Chapter 7. Improving RESTful Web Services
In the previous chapter, we created RESTful web services in Lumen, and we identified some missing elements or improvements required. In this chapter, we will work on improving that and completing some missing elements. We will improve certain elements with respect to fulfilling loopholes and code quality.
We will cover the following topics in this chapter to improve our RESTful web service:
- Dingo, simplifying RESTful API development:
- Installing and configuring Dingo API package
- Simplifying routes
- API versioning
- Rate limiting
- Internal requests
- Authentication and middleware
- Transformers
- Need of encryption:
- Summary
Dingo, simplifying RESTful API development
Yes, you heard it right. I didn't say bingo. It's Dingo. Actually, API is a package for Laravel and Lumen that makes it a lot simpler to develop RESTful web services. It provides many features out of the box and many are what we saw in the previous chapter. Many of these features will make our existing code better and easier to understand and maintain. You can check out the API package at https://github.com/dingo/api.
Let's first install it, and we will keep looking at its benefits and features side by side while using them.
Installation and configuration
Simply it through composer:
composer require dingo/api:1.0.x@dev
Probably, you are wondering what this @dev
is. So, here is what the documentation says:
At this time, the package is still in a developmental stage and as such, does not have a stable release. You may need to set your minimum stability to dev.
If you are still not sure about why we need to set minimum stability, then it is because of...
Authentication and middleware
We have already discussed several that for a RESTful web service, a session is maintained through an authentication token stored on the client side. So, the server can look for the authentication token and can find that user's session stored on the server.
There are several ways to a token. In our case, we will use JWT (JSON Web Tokens). As told on jwt.io
:
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
We will not go into complete detail about JWT as JWT is a way to transfer information between two parties (in our case, client and server) as JWT can be used for many purposes. Instead, we will use it for access/authentication tokens to maintain stateless sessions. So, we will stick with what we need from JWT. We need it for maintaining sessions for authentication purposes, and this is something the Dingo API package will also help us with.
In fact, Dingo API supports three authentication providers...
In full-stack MVC framework, we have Model View Controller. In Lumen or in API, we don't have Views because we just return some data. However, we may want to data in a different way than usual. We may want to use a different format, or we may want to restrict an object with a specific format. In all such cases, we need a place where formatting-related tasks will be done, a place where we can have different format-related content. We can have it in controller. However, we will need to define the same format at different places. In that case, we can add a method in model. For example, post model can have a specific way to format a post object. So, we can define another method in Post Model.
It will work fine, but if you look at it closely, it is related to formatting, not model. So, we have another layer called serializes or transformers. Also, sometimes, we need nested objects, so we will not want to do the same nesting again and again.
Lumen provides a way to serialize data to...
The next thing that we are missing is of communication between client and server so that nobody can sniff and read data over the network. For this purpose, we will use SSL (Secure Socket Layer). As this book is not about encryption or cryptography or server setup, we will not go into the details of these concepts, but it is important that we talk about encryption here. If someone is to sniff data over the network, then our website or web service is not secure.
In order to secure our web service, we will use HTTPS instead of HTTP. The "S" in HTTPS stands for Secure. Now, the question is how we can make it secure. Probably, you would say that we will use SSL as we said earlier. So what is SSL? SSL is Secure Socket Layer, a standard way to secure communication between server and browser. SSL refers to a security protocol. Actually SSL protocol had three versions, and they were insecure against some attacks. So we actually use is TLS (Transport Layer Security). However, we still...
In this chapter, we discussed what we were missing in the previous chapter where we implemented RESTful web service endpoints in Lumen. We discussed throttling (Request Rate Limiting) to prevent DoS or brute force. We also implemented token-based authentication using some packages. Note that we only secured endpoints here, which we didn't want to leave accessible without user login. If there are other endpoints that you don't want to have public access to but they don't need users to log in, then you can use either some sort of key or basic authentication on those endpoints.
Other than that, we discussed and used transformers that are a sort of view layer for web services. Then, we briefly discussed encryption and SSL importance and then discussed the available options for SSL certificates.
In this chapter, I will not give you a list or URLs for more resources because we discussed a lot of different things in this chapter, so we were not able to go into the details of each and every...