Merge pull request #6 from leapfrogtechnology/rest-api

REST API Standards (Include Best practices for Methods, Headers, Versioning, Naming convention etc)

Author: anishmanandhar

docs/rest-api/delete.md

@@ -0,0 +1,24 @@
+---
+id: delete
+title: Delete Method
+sidebar_label: Delete
+---
+
+As the name applies, **DELETE** APIs are used to delete resources (identified by the Request-URI).
+
+A successful response of DELETE requests SHOULD be HTTP response code 200 (OK) if the response includes an entity describing the status, 202 (Accepted) if the action has been queued, or 204 (No Content) if the action has been performed but the response does not include an entity.
+
+DELETE operations are idempotent. If you DELETE a resource, it’s removed from the collection of resources. Repeatedly calling DELETE API on that resource will not change the outcome – however, calling DELETE on a resource a second time will return a 404 (NOT FOUND) since it was already removed. Some may argue that it makes the DELETE method non-idempotent. It’s a matter of discussion and personal opinion.
+
+If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.
+
+> * **/employees/{employee-id}**
+> * **/departments/{department-id}**
+
+|  Response code            |  Result/Reason |
+|---------------------------|------------------------------|
+|200 OK                     | Sucessfully deleted the Enity.|
+|401 (Unauthorized)         | Invalid Credentials/ Invalid Authentication |
+|403 (Forbidden)            | Invalid Authorization/ Insufficient rights/ Incorrect Role |  
+|405 (Method Not allowed)   | If API supports methods other than PUT request |
+|500 (Internal server error)| Server encountered an unexpected condition that prevented it from fulfilling the request.|

docs/rest-api/get.md

@@ -0,0 +1,25 @@
+---
+id: get
+title: Get Method
+sidebar_label: Get
+---
+
+Use **GET requests** to retrieve resource representation/information only – and not to modify it in any way. As GET requests do not change the state of the resource, these are said to be safe methods. Additionally, GET APIs should be **idempotent**, which means that making multiple identical requests must produce the same result every time until another API (POST/PUT/PATCH/DELETE) has changed the state of the resource on the server.
+
+> * **/employees**
+> * **/employees/{employee-id}/leaves**
+> * **/employees/{employee-id}/employee-reports**
+
+Use query params to filter response or get subset or limited resource.
+
+> * **/employees/{employee-id}/leaves?type={leave-type}&order-by={leave-date}**
+
+|  Response code            |  Result/Reason |
+|---------------------------|------------------------------|
+|200 OK                     | Sucessfully Fetched the Enity. <br/> Must include a response body. |
+|404 (Not found)            | If Entity not found for given ID or is invalid ID|
+|405 (Method Not allowed)   | If API supports methods other than GET request |
+|401 (Unauthorized)         | Invalid Credentials/ Invalid Authentication |
+|403 (Forbidden)            | Invalid Authorization/ Insufficient rights/ Incorrect Role |
+|410 (Gone)                 | Expired link/Server no longer serve this request.|
+|500 (Internal server error)| Server encountered an unexpected condition that prevented it from fulfilling the request. |

docs/rest-api/hateaos.md

@@ -0,0 +1,7 @@
+---
+id: hateaos
+title: HATEAOS
+sidebar_label: HATEAOS
+---
+
+#### HATEAOS

docs/rest-api/headers.md

@@ -0,0 +1,24 @@
+---
+id: headers
+title: Headers Best Practices
+sidebar_label: Headers
+---
+
+#### The following convention should be followed for REST API Headers
+
+* Headers names should be **noun**  and should be **Captialised-Case** separated by **(-)**. e.g  **Token-Key**, **Account-ID**, **Tenant-ID** etc
+
+* For cases like Acronym, use acronyms itself. eg. *PID-value*, *PIN*
+
+* Headers can be used for meta information that the API carries for e.g
+  * Authentication
+  * Authorization
+  * Versioning the API
+  * Content-Type
+  * Caching etc
+  * <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers" target="_blank">More Examples</a>
+
+* Avoid using headers for business logic
+
+* Use headers for parameters that should not appear in the URL 
+  * for e.g https://api.application.com/users/{id}/fetch?apiKey=abcd123456789 //**BAD Practice**

docs/rest-api/naming-convention.md

@@ -0,0 +1,51 @@
+---
+id: naming-convention
+title: Naming Convention
+sidebar_label: Naming Convention
+---
+
+In REST(**REpresentational State Transfer**), primary data **representation** is called **Resource**. Having a strong and consistent REST resource naming strategy – will definitely prove one of the best design decisions in the long term.
+
+* Use **noun** and **hyphenated-lower-case** for CRUD operations to an entity/resource/document. The **GET/POST/PUT/DELETE/PATCH** requests represents the corresponding CRUD operation for the following resources like employees, reports, leaves.
+  
+> * **/employees**
+> * **/employees/{employee-id}/leaves**
+> * **/employees/{employee-id}/employee-reports**
+
+* For cases of executable functions besides a basic CRUD operations, use **verb** and **hyphenated-lower-case**.
+
+> * **/customer/{customer-id}/check-validity**
+> * **/customer/{customer-id}/cart/checkout**
+
+* Use forward slash (/) to indicate hierarchical relationships
+  
+> **/customers/{customer-id}/accounts/{account-id}/balance**
+> **/category/{cateogry-id}/products/{product-id}/balance**
+
+* Do not use trailing forward slash (/) in URIs
+
+> * **/employees** //Good practice
+> * **/employees/{employee-id}/leaves/** //Bad practice
+
+* Use hyphens (-) to improve the readability of URIs
+  
+> * **/employees/{employee-id}/employee-reports** //Readable
+> * **/customer/{customer-id}/check-validity** //Readable
+>
+> * **/employees/{employee-id}/employeeReports** //Less Readable
+> * **/customer/{customer-id}/checkValidity** //Less Readable
+
+* Do not use file extentions and underscores
+
+> * **/employees/{employee-id}/employee-reports.pdf** /*Bad Practice*/
+> * **/employees/{employee-id}/employee_reports** /*Bad Practice*/
+
+* Never use CRUD function names in URIs
+  
+URIs should not be used to indicate that a CRUD function is performed. URIs should be used to uniquely identify resources and not any action upon them. HTTP request methods should be used to indicate which CRUD function is performed.
+
+> * GET Request  **/employees** // Get all employees
+> * POST Request  **/employees** // Create new employees
+> * GET Request  **/employees/{employee-id}** // Get one employee with given id
+> * PUT Request  **/employees/{employee-id}** // Update one employee with given id
+> * DELETE Request  **/employees/{employee-id}** // Delete one employee with given id

docs/rest-api/patch.md

@@ -0,0 +1,7 @@
+---
+id: patch
+title: Patch Method
+sidebar_label: Patch
+---
+
+#### The following convention should be followed for Patch

docs/rest-api/post.md

@@ -0,0 +1,21 @@
+---
+id: post
+title: Post Method
+sidebar_label: Post
+---
+
+Use **POST requests** to create new subordinate resources, e.g., a file is subordinate to a directory containing it or a row is subordinate to a database table. Talking strictly in terms of REST, POST methods are used to create a new resource into the collection of resources.Note that POST is **neither safe nor idempotent**, and invoking two identical POST requests will result in two different resources containing the same information (except resource ids).
+
+> * **/employees**
+> * **/departments**
+
+|  Response code            |  Result/Reason |
+|---------------------------|------------------------------|
+|201 (Created)              | Sucessfully Created the Enity. <br/> Must include a response body. |
+|202 (Accepted)             | Actions that take a long while to process/ Batch/Queue Oriented Process |
+|204 (No Content)           | When the REST API declines to send back any status message or representation in the response message’s body. Must not contains the response body|
+|401 (Unauthorized)         | Invalid Credentials/ Invalid Authentication |
+|403 (Forbidden)            | Invalid Authorization/ Insufficient rights/ Incorrect Role |
+|400 (Bad Request)           | Bad request object | validation error |
+|405 (Method Not allowed)   | If API supports methods other than POST request |
+|500 (Internal server error)| Server encountered an unexpected condition that prevented it from fulfilling the request.|

docs/rest-api/put.md

@@ -0,0 +1,21 @@
+---
+id: put
+title: Put Method
+sidebar_label: Put
+---
+
+Use **PUT** APIs primarily to update existing resource (if the resource does not exist, then API may decide to create a new resource or not). If a new resource has been created by the PUT API, the origin server MUST inform the user agent via the HTTP response code 201 (Created) response and if an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request.
+
+> * **/employees/{employee-id}**
+> * **/departments/{department-id}**
+
+|  Response code            |  Result/Reason |
+|---------------------------|------------------------------|
+|200 OK                     | Sucessfully updated the Enity. <br/> Must include a response body. |
+|204 (No Content)           | When the REST API declines to send back any status message or representation in the response message’s body. Must not contains the response body|
+|401 (Unauthorized)         | Invalid Credentials/ Invalid Authentication |
+|403 (Forbidden)            | Invalid Authorization/ Insufficient rights/ Incorrect Role |
+|400 (Bad Request)          | Bad request object | validation error |
+|404 (Not found)            |  If ID not found or invalid|
+|405 (Method Not allowed)   | If API supports methods other than PUT request |
+|500 (Internal server error)| Server encountered an unexpected condition that prevented it from fulfilling the request.|

docs/rest-api/security.md

@@ -0,0 +1,19 @@
+---
+id: security
+title: Security Method
+sidebar_label: Security
+---
+
+## Best Practices to Secure REST APIs
+
+* Always Use HTTPS.If you use HTTP 2, to improve performance – you can even send multiple requests over a single connection, that way you avoid the complete TCP and SSL handshake overhead on later requests.
+
+* Never expose information on URLs. <https://api.app.com/users/{id}/fetch?apiKey=abcd123456789> //Bad practice
+
+* Conside using token based authentication like OAUTH2
+
+* Consider Adding Timestamp in Request
+
+* Log each request and response data
+
+* Validate and sanitize incoming requests against data types, injections

docs/rest-api/versioning.md

@@ -0,0 +1,35 @@
+---
+id: versioning
+title: Versioning
+sidebar_label: Versioning
+---
+
+## Four common REST API versioning strategies
+
+### Versioning through URI Path (*recommended*)
+
+> <http://api.app.com/v1/products>
+>
+> One way to version a REST API is to include the version number in the URI path.This solution often uses URI routing to point to a specific version of the API. Because cache keys (in this situation URIs) are changed by version, clients can easily cache resources. When a new version of the REST API is released, it is perceived as a new entry in the cache.
+
+### Versioning through custom header
+
+> curl -H API-Version: 1.0” <http://api.app.com/products>
+>
+> This approach doesn’t clutter the URI with versioning information.
+
+### Versioning through query parameters
+
+> <http://api.app.com/products?version=1>
+>
+>Another option for versioning a REST API is to include the version number as a query parameter.
+
+### Versioning through content negotiation
+
+> curl -H “Accept: application/vnd.xm.device+json; version=1” <http://api.app.com/products>
+>
+>The last strategy we are addressing is versioning through content negotiation.
+>
+>This approach allows us to version a single resource representation instead of versioning the entire API which gives us a more granular control over versioning. It also creates a smaller footprint in the code base as we don’t have to fork the entire application when creating a new version. Another advantage of this approach is that it doesn’t require implementing URI routing rules introduced by versioning through the URI path.
+>
+>One of the drawbacks of this approach is that it is less accessible than URI-versioned APIs: Requiring HTTP headers with media types makes it more difficult to test and explore the API using a browser.