4Developers 2015: REST w praktyce - tej dobrej i tej złej - Jakub Kubryński

REST w praktyce...tej dobrej i tej złej

Jakub Kubrynski

[email protected] / @jkubrynski 1 / 42

"The Code is more what you'd call guidelines than actual rules. Welcomeaboard the Black Pearl, Miss Turner"

-- Cpt. Hector Barbossa to Elizabeth Swann

RT Ben Hale


Formal REST constraintsClient-Server

Stateless

Cache

Interface / Uniform Contract

Layered System


Richardson maturity model

http://martinfowler.com/articles/richardsonMaturityModel.html


http://martinfowler.com/articles/richardsonMaturityModel.html

POST vs PUT


POST vs PUTPOST creates new resources


POST vs PUTPOST creates new resources

PUT updates existing resources

PUT can create resource if ID is already known


REST without PUTsfor everyone who hates CRUD


REST without PUTsfor everyone who hates CRUD

all changes driven by events

POST to /domainEvents


Maybe PATCH?partial update concept

no "out of the box" support


Cachingbe aware - especially IE caches aggressively

better disable caching


Cache headerscache-control: public, max-age=0, no-cache

public / private

no-cacheno-storemax-ages-maxage


ETagIf-None-Match header set to entity uuid

if matches then "304 Not Modified"

uuid can be smart - entity id and version

"User:34652:15"


Compressionreduces response size dramatically

10 times smaller response is nothing special

usually really easy to enable


HATEOAS


HATEOASself-descriptive


HATEOASself-descriptive

client understands hypermedia

{ "name" : "Alice", "email" : "alice_at_inchains.org" "links" : [ { "rel" : "self", "href" : "/customers/1213" }, { "rel" : "currentOrder", "href" : "/orders/14312" }, { "rel" : "loyaltyAccount", "href" : "/accounts/11234" } ]}

HTTP/1.1 201 CreatedLocation: http://api.myshop.com/orders/1234


@DanaDanger HTTP codes classification20x: cool

30x: ask that dude over there

40x: you fucked up

50x: we fucked up


Exceptionshide sensitive information


Exceptionshide sensitive information

but include detailed information

{ "status" : 400, "code" : 40483, "message" : "Incorrect body signature", "moreInfo" : "http://www.mycompany.com/errors/40483"}


API Versioningdon't even think aboutapi.domain.com/v2/orders

URIs to the same resources should be fixedbetween versions


API Versioningdon't even think aboutapi.domain.com/v2/orders

URIs to the same resources should be fixedbetween versions

use Content-Type

1 version: application/vnd.domain+json

2 version: application/vnd.domain.v2+json


Filtering and sortingGET /reviews?rating=5

GET /reviews?rating=5&sortAsc=author




Dynamic queries are easier in POST body




Dynamic queries are easier in POST body

POST /reviews/searches

GET /reviews/searches/23?page=2


Documentationrunnable with examples

Swagger


Stateless or not?password hashing cost

session replication

load-balancing


Stateless or not?password hashing cost

session replication

load-balancing

...

stateless session?


SecuritySQL Injection

XSS

CSRF

XXE


CSRF - Cross-site request forgery<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">

<form action="https://api.mybank.com/transfers" method="POST"> <input type="hidden" name="from" value="1233"/> <input type="hidden" name="to" value="1234"/> <input type="hidden" name=amount" value="5000"/> <input type="submit" value="Celebrity Nude Photos!"/></form>


CSRF - Cross-site request forgery<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">

<form action="https://api.mybank.com/transfers" method="POST"> <input type="hidden" name="from" value="1233"/> <input type="hidden" name="to" value="1234"/> <input type="hidden" name=amount" value="5000"/> <input type="submit" value="Celebrity Nude Photos!"/></form>

One time request tokens

Correct CORS headers


CORS - Cross Origin Requests SharingPreflight request

OPTIONS /cors HTTP/1.1Origin: http://www.domain.comAccess-Control-Request-Method: PUTAccess-Control-Request-Headers: X-Custom-HeaderHost: api.mydomain.orgAccept-Language: en-USConnection: keep-aliveUser-Agent: Mozilla/5.0...

Preflight response

Access-Control-Allow-Origin: http://www.domain.comAccess-Control-Allow-Methods: GET, POST, PUTAccess-Control-Allow-Headers: X-Custom-HeaderContent-Type: text/html; charset=utf-8


XML External Entity<?xml version="1.0" encoding="utf-8"?><comment> <text>Yeah! I like it!</text></comment>


XML External Entity<?xml version="1.0" encoding="utf-8"?><comment> <text>Yeah! I like it!</text></comment>

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [ <!ENTITY a "Yeah! I like it!"> ]><comment> <text>&a;</text></comment>


# XML External Entity

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [ <!ENTITY a SYSTEM "/etc/passwd"> ]><comment> <text>&a;</text></comment>


# XML External Entity

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [ <!ENTITY a SYSTEM "/etc/passwd"> ]><comment> <text>&a;</text></comment>

<?xml version="1.0" encoding="utf-8"?><comment> <text>root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt ..... </text></comment>


XML External Entity<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [<!ENTITY a "abcdefghij1234567890" ><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a" ><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;" ><!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;" >...<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;" >]><comment> <text>&h;</text></comment>


http://knowyourmeme.com/photos/531557 thx to @mihn


http://knowyourmeme.com/photos/531557

DDD training?


Thanks!


4Developers 2015: REST w praktyce - tej dobrej i tej złej - Jakub Kubryński

Software

Transcript of 4Developers 2015: REST w praktyce - tej dobrej i tej złej - Jakub Kubryński