This article is part 2 of a series showing how to prepare, design, and implement a RESTful API. After setting up the grounds in the first part, this time we are going to look at how an API is designed, what concerns we should have in mind when doing that. But first, we will have a look at what REST is, and what are the architectural constraints it imposes on a system.
Representational State Transfer is an application architectural style that, instead of imposing specific technology choices, defines a set of constraints for the software system to follow. This way, the actual implementation details can change, while still taking advantage from the overall benefits of the RESTful approach.
A resource represents any information that can be named. Usually resources are concepts within the application domain, no matter if they refer to concrete concepts such as persons, or to virtual ones like files. A starting point of visualising it for those familiar with OOP is to use a 1-to-1 mapping with the domain model classes. Since we are going to build an application tracking vehicle data, we can say that one resource is vehicle, another one its insurance. The difficulty of explaining this term comes from the fact that aspects particular to the business can dictate deviations from the most intuitive way of representation, without this breaking the validity.
REST has been formally described by Roy J. Fielding in his PhD thesis. He started from a system with no distinguished boundaries between its components, and incrementally applying five mandatory constraints and an optional one to elements within the architecture:
client-server: separates UI concerns from data storage
stateless: keep session details entirely on the client, and free the server from dealing with it, in order to allow scalability, reliability, and visibility; the downside is that each request needs to contain enough context in order to get processed
cache: data within a response must be labeled as cacheable or non-cacheable
uniform interface between components, as defined by the following four interface sub-constraints: identification of resources; manipulation of resources through representations; self-descriptive messages; and hypermedia as the engine of application state (aka HATEOAS)
layered system: component can only "see" and interact with layers immediate to it; for example, clients cannot assume they interact directly with the data source, as they can be talking to a cache layer
Representation is a part of the resource state that is transferred between the client and the server. It usually refers to the current state of the resource, but it can also indicate its desired state, you can think of this as the client performing an action dry-run when making the request.
While not a constraint itself, the communication mechanisms offered by HTTP are the choice of most people implementing REST. We are going to use HTTP as well, and use its powerful verbs to define operations on our resources. Let's use the common calendar paradigm to quickly illustrate the difference between resources and their representations, by showing an .ics representation first:
GET /calendar/123sample
Host example.dev
Accept: text/calendarcould return something similar to
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Tekkie Consulting//123sample//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:Europe/Bucharest
END:VTIMEZONE
BEGIN:VEVENT
UID:123456789@example.dev
DTSTART;TZID=Z:20150311T123456
DTEND;TZID=Z:20150311T125959
END:VEVENT
END:VCALENDARIf we ask for a JSON representation of the same resource
GET /calendar/123sample
Host example.dev
Accept: application/jsonit might look like this:
{
"version": "2.0",
"creator": {"company": "Tekkie Consulting", "product": "123sample"},
"type": "Gregorian",
"language": "English",
"timezone": {
"id": "Europe/Bucharest"
},
"events": [{
"id": "123456789@example.dev",
"start": "2015-03-11T12:34:56.000Z",
"end": "2015-03-11T12:59:59.000Z"
}]
}For the remaining of this article series we will choose JSON as the representation default of our resources.
In order to specify how our API will behave, we want to use Behaviour Driven Development. In this section we are going to introduce some concepts and tools to help with that. Setting this up will be very helpful when we will need to write down the requirements as user scenarios.
There are two main keywords that arise in discussions about doing BDD in PHP. The most popular is Behat, which uses Gherkin to specify the requirements in a business-like language. The other one is Codeception, which uses PHP code that is human readable to do the same, but in addition offers a group of tools to write all your tests in (acceptance, functional, as well as unit tests).
I have used Behat quite a lot in my Symfony projects, so I naturally tried to take the simple route and install it first, using $ composer install behat/behat. I noticed packaging conflicts because Behat wanted to use symfony/event-dispatcher ~2.1 but I was already using 3.0.1. So, instead of even attempting to fix that by imposing more strict requirements on my existing packages, I just decided I long wanted to give Codeception a try anyway, as others told me they absolutely love it in their day to day flow. No more nice text Gherkin spec files to share with the business people, back to 100% PHP!
So I went on and installed it using the Composer method, which worked perfectly, no digging required:
$ composer install codeception/codeceptionand then bootstrap it
$ vendor/bin/codecept bootstrapWe notice a new folder called /tests/ in our root directory has been populated with a lot of goodness.
As we are in development mode, we start our application locally using the built-in PHP server:
$ php -S localhost:12345 -t webso we will make sure this URL is properly configured under tests/acceptance.suite.yml.
Next we will generate a basic acceptance test by running:
$ vendor/bin/codecept generate:cept acceptance WelcomeOur tests/acceptance/WelcomeCept.php will contain a very simplistic test, that only checks the status route:
$I = new AcceptanceTester($scenario);
$I->wantTo('check the status route');
$I->amOnPage('/');
$I->see('Up and running.');And the results are indeed what we expect:
$ vendor/bin/codecept run
Codeception PHP Testing Framework v2.1.5
Powered by PHPUnit 4.8.21 by Sebastian Bergmann and contributors.
Acceptance Tests (1) ---------------------------------------------
Check the status route (WelcomeCept) Ok
------------------------------------------------------------------
Functional Tests (0) ------------------------
---------------------------------------------
Unit Tests (0) ------------------------------
---------------------------------------------
Time: 214 ms, Memory: 11.25Mb
OK (1 test, 1 assertion)The acceptance tests of Codeception are usually much slower than functional ones, as they require a web server to run tests. Fortunately, functional tests are going to be very good at describing our intended functionality, so we are going to use those instead. Let's enable the Silex module first, by adding it to tests/functional.suite.yml:
class_name: FunctionalTester
modules:
enabled:
- Silex:
app: 'app/bootstrap.php'
- \Helper\FunctionalAs we have seen in the REST introductory section, a key concept in this architecture style are resources, as everything else gravitates around them. Therefore I recommend going through the list of domain concepts first, and identify what our resources would be:
vehicle - the main concept describing the central resource of our application
road tax - has a start and end date of validity, and is associated to a vehicle
insurance - similar properties to road tax, but is a distinct concept
Now that we know what our application resources are, what are the operations we define on each? We are certainly interested to be able to create, update, and retrieve vehicle information. Then we need to add and retrieve road tax details, add and retrieve technical checks, as well as add and retrieve insurance information.
All the above operations look strikingly similar to CRUD operations (part of them are missing in our list for domain reasons). So let's go ahead and define the full list of CRUD operations on a vehicle resource:
Read information about all vehicles
GET /vehicles
If there are no vehicles, we will receive 200 OK status and a body of []
If there are items in the storage, we will receive 200 OK status and a body containing all of them, like [{ "name": "family car", "make": "Mazda", "model": "3", "registration": "AB10TKK", "VIN": "JMZBLA2F701213123", "engine": "1999", "emissions": "175", "registered": "2010-10-01T12:23:45Z" }]
500 Internal Server Error will be issued. It is the catch-all error for unrecoverable errors, when "it's the server's fault" and we can't offer recovery options to the client. This will be the case for all operations, so we will not repeat the information further.Create a vehicle
POST /vehicles/
Request body will contain all the data about our car, for example { "name": "family car", "make": "Mazda", "model": "3", "registration": "AB10TKK", "VIN": "JMZBLA2F701213123", "engine": "1999", "emissions": "175", "registered": "2010-10-01T12:23:45Z" }
On successful creation of the resource, we expect a 200 OK status code (some recommend using 201 Created instead) and the body to contain the same data we sent, plus the ID this resource has received in the backend.
400 Bad Request status code and a body describing the problem: { "VIN": "mandatory" }Read information about a specific vehicle
GET /vehicles/{id}
If the vehicle with the given ID exists, we expect a 200 OK status code and the body to contain relevant data about it.
404 Not Found and an empty response body.Update
PUT /vehicles/{id}
If the vehicle with the given ID exists, we expect a 200 OK status code and the body to contain relevant data about it.
400 Bad Request status code and a body describing the problem: { "VIN": "mandatory" }Delete
DELETE /vehicles/{id}
If there is a vehicle with that ID, it will be removed from the system and a 200 OK status code with an empty body will be returned.
404 Not Found and an empty response body.The dates are present here in ISO 8601 standard, to maintain dates in a timezone-aware format. Facebook had to switch in 2012 entire events API to account for timezone issues.
We will not go into further detail on operations about road tax, technical check and insurance, as they are very similar to those described above.
It is important to offer a consistent API, first of all for our sanity, and then for the benefits of any 3rd party consuming it. This is very easy to explain with the public-published distinction that Martin Fowler makes. Once something is published, making changes to it requires a complex process of deprecating existing functionality, offering new one on a different URI, which takes more time and effort than a normal code update.
An important aspect to consider upfront is the API versioning. Some API designers prefer to define the version in the base URL, like GitHub which uses the version number, or like Twilio who uses https://api.twilio.com/2010-04-01 as their starting point. WePay also uses release timestamps in the URL to differentiate between versions. Almost everyone does versioning one way or another, and if you want to play safe you just start with /v1/ yourself and go from there. The biggest advantage of choosing this approach is to be able to have a drastically different API in the next version. However, the important question to ask yourself is: "Will the API itself change drastically over time? Or will the resources and their representation change?" Strategies to change a non-versioned resource structure or operations on it are a bit more complex, and they usually involve offering a new URI to handle the new data, and deprecating the current one. As Stefan Tilkov points out, REST is so much more than just some URI patterns and GET, PUT, POST, DELETE. Choosing the best strategy is highly dependant on the problem at hand, and we all know stories of under- or over-engineered APIs.
When constructing our URIs, we should take care to not mix singular and plurals. So we will not expose /vehicles/{id} and /tax/{id} in the same application, we will prefer taxes in the second case. It is generally recommended to use plural forms instead of singulars.
As the URIs identify resources, it is considered good practice to keep only nouns in defining them, and avoid verbs. To describe the actions that are performed on the resource, the HTTP verbs should be used. For example, usage of /vehicles/create should in fact be a POST on /vehicles.
For more hands-on examples, I recommend the well-written White House API standards, which contain also handy examples to show what is considered "bad" and what is "good". There are also some good hints on REST API Tutorial, but I recommend caution when navigating the site because not all information there is adhering strictly to the RESTful we met at the beginning of this article.
Even more granular advices concern the naming conventions and case usage, both for URIs and for JSON structures. Just make sure you pick one type and adhere to it everywhere.
Let's setup the vehicle behaviour we want by defining functional tests for them. We are going to use Cest classes as they will later help us set up the tests better. They are simple classes that group the cept functionality in a more OOP manner, help us use methods to group certain things together.
So we are going to generate our cest first, using
$ vendor/bin/codecept generate:cest functional Vehicles
Test was created in /Users/g/Sites/learn/silex-tutorial/tests/functional/VehiclesCept.phpLet's go ahead and define how creation of a new vehicle record should look like. We are basically saying "if a POST request is executed against the /vehicles endpoint, with a name for the new item, we are going to create it and retrieve the full record, including its ID". This will enable us to perform later operations on the item by accessing /vehicles/ID.
wantTo('create a new vehicle');
$I->sendPOST('/vehicles', [
'name' => 'Pansy'
]);
// we mark scenario as not implemented
$scenario->incomplete('work in progress');
$I->seeResponseCodeIs(200);
$I->seeResponseIsJson();
$I->seeResponseJsonMatchesXpath('//id');
$I->seeResponseJsonMatchesXpath('//name');
$I->seeResponseMatchesJsonType([
'id' => 'integer',
'name' => 'string'
]);
$I->seeResponseContainsJson([
'id' => 123,
'name' => 'Pansy'
]);
}
}Please note that, for now, we mark the scenario as incomplete, to prevent execution of our assertions. We will remove this in the next part of our tutorial, where we will get to implement the actual functionality.
A commit containing more information about the other operations defined for vehicles and the assertions we make can be consulted on GitHub.
Running the functional tests indicates that we have indeed defined several tests which are skipped for now, here are the relevant bits for you to check:
$ vendor/bin/codecept run
Functional Tests (4) ----------------------------------------------------
Check the status route (StatusRouteCest::checkTheStatusRoute) Ok
Create a new vehicle (VehiclesCest::createItem) Incomplete
Retrieve current vehicles (VehiclesCest::retrieveItems) Incomplete
Modify an existing item (VehiclesCest::updateItem) Incomplete
-------------------------------------------------------------------------
Time: 372 ms, Memory: 12.00Mb
OK, but incomplete, skipped, or risky tests!
Tests: 4, Assertions: 1, Incomplete: 3.The remaining definition of use cases remains for the reader as an exercise.
We have learned what the REST architectural style is, learned the difference between resources and their representations, setup Codeception to help us define the user stories, learned how to design an API from a practical point of view, and saw what we need to be aware of to keep it consistent. In the next article we will refine the user stories and work on the implementation.
by Radu Murzea
by Delia Mircea
by Ovidiu Mățan
by Ovidiu Mățan
