Representational State Transfer (REST) and HATEOAS

Representational State Transfer (REST)and HATEOAS

Service-Oriented Architecture

Computing + Mathematical SciencesAuckland University of Technology

Image used under Creative Commons from apasciuto http://flickr.com/apasciuto/

http://flickr.com/apasciuto/

REST APIs Example Scenario Pitfalls of REST Design More Leveraging HTTP REST Examples

Outline

1 REST APIsIdentification of ResourcesManipulation of ResourcesSelf-Descriptive MessagesHATEOAS

2 Example Scenario

3 Pitfalls of REST Design

4 More Leveraging HTTPHTTP Status CodesETags & Optimistic Locking

5 REST Examples

Service-Oriented Architecture | Representational State Transfer (REST) and HATEOAS 2/84


Outline


2 Example Scenario



5 REST Examples



Warning before we start!

REST != MVCDo not think in controllers, IDs, actions, models,views, plugins, helpers . . .In fact, do not think about implementation at all!



What is REST?Roy Fielding, “Father” of REST

REST is a coordinated set of architecturalconstraints that attempts to minimize latency andnetwork communication while at the same timemaximizing the independence and scalability ofcomponent implementations. This is achieved byplacing constraints on connector semantics whereother styles have focused on component semantics.REST enables the caching and reuse ofinteractions, dynamic substitutability ofcomponents, and processing of actions byintermediaries, thereby meeting the needs of anInternet-scale distributed hypermedia system.



What is REST?

8 REST is not a standard8 REST is not a protocol

REST is an architectural style for networked applicationsREST defines a set of simple principles(loosely followed by most API implementations)



What is REST?Advantages of REST

CacheableStatelessScalableFault-tolerantLoosely coupled



What is REST?Principles of REST

URL identifies a resourceURLs have a hierarchyMethods perform operations on resourcesOperation must be implicitHypermedia format to represent dataLink relations to navigate



What is REST?The Four Main Principles

1 Identification of resources2 Manipulation of resources3 Self-descriptive messages4 HATEOAS



Identification of ResourcesYou are doing it wrong . . . :-(

/index.php?action=getarticle&id=5

/default/article/5/4/6/size

Cacheable? Scalable? Readable?



Identification of ResourcesReadable and Maintainable!

/articles

We want all articles/articles/5/photos/4/comments/1

We want the first comment of the fourth photofor the fifth article/articles/5/photos/4/comments

We want all comments of the fourth photofor the fifth article

Cacheable! 4 Scalable! 4 Readable! 4



Identification of ResourcesFiltering through a Query String, not the URI

8 /photos/order/size/limit/5

8 /photos/limit/5/order/size

4 /photos?order=size&limit=5

4 /photos?limit=5&order=size



Manipulation of Resources

CreateRetrieveUpdateDelete

But please note: REST != CRUD



Manipulation of ResourcesCRUD to HTTP verb mapping

Create = POST

Retrieve = GET

Update = PUT (or PATCH)Delete = DELETE



Manipulation of ResourcesCreating a Resource

POST creates a new resourceBut the server decides on that resources URIExamples

WWW: Posting to Web log→ Server decides URI of posting

and any comments made on that post

Programmatic service: Creating a new employee record



Manipulation of ResourcesSafe Methods

Any client should be able to make the request. . . as many times as necessaryGET, OPTIONS, HEAD



Manipulation of ResourcesIdempotent Methods

Guarantees that the client can repeat the requestwhen it’s not certainx++ vs. x=4All methods except “POST”



Self-Descriptive Messages

Stateless!All information for processing is available:

How? (method + content-type)What? (URI)When? (preconditions)Who? (authentication)



Self-Descriptive MessagesHow: Method

GET /article/1234 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonAuthorization: OAuth oauth_nonce="123" ...If-None-Matched: absad12412414



Self-Descriptive MessagesHow: Content-Type




Self-Descriptive MessagesHow: Content-Type

application/vnd.mycompany.myapp-v1+json???The vnd name space is for proprietary media types(as opposed to the IANA registered ones)We want to “talk” JSON, not XML or othersWe wnat to “play” with API version 1.0 (not any other)General notes:

Interpret requests generouslyBe strict with responses



Self-Descriptive MessagesWhat




Self-Descriptive MessagesWhen




Self-Descriptive MessagesWho




Self-Descriptive Messages?Encoding

Google Trends chart: “XML API vs JSON API”(http://ur1.ca/ey5o6)

JSON feels more self-descriptive, too . . .


http://ur1.ca/ey5o6

http://ur1.ca/ey5o6


Self-Descriptive MessagesWADL?

We can describe RESTful XML Web Services(similar to WSDL)Web Application Description Language (WADL)(another XML grammar to describe HTTP-based webapplications)But we don’t need a static contract description

→ We want self-descriptive messages, dammit!



HATEOASHATEOAS to the rescue!

HATEOAS=

Hypermedia As The Engine Of Application State

→ Magic awesome sauce to improve REST!



HATEOAS

This is the hardest and of course,most important part of REST

. . . But it makes the API “explorable”!


Image used under Creative Commons from oliverkendal http://flickr.com/oliverkendal/

http://flickr.com/oliverkendal/


Links

Use links to allow clients todiscover locations and operationsLink relations are used to express optionsClients do not need to know URLsThis controls the state



Links

Links contain (adapted from Atom format’s link definition):The target (href, mandatory)A short relationship indication (rel, mandatory)(e. g. “details”, “payment”, “cancel”)The content type needed for the request (type, optional)The HTTP method (method, optional)See also:http://www.subbu.org/blog/2008/10/generalized-linking


http://www.subbu.org/blog/2008/10/generalized-linking


Outline


2 Example Scenario



5 REST Examples



Flight Booking APIState inside your REST API

The HATEOAS links indicate state transitions



Search for Specified Flights

POST /search?order=price&limit=5 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

{ "destination": "LAX","date": "2013-09-24","type": "firstclass"

}

Note:This is an operation on a non-CRUD controller resource



Returns a Collection of Flights

HTTP/1.1 200 OKContent-type: application/vnd.mycompany.myapp-v1.0+json

{ "flights": [{ "flightno": "NZ1234", "time": "4:20","links": [{ "href": "/flight/15263", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" },

{ "href": "/booking", "method": "POST","rel": "confirm", "type": "application/vnd.mycompany.myapp+json" },

]},{ "flightno": "EH123", "time": "3:55","links": [{ "href": "/flight/523525, "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" },


]}]

}



Returns a Collection of Flights


{ "flights": [{ "flightno": "NZ1234", "time": "4:20","links": [{ "href": "/flight/15263", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" },


]},{ "flightno": "EH123", "time": "3:55","links": [{ "href": "/flight/523525, "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" },


]}]

}



Confirm a Specific Flight

POST /booking HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

{ "flight": "/flight/15263","seat": "42A","meal": "vegetarian"

}

HTTP/1.1 401 Authentication required



Confirm a Specific Flight. . . with more info

POST /booking HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonAuthorization: OAuth ...

{ "flight": "/flight/15263","seat": "42A","meal": "vegetarian"

}

HTTP/1.1 201 CreatedLocation: /booking/1616163



What can we do with our booking?

OPTIONS /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAuthorization: OAuth ...

HTTP/1.1 200 OKAllow: GET, PUT, DELETE



Cancel our booking!

DELETE /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAuthorization: OAuth ...

HTTP/1.1 204 No content



Still need to Pay for the Flight

GET /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonAuthorization: OAuth ...


{ "flight": {"flightno": "NZ1234", "time": "4:20","links": [{ "href": "/flight/15263", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" } ]

},"payment": {"status": "Not paid","links": [{ "href": "/payment/booking/1616163", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" },

{ "href": "/payment/booking", "method": "POST","rel": "pay", "type": "application/vnd.mycompany.myapp+json" },

{ "href": "/booking/1616163", "method": "DELETE","rel": "cancel", "type": "application/vnd.mycompany.myapp+json" },

]}

}



Pay through another resource

POST /payment/booking HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonAuthorization: OAuth ...

{ "booking": "/booking/1616163","cardno": "4111-1111-1111-1111","expires": "04/2014","name": "Guy Kloss","amount": { "currency": "NZD",

"value": 1414.00 }}

HTTP/1.1 201 CreatedLocation: /payment/booking/54321



Can’t delete booking (already paid)

OPTIONS /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAuthorization: OAuth ...

HTTP/1.1 200 OKAllow: GET



We can fetch our e-Ticket now

GET /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonAuthorization: OAuth ...


{ "flight": {"flightno": "NZ1234","time": "4:20","links": [ { "href": "/flight/15263", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" } ]

},"payment": {"status": "Paid in full""links": [ { "href": "/payment/booking/54321", "method": "GET","rel": "details", "type": "application/vnd.mycompany.myapp+json" } ]

},"links": [ { "href": "/eticket/12415156261616", "method": "GET","rel": "eticket", "type": "application/pdf" } ]

}



Outline


2 Example Scenario



5 REST Examples



(Common) Pitfalls of REST Design

VersioningMethods in URIOne URI per resourceController resources & non-CRUD



Versioning

8 /api/v1.1/article/1234/photos

8 /api/v1.2/article/1234/photos

Different resources?



Versioning

OK:GET /api/article/1234/photos HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp+json ; version = 1.0

4 Better:GET /api/article/1234/photos HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

GET /api/article/1234/photos HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1.1+json

GET /api/article/1234/photos HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v5.0.4a+json



Versioning

Why? It doesn’t break the resource’s URI→ Same resource→ Easier to evolve!

See also:http://barelyenough.org/blog/2008/05/versioning-rest-web-services/


http://barelyenough.org/blog/2008/05/versioning-rest-web-services/


Methods in URI

/api/get/articles/1234/photos

/api/articles/new

/api/articles/list

Don’t use verbs in REST URIs!



One URI per Resource

/api/article/1234

/api/article/red+teddybear

Different resources!?!



One URI per Resource

If you must . . .

GET /api/article/red+teddybear HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

HTTP/1.1 302 FoundLocation: /api/article/1234



Controller Resources & Non-CRUD

Outside the CRUD?Multiple operations simultaneously?



Controller Resources & Non-CRUDPOST /distance HTTP/1.1Host: www.mycompany.co.nzAccept: application/jsonContent-type: application/json;charset=UTF-8

{ "from": "Auckland, NZL","to": "Hamilton, NZL"

}

or:

GET /distance?from=...&to=... HTTP/1.1Host: www.mycompany.co.nzAccept: application/json

HTTP/1.1 200 OKContent-length: 123Content-type: application/json

{ "km": 127.5,"miles": 78.9

}



Controller Resources & Non-CRUD

POST /user/gkloss/address_merge HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonContent-type: application/csv;charset=UTF-8

John Doe, 1 Main Street, Seattle, WAJane Doe, 100 North Street, Los Angeles, CA

HTTP/1.1 303 See otherLocation: /user/gkloss/addressbook



Outline


2 Example Scenario



5 REST Examples



More Important Stuff

HTTP Status codesETags



HTTP Status Codes

Status codes are importantThey represent the result of your actions

See: http://en.wikipedia.org/wiki/Http_status_codes


http://en.wikipedia.org/wiki/Http_status_codes


HTTP Status Codes

1xx → Informational2xx → Success3xx → Redirection4xx → Client error5xx → Server error



HTTP Status CodesImportant 2xx Codes

200 OK→ Resource returned201 Created→ Resource created204 No content→ Resource deleted




301 Moved Permanently→ Resource reorganised302 Found→ Redirection for specific object (e. g. search)303 Other→ A redirect due to an operation304 Not modified→ Resource wasn’t changed




400 Bad request→ Incorrect payload401 Unauthorized→ Not authorized to operate403 Forbidden→ Not authorized to operate404 Not found→ Resource was not found405 Method not allowed→ Method incorrect406 Not acceptable→ Cannot return in correct format412 Precondition failed→ “ETag mismatch”(418 I’m a teapot→ Hyper Text Coffee Pot Control Protocol)



HTTP Status Codes

501 Not implemented vs. 405 Method not allowed409 Conflict vs. 412 Precondition failed

→ de·bat·a·ble/di’batUbUl/Adjective



Useful HTTP Headers

If-Unmodified-Since

(problem: only 1 second granularity)If-Match and If-None-Match

(used with ETag value)Remember: State can change in the meantime



ETags & Optimistic Locking

GET /blogpost/12345 HTTP/1.1Host: www.mycompany.co.nz

HTTP/1.1 200 OKContent-length: 12340Content-type: application/jsonETag: abcd-1234

{ "author": "Guy Kloss","title": "Frobnification of Sub-Marine Vehicles",...

}



ETags & Optimistic LockingFor Caching

GET /blogpost/12345 HTTP/1.1Host: www.mycompany.co.nzIf-None-Match: abcd-1234

HTTP/1.1 304 Not modified

→ Blog post is cached and can be used



ETags & Optimistic LockingFor Concurrency Protection

PATCH /blogpost/12345 HTTP/1.1Host: www.mycompany.co.nzIf-Match: abcd-1234

{ "author": "Heinrich von Zinkeduetten" }

HTTP/1.1 412 Precondition failed

Blog post was concurrently modified by “someone”HTTP PATCH performs a partial update



Outline


2 Example Scenario



5 REST Examples



An XML ExampleJust to show you, it does work with XML, too.

PUT /booking/1616163 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+xmlAuthorization: OAuth ...

<booking><flight>/flight/15263</flight><seat>17F</seat><meal>halal</meal>

</booking>

HTTP/1.1 200 OKConent-type: application/vnd.mycompany.myapp-v1.0+xml

<booking><link rel="details" href="/booking/1616163"

method="GET" type="application/vnd.mycompany.myapp+xml"><link rel="payment" href="/payment/booking"

method="POST" type="application/vnd.mycompany.myapp+xml"><link rel="cancel" href="/booking/1616163"

method="DELETE" type="application/vnd.mycompany.myapp+xml"></booking>



Creating a Resource

POST /articles HTTP/1.1Host: www.mycompany.co.nzContent-type: application/vnd.mycompany.myapp-v1+json

{ "name": "Teddybear","colour": "red","stock": 15,"price": { "EUR": 15.95,

"NZD": 26.95 }}

HTTP/1.1 201 CreatedLocation: /articles/1234



Getting a Resource Collection

GET /articles HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

HTTP/1.1 200 OKContent-length: 12345Content-type: application/vnd.mycompany.myapp-v1.0+jsonDate: sun, 08 Aug 2013 12:34:56 NZST

{ "articles": [{ "name": "Rubic’s Cube","links": [ { "href": "/articles/1233", "method": "GET",

"rel": "article", "type": "application/vnd.mycompany.myapp+json" } ]},{ "name": "Teddybear","links": [ { "href": "/articles/1234", "method": "GET",

"rel": "article", "type": "application/vnd.mycompany.myapp+json" } ]}]

}



Getting a Resource

GET /articles/1234 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

HTTP/1.1 200 OKContent-length: 12345Content-type: application/vnd.mycompany.myapp-v1.0+jsonETag: 23709-12135125Date: sun, 08 Aug 2013 12:34:56 NZST

{ "name": "Teddybear","manufacturer": "Steiff","colour": "red","stock": 30,...

}

HTTP/1.1 404 Not foundContent-length: 0Date: sun, 08 Aug 2013 12:34:56 NZST



Deleting a Resource

DELETE /articles/1234 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+json

HTTP/1.1 204 No contentContent-length: 0Date: sun, 08 Aug 2013 12:34:56 NZST



Updating a Resource

PUT /articles/1234 HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonIf-Match: 23709-12135125

{ "name": "Teddybear","manufacturer": "Steiff","colour": "red","stock": 30,"price": { "EUR": 15.95,

"NZD": 26.95 }}

HTTP/1.1 200 OKContent-length: 0Date: sun, 08 Aug 2013 12:34:56 NZST

HTTP/1.1 412 Precondition failedContent-length: 0Date: sun, 08 Aug 2013 12:34:56 NZST

Idempotent!Service-Oriented Architecture | Representational State Transfer (REST) and HATEOAS 75/84


Updating a Resource

PUT is an idempotent operationIt (completely) replaces the contentof the whole resourceConsider PATCH for partial updates!



Controller Resources (Non-CRUD)Revisited . . .

POST /user/gkloss/address_merge HTTP/1.1Host: www.mycompany.co.nzAccept: application/vnd.mycompany.myapp-v1+jsonContent-type: application/csv;charset=UTF-8

John Doe, 1 Main Street, Seattle, WAJane Doe, 100 North Street, Los Angeles, CA

HTTP/1.1 303 See OtherLocation: /user/gkloss/addressbook



Conclusion

Web-based services are about state machinesand business protocols→ The HATEOAS constraint from REST

What can be called “RESTful” depends on who you ask(it’s not a formally accepted definition)

Some say: You are not RESTful without hypermediaI say: REST is about Representational State Transfer,and hypermedia is an add-on (though very important)

4 There are still good APIs without hypermedia(e. g. Amazon S3)

8 There are very bad APIs (pretending to be RESTful)(e. g. Twitter API)

If in doubt, certain APIs can be considered “RESTish”Certain ones are definitely no more than RESTish!



Comparison REST vs. SOAP



Comparison REST vs. SOAP

Both are request/response type servicesSOAP is more an RPC-style API (procedures with verb)REST is about REST (duh!)SOAP has strictly defined interfaces,and the communication can be verifiedREST is more about evolving APIs,and making them explorable through hypermediaBells’n’whistles in SOAP, but can be found in REST(less obvious, less used: WADL, JSON schema, . . . )Use . . .

SOAP for well managed “corporate-style” consumersREST for many, less-defined “citizen consumers”REST if the API is likely to evolve



More Reading

Wikipedia: Representational State Transferhttp://en.wikipedia.org/wiki/Representational_State_Transfer

Roy Fielding’s PhD dissertation coming up with the REST idea:http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

“RESTful Web Services Cookbook –Solutions for Improving Scalability and Simplicity”http://oreilly.com/catalog/9780596801694


http://en.wikipedia.org/wiki/Representational_State_Transfer

http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

http://oreilly.com/catalog/9780596801694


More ReadingOnline Slide Presentations

“Designing HTTP Interfaces and RESTful Web Services”http://www.slideshare.net/Wombert/

designing-http-interfaces-and-restful-web-services-dpc2012-20120608

“HATEOAS: The Confusing Bit from REST”http://www.slideshare.net/adorepump/

hateoas-the-confusing-bit-from-rest

“REST in Practice”http://www.slideshare.net/guilhermecaelum/rest-in-practice

“RESTful Web APIs with Python, Flask and MongoDB”https://speakerdeck.com/nicola/

developing-restful-web-apis-with-python-flask-and-mongodb


http://www.slideshare.net/Wombert/designing-http-interfaces-and-restful-web-services-dpc2012-20120608

http://www.slideshare.net/Wombert/designing-http-interfaces-and-restful-web-services-dpc2012-20120608

http://www.slideshare.net/adorepump/hateoas-the-confusing-bit-from-rest

http://www.slideshare.net/adorepump/hateoas-the-confusing-bit-from-rest

http://www.slideshare.net/guilhermecaelum/rest-in-practice

https://speakerdeck.com/nicola/developing-restful-web-apis-with-python-flask-and-mongodb

https://speakerdeck.com/nicola/developing-restful-web-apis-with-python-flask-and-mongodb

��

��

�� !�"#�$%�#��&'()��*��'�)+�'(��&��#(''",--�./"&0)�/)#1-

�%�%��&�)��%��

2��(��'��304��

��%*�#!%'&�)+

��0(�)�)1& !��

5�%#��3��*�!

63%��%�157��!)

4�)��!�23%��%�1

5�85��'�� !�0%'&

0�$"3!/

��96��

:;<

��

��9� ��

� �=�6� ��

6��

http://nz.pycon.org/

Questions? Image used under Creative Commons from Boston Public Libraryhttp://flickr.com/boston_public_library/

http://flickr.com/boston_public_library/

Representational State Transfer (REST) and HATEOAS

Technology

Transcript of Representational State Transfer (REST) and HATEOAS