nested URLs vs. filter via get parameter => /users/<UID>/products vs. /products/?userId=<UID>, (choose a better word for product?)
  • Sudo mechanism, via custom HTTP header, for example X-USER