Articles/etc | Protocols - REST
This is a follow-up post to my post here. You probably want to read that first. UPDATE: Please note that 'REST is over'. 'Hypermedia API' is the proper term now.

A few words on standards versus pragmatism
Since I've posted this, I've refined a few of my positions on things. Everyone learns and grows, and while I still stand by most of what I said, I specifically don't agree that versioning the media type is how to properly version APIs. Hypermedia APIs should not actually use explicit versioning, but I'd rather see a version in the URI with HATEOAS than no HATEOAS and versioned media types.
Posted by Stefan Tilkov on Dec 10, 2007 (Sections: Enterprise Architecture, Architecture & Design)
Posted by Stefan Tilkov on Mar 13, 2008 (Sections: Enterprise Architecture, Architecture & Design; Topics: WS-ReliableMessaging)
Posted by Stefan Tilkov on Jun 01, 2007 (Sections: Enterprise Architecture, Architecture & Design; Topics: Web Services)
Posted by Stefan Tilkov on Jul 02, 2008
Buzzwords can be a funny thing. I’ve been writing (what I thought were) ‘RESTful’ web apps and APIs for five years now, and it wasn’t until a couple of weeks ago that I really began to understand what that meant. I’d like to share my ‘AHA’ moment, and give a concrete example of why following the REST style correctly can save you headaches in the long run. TL;DR: A RESTful API should provide hypertext links to drive traversal through itself, instead of forcing the client to craft their own URIs. Many have complained about the font on my site, but I personally like it. If you’re having trouble with it though, just click here.
Managing changes to APIs is hard. That is no surprise to anyone who has ever maintained an API of any sort.
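The two excerpts above make the same point from opposite ends: a client that follows links survives URI changes, while a client that crafts URIs from documentation breaks when the layout moves. The following is an added example, not code from any of the quoted posts, that runs both kinds of client against a simulated server across two releases. The release data, the "orders" link relation and the entry point are this example's own assumptions. It also adds the check a practitioner wants in a link-following client: refuse links that leave the origin, because a client that blindly follows any URI the server hands it will send its credentials wherever it is pointed.

```python
"""Added example, not code from any of the posts quoted above: a client that
follows link relations versus one that crafts URIs, run against a simulated
server whose URI layout changes between releases. The server data and the
link relation name ("orders") are this example's own assumptions."""
from urllib.parse import urlsplit

# Constructed "server" responses for two releases. The entry point "/" and the
# link relation "orders" are stable; the URI behind the relation moves in v2.
RELEASE_V1 = {
    "/": {"links": {"orders": "/orders"}},
    "/orders": {"items": [{"id": 17, "total": 42.0}, {"id": 18, "total": 9.5}]},
}
RELEASE_V2 = {
    "/": {"links": {"orders": "/api/v2/orders"}},
    "/api/v2/orders": {"items": [{"id": 17, "total": 42.0}, {"id": 18, "total": 9.5}]},
}
# A malicious or compromised server that points the client at another host.
RELEASE_EVIL = {"/": {"links": {"orders": "https://attacker.example/orders"}}}


def get(server, uri):
    """Simulated HTTP GET: returns the JSON body, or None for a 404."""
    return server.get(uri)


def follow(server, link):
    """Follow a link only if it is a same-origin, absolute-path reference.
    A hypermedia client that follows any URI the server hands it will send
    its credentials wherever it is pointed, so refuse off-origin links."""
    parts = urlsplit(link)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError(f"refusing to follow off-origin link: {link}")
    return get(server, link)


def order_ids_by_crafting(server):
    """Client written against the documented URI template: /orders."""
    body = get(server, "/orders")
    return None if body is None else [o["id"] for o in body["items"]]


def order_ids_by_hypermedia(server):
    """Client that knows only the entry point and the 'orders' relation."""
    root = get(server, "/")
    body = follow(server, root["links"]["orders"])
    return None if body is None else [o["id"] for o in body["items"]]


def compare(server):
    """Run both clients against one release and report what each gets back."""
    return {
        "crafting": order_ids_by_crafting(server),
        "hypermedia": order_ids_by_hypermedia(server),
    }


if __name__ == "__main__":
    for name, release in (("v1", RELEASE_V1), ("v2", RELEASE_V2)):
        print(name, compare(release))
```

Against v1 both clients return the same order ids; against v2 the crafting client gets a 404 (None here) while the link-following client is unaffected, which is the maintenance argument in the excerpts. The off-origin check is the corresponding security argument: hypermedia moves control over navigation to the server, so the client has to decide which links it is willing to trust.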
Situation
You want to develop a RESTful web API for developers that is secure to use, but doesn’t require the complexity of OAuth and takes a simple “pass the credentials in the query” approach… or something equally-as-easy for people to use, but it needs to be secure. You are a smart guy, so you start to think…

Problem
You realize that literally passing the credentials over HTTP leaves that data open to being sniffed in plain-text; after the Gawker incident, you realize that plain-text or weakly-hashed anything is usually a bad idea. You realize that hashing the password and sending the hash over the wire in lieu of the plain-text password still gives people sniffing at least the username for the account and a hash of the password that could (in a disturbing number of cases) be looked up in a Rainbow Table.
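The excerpt above states the problem but stops before the fix. As an added example, not the post's own code, the block below first shows concretely what a passive sniffer gets from the "send sha1(password) in the query" scheme (the username in clear, the password via a precomputed table, and a hash that the server accepts on replay forever), and then one way to keep the secret off the wire: an HMAC over the request that includes a timestamp and a nonce, in the style of AWS request signing. The header names, the canonical-string layout, the lookup table and the sample users are this example's own assumptions.

```python
"""Added example, not the quoted post's own code: (1) why sending
sha1(password) instead of the password does not help against a sniffer, and
(2) one way to keep the secret off the wire entirely, an HMAC over the request
with a timestamp and nonce, in the style of AWS request signing. The header
names, the canonical string format and the sample users are this example's
own assumptions."""
import hashlib
import hmac
import secrets
import time


# --- The scheme the post warns about: ?user=...&pwhash=sha1(password) ---------
def weak_query(user, password):
    """What the client puts on the wire. The username is plain text and the
    hash is unsalted, so it can be looked up in a precomputed table."""
    return f"user={user}&pwhash={hashlib.sha1(password.encode()).hexdigest()}"


def weak_server_accepts(query, stored_hashes):
    """Server check for the weak scheme: compare the sent hash to the stored one.
    A sniffed query passes this forever; the hash is a replayable password."""
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    return hmac.compare_digest(stored_hashes.get(params["user"], ""), params["pwhash"])


# Constructed stand-in for a rainbow table: unsalted SHA-1 of a few common passwords.
LOOKUP_TABLE = {
    hashlib.sha1(p.encode()).hexdigest(): p for p in ("123456", "password", "letmein", "qwerty")
}


def attacker_recovers(sniffed_query):
    """What a passive sniffer learns: the username, and the password if its
    unsalted hash is in the table."""
    params = dict(kv.split("=", 1) for kv in sniffed_query.split("&"))
    return params["user"], LOOKUP_TABLE.get(params["pwhash"])


# --- A signed-request scheme: the secret never leaves client or server --------
def canonical_request(method, path, body, timestamp, nonce):
    """Deterministic string both sides build; any change to it breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(timestamp), nonce]).encode()


def sign_request(method, path, body, key_id, secret, timestamp=None, nonce=None):
    """Client side: produce the headers that accompany the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, canonical_request(method, path, body, timestamp, nonce), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce,
            "X-Signature": mac.hexdigest()}


class RequestVerifier:
    """Server side: recompute the MAC, bound the clock skew, reject replays."""

    def __init__(self, secrets_by_key_id, max_skew_seconds=300, now=time.time):
        self.secrets = secrets_by_key_id
        self.max_skew = max_skew_seconds
        self.now = now            # injectable clock so the check is testable
        self.seen_nonces = set()  # (key_id, nonce) pairs inside the skew window

    def verify(self, method, path, body, headers):
        key_id = headers.get("X-Key-Id")
        secret = self.secrets.get(key_id)
        if secret is None:
            return False
        try:
            timestamp = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(self.now() - timestamp) > self.max_skew:
            return False                       # stale or far-future request
        nonce = headers.get("X-Nonce", "")
        if (key_id, nonce) in self.seen_nonces:
            return False                       # replay of a captured request
        expected = hmac.new(secret, canonical_request(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False                       # tampered or wrongly keyed
        self.seen_nonces.add((key_id, nonce))
        return True


if __name__ == "__main__":
    sniffed = weak_query("alice", "password")
    print("sniffer learns:", attacker_recovers(sniffed))
    secret = secrets.token_bytes(32)
    headers = sign_request("GET", "/orders", b"", "key-1", secret)
    verifier = RequestVerifier({"key-1": secret})
    print("first:", verifier.verify("GET", "/orders", b"", headers),
          "replay:", verifier.verify("GET", "/orders", b"", headers))
```

Two caveats a practitioner should keep in mind. The signature scheme protects the credential and the integrity of the signed fields; it does not hide the request body or the response, so it is a complement to TLS, not a replacement. And the nonce set only has to remember nonces inside the skew window; anything older is already rejected by the timestamp check, so the set can be pruned on that basis.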
Yesterday there was a popular post on Hacker News about Designing Secure REST API without OAuth. I don’t agree that OAuth is unsuitable and I’ll introduce my way shortly. This post is intended to be a reply on this topic. In our new startup (ollaa.com), we (3 undergrad co-founders) are basically developing a mobile social network that has iOS/Android clients communicating with the server via a REST API.
Every time someone mentions RESTful web services, there’s always that one person that has to chime in: “That’s not really RESTful, it’s just kinda RESTful.” I’d always filed that information away, under ‘things to learn later,’ and let it simmer in the back of my brain. I’ve finally looked into it, and they’re absolutely right: 99.99% of the RESTful APIs out there aren’t fully compliant with Roy Fielding’s conception of REST. Is that bad?