Automatic REST APIs with
Jett Durham
@thejettdurham
Who I Am...
Lead Software Developer
What I Am...
full stack and then some
What I Am Not...
postgREST contributor
SQL or PostgreSQL expert
Network Security Expert
Talk Overview
-
Building REST APIs (the hard way)
-
Enter PostgREST
-
DEMO: Exploration
-
Security with PostgREST
-
DEMO: Hospitable Takeover
-
Final Thoughts
Building REST APIs
The hard way
The Layer Cake Pattern
Your Application
Web Server
Database
Request
Response
What's in an App?
HTTP Request Handling
ERROR HANDLING
Authentication
Authorization
Request Parsing
Request Validation
Database Communication
Database Response Handling
HTTP Response Building
Layers in Layers
Your Application
Your Code
Data Handling Library
Object Relational Mapper
Authentication Framework
Application Framework
Much Better!
Active Record cut my lines of code in half!
oAuth lets me stop worrying about my API security!
Play Framework makes writing web apps so easy!
Much Better?
I updated Active Record and the API broke. How to fix?
The last version of oAuth had a security flaw that leaked our customer emails to spambots
Play Framework updated again, time for another rewrite! And updating to Java 8. And updating to Gradle 2.8. And...
Libraries are great!
But know the tradeoffs
A Baker's (Half)-Dozen
Mark's Social Network
Gordon's Coffee Shop
David's DVD Store
Larry's Search Engine
Jeff's Warehouse
Daniel's Streaming Service
Most APIs kinda look the same...
2 Sides of a Coin
GET
POST
PATCH
DELETE
SELECT
INSERT
UPDATE
DELETE
What do?
Enter PostgREST
Where it fits
Your Application
Web Server
Database
Request
Response
Is It Fast?
TL;DR: subsecond response times for up to 2000 requests/sec on Heroku free tier.
TL;DR;TL;DR: Wicked Fast!
What is this sorcery?!
Haskell
PostgreSQL
Warp Web Server
Need to Scale?
DEMO
Exploration
Demo System
10.0.3.2
:5432
/dvdrental
:3000
Demo Database
Sakila Sample Database
- Tables
- Views
- Functions
- Triggers
Security with PostgREST
SSL?
No...
...but wait!
It Doesn't Need To
Authentication?
Authorization?
JSON Web Tokens
{
"user": "seth",
"role": "administrator"
}
+
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InNldGgiLCJyb2xlIjoiYWRtaW5pc3RyYXRvciJ9.3KPWRfCmFTsMN7D8p8Uz0s4Xsxxuuu9QOB83TkSnLq0
Special DB Users
Anonymous
Authenticator
Unauthenticated
{
"user": "seth",
"role": "administrator"
}eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InNldGgiLCJyb2xlIjoiYWRtaW5pc3RyYXRvciJ9.3KPWRfCmFTsMN7D8p8Uz0s4Xsxxuuu9QOB83TkSnLq0
Authenticated
DEMO
Hospitable Takeover
The DVD store has been assimilated
One API to rule them all
Internal Admin Panel
Public Website: Film search
President
All Access
Michael Bluth
Accountant
List & modifies payments
Also has Worker permissions
Gob Bluth
Worker
Lists films, categories, actors, languages, & customers
List & Creates Rentals
George Michael Bluth
John Q Public
Lists films
John Q
Final Thoughts
What is it really good for?
Domain Model
Database Tables
Old Databases
public
apiv1
Public-facing API?
Probably not...
Private APIs!
Competition?
Third Party Alternatives
mongodb-rest
Third Party Alternatives
Automatic API REST
Third Party Alternatives
phprestsql
Third Party Alternatives
arrest-db
Third Party Alternatives
restSQL
First-Party Alternatives
HTTP API
First-Party Alternatives
HTTP API
The Future of PostgREST?
In Review...
REST APIs are important
Building & Maintaining APIs can be hard!
PostgREST can set you free!
We're at the start of the auto API trend
fin
Jett Durham
@thejettdurham
Essential Concepts
Tables, Rows, Columns
| 0 | michael | develop... | 3 | 56500 | ... |
| 1 | john | analyst | 6 | 47900 | ... |
| user_id | name | job_title | dept_id | salary | notes |
|---|
| employee |
|---|
Keys: Primary, Foreign
| 0 | michael | develop... | 3 | 56500 | ... |
| 1 | john | analyst | 6 | 47900 | ... |
| user_id | name | job_title | dept_id | salary | notes |
|---|
| employee |
|---|
Views
Functions & Triggers
-- SAMPLE FUNCTION
CREATE FUNCTION tf1 (acct_no integer, debit numeric)
RETURNS numeric AS $$
UPDATE bank
SET balance = balance - $2
WHERE accountno = $1
RETURNING balance;
$$ LANGUAGE SQL;-- SAMPLE TRIGGER
CREATE TRIGGER emp_stamp
BEFORE INSERT OR UPDATE ON employees
FOR EACH ROW EXECUTE PROCEDURE emp_stamp();Schemas
Databases
Database Server
REST API Recap
REST APIs power the modern web
Why REST APIs?
Interoperability
Ease of Consumption
Ease of Development
?
REST Nuts & Bolts
HTTP Request
https://
api.twitter.com
/1.1
/users/suggestions.json
?id=foo
- GET
- POST
- PUT
- DELETE
- PATCH
- OPTIONS
- HEAD
HTTP Method
| KEY | VALUE |
|---|---|
| Authorization | ... |
| Content-Type | application/json |
Request Headers
Request Body
{
"glossary": {
"title": "example glossary",
"GlossDiv": {
"title": "S",
"GlossList": {
"GlossEntry": {
"ID": "SGML",
"SortAs": "SGML",
"GlossTerm": "Standard Generalized Markup Language",
"Acronym": "SGML",
"Abbrev": "ISO 8879:1986",
"GlossDef": {
"para": "A meta-markup language, used to create markup languages such as DocBook.",
"GlossSeeAlso": ["GML", "XML"]
},
"GlossSee": "markup"
}
}
}
}
}URL
HTTP Response
- 200
- 301
- 403
- 404
- 451
- 500
Status Code
| KEY | VALUE |
|---|---|
| Connection | keep-alive |
| Content-Type | application/json |
Response Headers
Response Body
{
"glossary": {
"title": "example glossary",
"GlossDiv": {
"title": "S",
"GlossList": {
"GlossEntry": {
"ID": "SGML",
"SortAs": "SGML",
"GlossTerm": "Standard Generalized Markup Language",
"Acronym": "SGML",
"Abbrev": "ISO 8879:1986",
"GlossDef": {
"para": "A meta-markup language, used to create markup languages such as DocBook.",
"GlossSeeAlso": ["GML", "XML"]
},
"GlossSee": "markup"
}
}
}
}
}JSON
{
"Count": 1670,
"Username": "jdurham",
"IsPresent": true,
"JobTitles": [
"Software Developer",
"Software Engineer",
"Sysadmin",
"Supervisor"
],
"Addresses": [
{
"Name": "home",
"Street": "123 Main St.",
"City": "Wichita",
"State": "Kansas",
"Zip": 67212
},
{
"Name": "work",
"Street": "266 N Main St.",
"City": "Wichita",
"State": "Kansas",
"Zip": 67202
}
]
}
-
Lightweight
-
Expressive
-
Readable
-
Portable