Issue
I am designing a REST API as a backend service for the Android app of a startup. The startup currently has a web version of their service with around 10k users. I have a couple of doubts regarding the design of web APIs:
- How do I make my API secure?
I want only the Android client to access the API and no one else. One way would be to send an encrypted token from the front-end and decrypt on the back-end. Is there any other way? Also, how should I implement it?
- How to make my API fast and efficient?
There is a particular endpoint which is accessed very frequently. The information on that endpoint does not change much, though. Therefore, requests that are made within a short time frame are most likely to return the same response. How do I make the response to such requests faster? Would ETag and Last-Modified do the job?
- Should I trust data from my client?
Currently, when I receive a request with some parameter, the only check I perform on the request is whether the parameter is null or not. For example, if a request has mobile as a parameter, I only check if the mobile parameter is present in the request. I do not perform other checks, like checking if the length of mobile is less than 10 and then throwing an exception.
EDIT: Anyone who feels that the question is 'too broad', please leave a comment so that I can edit the question and add any necessary details.
Solution
I'm working on a startup and I had pretty much the same problems to resolve. I think the only difference is in the first question because I decided to limit the API access only to authenticated users. However, here is how I solved my problems:
1. How to make my API secure?
As I wrote, I limited the API access only to authenticated users. I'm using token-based authentication with my own REST registration/authentication API endpoints based on the following packages:
If you'd like to use this solution, I suggest you also have a look at django-rest-auth.
2. How to make my API fast and efficient?
If you have "requests that are made within a short time frame and that are most likely to return the same response", I suggest you cache this response, something like this (simplest version):
    import time

    cache = {}            # endpoint -> (response, time it was stored)
    max_time_frame = 60   # seconds a cached response stays valid

    def get_response(endpoint, generate):
        cached = cache.get(endpoint)
        if cached and time.time() - cached[1] < max_time_frame:
            return cached[0]                       # response_in_cache, still fresh
        response = generate()                      # generate response
        cache[endpoint] = (response, time.time())  # save response in the cache (for next time)
        return response
You can also track your API performance using New Relic.
3. Should I trust data from my client?
Absolutely not! Try to use django-rest-framework for your RESTful API. It provides a class called Serializer which gives you a powerful way to control the input/output of your requests/responses. Here is an example:
Your serializer
    from rest_framework import serializers

    class CommentSerializer(serializers.Serializer):
        email = serializers.EmailField()
        content = serializers.CharField(max_length=200)
        created = serializers.DateTimeField()
Validation
serializer = CommentSerializer(data={'email': 'foobar', 'content': 'baz'})
serializer.is_valid()
# False
serializer.errors
# {'email': [u'Enter a valid e-mail address.'], 'created': [u'This field is required.']}
Have a look at the serializer documentation.
Answered By - marco.santonocito
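As an added example that is not part of the original question or answer, the following stdlib-only Python sketch ties together points 2 and 3 above: the mobile parameter is validated before anything else happens (rejecting a missing or malformed value with a 400 and per-field errors, the way a DRF serializer would), and the generated response is kept in a time-bounded cache and served with ETag and Last-Modified headers so a client sending If-None-Match gets a bodyless 304 while its copy is still current. The names (validate_lookup_params, CachedEndpoint, MAX_TIME_FRAME), the "exactly 10 digits" rule for mobile and the injectable clock are assumptions made for this example; it does not use Django or DRF.

```python
import hashlib
import json
import re
import time
from email.utils import formatdate

# --- 3. Never trust client data: validate before use -----------------------
# Assumed rule for the question's 'mobile' parameter: exactly 10 ASCII digits.
MOBILE_RE = re.compile(r"^[0-9]{10}$")


class ValidationError(ValueError):
    """Carries a {field: [messages]} dict, mirroring the serializer.errors shape."""

    def __init__(self, errors):
        super().__init__(errors)
        self.errors = errors


def validate_lookup_params(params):
    """Return a cleaned dict or raise ValidationError with per-field messages."""
    errors = {}
    mobile = params.get("mobile")
    if mobile is None:
        errors["mobile"] = ["This field is required."]
    elif not isinstance(mobile, str) or not MOBILE_RE.match(mobile):
        errors["mobile"] = ["Enter a 10-digit mobile number."]
    if errors:
        raise ValidationError(errors)
    return {"mobile": mobile}


# --- 2. Fast and efficient: TTL cache plus ETag / Last-Modified -------------
MAX_TIME_FRAME = 60  # seconds a generated response is reused (assumed value)


class CachedEndpoint:
    def __init__(self, generate, now=time.time):
        self.generate = generate  # callable producing the payload for a given key
        self.now = now            # clock is injectable so tests can move time
        self.cache = {}           # key -> (body, etag, stored_at)

    def _entry(self, key):
        """Return the cached (body, etag, stored_at), regenerating once it is stale."""
        entry = self.cache.get(key)
        if entry is None or self.now() - entry[2] >= MAX_TIME_FRAME:
            body = json.dumps(self.generate(key), sort_keys=True)
            # Strong ETag derived from the body: identical content -> identical tag.
            etag = '"' + hashlib.sha256(body.encode()).hexdigest() + '"'
            entry = (body, etag, self.now())
            self.cache[key] = entry
        return entry

    def handle(self, params, request_headers=None):
        """Return (status, headers, body); validation runs before cache or backend."""
        request_headers = request_headers or {}
        try:
            cleaned = validate_lookup_params(params)
        except ValidationError as exc:
            return 400, {}, json.dumps(exc.errors)
        body, etag, stored_at = self._entry(cleaned["mobile"])
        headers = {
            "ETag": etag,
            "Last-Modified": formatdate(stored_at, usegmt=True),
            "Cache-Control": "private, max-age=%d" % MAX_TIME_FRAME,
        }
        # Exact-match conditional GET: the client already holds this exact body.
        if request_headers.get("If-None-Match") == etag:
            return 304, headers, ""
        return 200, headers, body
```

The validation step deliberately runs first so that a malformed parameter never reaches the cache key or the backend lookup; the 304 path still returns the ETag and Cache-Control headers because a client is allowed to update its stored metadata from a 304. The If-None-Match comparison here is a single exact string; a production handler would also accept comma-separated lists and the `*` wildcard.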