Posts Tagged ‘REST’

RESTful confusion

Tuesday, April 1st, 2008

REST confuses me. I’m trying to come up with a consistent, elegant RESTful interface to a web appplication, and I just can’t understand how I’m supposed to do it while maintaining “correct” RESTful design.

I see the advantages of using REST over, say, XML-RPC. I want to use it. But I’ve got serious questions and I can’t find any answers.

At the front of my list of questions is the biggest, most basic problem – that of credentials. How the hell do you send credentials as part of a REST request?

From wikipedia:

HTTP separates the notions of a web server and a web browser. This allows the implementation of each to vary from the other based on the client-server principle. When used RESTfully, HTTP is stateless. Each message contains all the information necessary to understand the request when combined with state at the resource. As a result, neither the client nor the server needs to remember any communication state between messages. Any state retained by the server must be modeled as a resource.

REST is supposed to be completely stateless. I understand that. That means no “sessions” or login keys or cookies for the client to remember and reuse. That also means the credentials must be sent with every request if I’m understanding it right.

So where are the credentials supposed to be? In the URL? Or in the form body (assuming a POST request)? If so, what about a GET request, which doesn’t have form body? And am I to assume that all REST requests requiring credentials are supposed to go over TLS? Why do none of the examples I see have any of this in them?

Since the whole point of using this is to standardise, are there standard form names (eg for username/password) we’re supposed to use? I have never seen what I consider to be a “canonical” example of this. In fact I have never seen a RESTful system using credentials of any kind which matches the first basic rule of what “is not REST” according to the RestWiki:

What is not REST?
- Stateful systems

Any system where you do not need to send the credentials more than once is stateful by definition.

Assume that we’re going to cheat a little and implement, say, a stateful session so we don’t have to log on every single time. Should the session token go in the URL? It has to, if it’s a GET and it usually will be. Or should we be faking out cookies? Again – if the session token is in the URL (a “secret” URL) that will need to be over TLS or anyone will be able to sniff it. But how else can you do sessions over HTTP GET without cookies? HTTP BASIC AUTH?

Confused yet? Me too. Has anyone ever actually implemented a pure RESTful system in an application that requires authentication?

Tags:
Posted in development, programming | 1 Comment »

Make shadow.rb serve unicode

Sunday, December 2nd, 2007

Shadow is an awesome little project that gives you a tiny, zero-config REST server for your database. Just pure GET PUT POST DELETE, nothing more, nothing less. Uses mongrel for the net and AR for the db – you’ll need to point it at your database.yml.

But it didn’t do UTF8 out of the box, so let’s change that:

1
2
3
4
5
6
7
8
9
10

$ diff shadow-old.rb shadow.rb
5a6
> require 'Ya2YAML'
12a14
>     $KCODE='u'
42c44
<       out.write obj.to_yaml
---
>       out.write obj.ya2yaml
$

できた!

I really love this kind of thing. Rails is becoming a MONSTER and is a bitch to force to play with anything else on your server(s). I think we’ll see a lot more of this kind of thing – a breaking-out of small pieces of very nice Rails functionality, into a way that makes them play nicer in a team.

Tags: , ,
Posted in development, rails | No Comments »