REST API Design, Development & Management
PS :
- Ce COURS ne PAS focus sur le Codage de l’API REST – L’accent est mis sur la Conception en utilisant des modèles éprouvés.
- Veuillez NE PAS vous inscrire si votre objectif/objectif est simplement d’apprendre la partie “Codage” de l’API REST.
Comment ce cours a-t-il été créé ?
L’auteur (Raj) a travaillé avec de nombreuses grandes organisations pour élaborer leur stratégie numérique dans lequel l’API était un thème central. Au fil des ans, l’auteur a reconnu certains modèles et pratiques qui ont conduit à des initiatives API réussies. Intrigué par ses découvertes, l’auteur a effectué des recherches approfondies sur 100 autres fournisseurs d’API à succès (exemples : Facebook, Expedia, Capital One …) et cela a abouti à une collection de bonnes pratiques et de modèles de conception qui sont couverts dans ce cours.
Ce cours couvre tous les aspects importants liés à la conception, au développement et à la gestion des API. Les meilleures pratiques, modèles de conception, défis, suggestions et options abordées dans ce cours sont :
- Créé en analysant comment les fournisseurs d’API populaires tels que Facebook, Twitter, Capital One, etc. créent et gèrent leur API
- Tiré de données personnelles expériences de l’auteur
Le cours est divisé en 6 parties :
1. Préparer le terrain – Discute d’une étude de cas (ACME voyages) utilisée tout au long du cours + fournit des informations sur les outils utilisés
2. Évolution de API REST – Les conférences de cette section couvriront les concepts fondamentaux + Pourquoi REST/JSON est devenu une norme de facto
3. Conception de l’API REST (Couvrant plusieurs sections)
C’est ici que les étudiants apprendront :
- Meilleur Pratiques
- Modèles d’implémentation
Pour démontrer les aspects d’implémentation, un ensemble d’API basées sur NodeJS est également implémenté pour une entreprise fictive ACME Voyages.
4. Sécurisation de l’API REST
Lorsqu’une API est exposée par une entreprise à l’Internet public, elle présente un risque pour l’entreprise car les pirates peuvent utiliser les vulnérabilités de l’API pour lancer des attaques contre l’entreprise. Il existe plusieurs types d’attaques fonctionnelles que le fournisseur d’API doit prendre en compte. Vous découvrirez les attaques courantes et les meilleures pratiques pour protéger l’API.
5. Spécifications Swagger 2.0 / Open API Initiative
Cette section commencera par la description du processus de développement des spécifications Collaboratives & avantages d’adopter l’approche du contrat d’abord. À la fin de cette section, l’étudiant sera capable d’écrire les spécifications Swagger/OAI pour sa propre API. Dans le cadre des cours magistraux, un cahier des charges complet sera élaborépour ACME Vacances.
6. API Management
API management est le processus de publication, de documentation et de supervision des interfaces de programmation d’applications (API) dans un environnement sécurisé et évolutif environnement. Les conférences de cette section couvrent les détails des activités suivantes qu’un fournisseur d’API effectue dans le cadre de la gestion des API.
APIgee, IBM API Connect La plates-forme & Mulesoft seront utilisées pour démontrer les divers aspects de la gestion des API abordés dans les conférences. Les étudiants sont encouragés à essayer ces plates-formes par eux-mêmes pour avoir une bonne idée de ce que les plates-formes de gestion des API apportent à la table. Les trois plates-formes offrent une version d’essai gratuite qui peut être utilisée pour les tests.
Pourquoi REST API ?
Aujourd’hui, les entreprises utilisent les API REST pour créer non seulement des applications mobiles, mais aussi pour :
- Créer de nouveaux canaux de partenariat
- Créer de nouvelles sources de revenus & modèles commerciaux
- Promouvoir leurs marques
Le simple fait de créer l’API ne garantit pas que l’entreprise sera en mesure d’atteindre les objectifs souhaités du point de vue de l’API. L’adoption de l’API par les développeurs dépend de plusieurs aspects tels que son utilité, sa facilité d’utilisation, ses performances, son évolutivité, sa sécurité. Le fournisseur d’API doit appliquer les meilleures pratiques tout au long du cycle de vie d’une API.
Qui doit suivre ce cours ?
Ce cours s’adresse à tout technologue intéressé par l’apprentissage de l’API REST de bout en bout, et pas seulement du point de vue du codage. Bien que ce cours utilise NodeJS pour démontrer les meilleures pratiques de conception, il n’exige pas que les étudiants aient une expérience préalable avec NodeJS.
Pour suivre ce cours, l’étudiant doit connaître un (ou plusieurs) ) langage de programmation ; avoir compréhension de l’architecture des applications Web ; se familiar avec la notion de services ; comprend les formats de données tels que JSON ou XML
Veuillez noter que ce cours n’enseignera PAS comment coder REST API dans NodeJS.
Setting the stage
Quick introduction to the course
Tips on how to get the most out of this course
Provides link for summary decks download.
ACME Travels is a fictitious company that is going through a crisis as they did not keep up to speed with the technology. Their CTO has a vision to create an API driven organization.
This quick lecture describes the ACME case study that will be used in discussions of various concepts discussed in this course. All APIs created in the course are for ACME travels.
In this course multiple tools will be used. This quick lecture describes the tools that will be used in this course. Students are not expected to have any prior experience with any of the tools discussed
In this lecture students will learn about the free MongoDB sandbox environment offered by http://mlab.com
Samples in this course will use the MongoDB instance on mlab.com
Evolution of RESTful services
Walkthrough of a scenario to explain what an API is.
Students will learn about the
- Issues with using XML/RPC for mobile applications
- History of RESTful API
- How so many organizations are leveraging REST API
Students will learn the core concepts of RESTful API. At end of the lecture they would understand the following terms:
- Representational state
- Resources
- State transfer
Also covers the demonstration of a publicly available REST API from Walmart.
Checks students understanding of general concepts of API
Students will learn about the three types of APIs.
In this lecture students will learn about the API exposed by TicketMaster.
Student will learn about:
- the API value chain
- "common sense" design principles :)
REST API Architectural Constraints
Just using the JSON+HTTP does not automatically make the API RESTful. In this student will get a overview of the REST constraints described by Roy Fielding in his dissertation paper.
Student will learn about the benefit of following the "Client-Server" constraint which is considered the foundation for the RESTful API.
Student will learn about the constraint#2 Uniform Interface + the 4 guiding principles that are part of the Uniform Interface constraint.
Student will learn about the "Statelessness" constraint.
In this lecture student will learn
- about the HTTP Caching headers
- how the HTTP Cache-Control can be used to achieve better performance
- how the caching strategy counterbalances the "performance" hit due to "statelessness"
Student how "Layered System" architecture enables a incremental evolutionary approach.
This lecture describes the (optional) REST constraint referred to as the "Code on Demand"
At the end of this lecture the Student will be able to evaluate the maturity level of an organization from the perspective of adoption of RESTful architecture & practices.
Test student's knowledge of REST architectural constraints.
Desigining REST API
Students will learn about the structure of the API Endpoint URL
Student will learn about:
- Conventions used for "Base URL"
- resource naming for REST API. Examples of how Facebook/Walmart ... are naming their resources
Describes how to implement the API CRUD operations. Covers the use of HTTP verbs, status codes and how to implement the support for multiple data formats.
You will be seeing the API(s) in actions. This lecture will provide you the steps to setup the local environment.
In this lecture students will learn how to create a simple API in Node. At the end of the lecture students are expected to be able to extend the vacations API to add more operations.
This quiz will test the student's understanding of how to implement basic operations & error handling for REST API.
REST API Error Handling Patterns
Students will how to implement error handling in REST API
Walk through of the code for demonstrating the error handling for REST API
Code available at https://www.github.com/acloudfan
Test student's knowledge of designing the error handling for their API
REST API Handling Change - Versioning Patterns
Students will learn about common changes required for API after they have been released. Also included is a discussion on practices for handling API changes.
- Breaking change & how to handle it
- Non-breaking change
Student will learn the common version strategies for the REST API. Also understand the API lifeservice from version perspective.
REST API Cache Control Patterns
Students will learn
- the benefits of Caching
- practices around what to cache and the design decisions
Student will lear how to use the HTTP cache control directive
API implementations can use the HTTP header Cache-Control to take advantage of the HTTP protocol built in support for caching. In this lecture students will learn the various directives (instructions) they can use for building API with cache support.
This lecture demonstrates the use of the HTTP caching header from the Node JS API.
Checks students knowledge of general concepts of caching and Cache-Control directives.
REST API Response Data Handling Patterns
Its common for many popular API providers (Facebook, LinkedIn, Pinterest...) to support partial response in their APIs. In this lecture student will learn the benefits of supporting partial responses and they will see a demo of building API with support for partial responses (ACME Hotels API)
Students will see the implementation of partial response pattern
In this lecture students will learn common ways in which Pagination support may be implemented in an API. At the end of this lecture they would learn how to build pagination in a MongoDB/Node application using the limit/skip functions
Checks students understanding of how to design API with support for partial responses and pagination
REST API Security
Student will learn about security aspects related to API:
- Authentication
- Authorization
- Functional attacks
Basic authentication is the simplest form of authentication that may be applied to the API. Student will learns concepts and then understand how to code Basic Auth in Node JS code.
Tests the student on their understanding of Basic authentication
Student will learn:
- What are tokens?
- Jason Web Token (JWT) standard
- Securing Node REST API with JWT
Checks student's understanding of Token based authentication and JWT
The API Key/Secret is the most common way the API providers protect the API. In this lecture student will learn about:
- implementation of the key/secret
- practices for the implementation of the key/secret
- technical considerations for implementing key/secret base auth
Tests students understanding of concept of client key & secret
Student will learn the concepts of OAuth2.0.
In this lecture, student will also learn how Spotify (Streaming music) has implemented the OAuth2 for their public API.
Tests student's understanding of concepts of API authorization and OAuth 2.0
Hackers are always looking for threats/vulnerabilities in publicly available API. Student will learn abut common types of attack. In the lecture the student will also see a demonstration of a "SQLInjection" attack.
REST API Specifications using Swagger 2.0 / OAI
In this lecture student will learn:
- contract first approach
- collaborative specifications development process
- different REST API specifications standard
- introduction to Swagger/OAI standard
Checks student's knowledge of basic concepts of REST API specifications
In this lecture student will get an overview of he Swagger/OAI + YAML specifications. Also discuss the various editor options for Swagger/OIA
Tests the student on their knowledge of Swagger
Students will learn:
- structure of the Swagger/OAI specs document
- about the tools for Swagger/OAI document editing
- to create the Swagger/OAI specifications in YAML format
Checks student's understanding of the specifications format
Student will learn how to define the following in Swagger/OAI specs:
- Request/response schema
- Security definitions
- Parameters
Student will learn how to create Paths/Operations in the Swagger/OAI specifications. Walkthrough of the developer documentation generated from the specifications.
Checks student's understanding of the Paths/Resources
API Management
In this lecture student will learn about the
- Activities that fall under the scope of API management
- Common API management infrastructure setup (Agent & Proxy model)
In this lecture student will learn about the practices for managing the API "Lifecycle" that has 5 stages.
How API developer productivity is enhanced by way of adoption of the API management platforms.
Demonstration of specification import process on the "Mulesoft" and "IBM API Connect" platform
Generate the API proxy on "Apigee" platform using the vacation specification generated in previous section. Apply policies to control the behavior of the API.
Student will learn about the essential features of the API developer portal. At the end of the lecture will be in a position to decide whether to build or buy a portal for their API.
At end of the lecture student will see how easily an off the shelf developer portal (Mulesoft) can easily be customized.
Students will learn about:
- security best practices
- the need for the minimal security (key) for the API
- how API management based solution can be used for key authentication (demo on Apigee)
Student will learn
- why an API provider MUST carry out traffic management
- about types of traffic management policies (Quota, Spike arrest, Rate limiting)
API Analytics is an important aspect of API management. There are multiple types of analytics collected on the API platform. Student will learn abut the common analytics collected on API platforms and how it can be leveraged by the developers.
Students will learn about the good practice that states "Treat your API like a product if you would like to sell it like a product".
Also the student will understand the
- concept of monetization
- various monetization models
- technology considerations from the realization perspective
