Using the POST method of a REST API for read operations - json

In a restful API, POST should be used to create, and GET should be used to read.
Sometimes, for security reasons, you can't pass sensitive variables in the URI. For example, suppose you have an /accounts API that requires you to pass "accountNumber". If your security team won't let you put that in the URI, then you have to use the POST method instead of the GET method to service the "read" operation, and you can then provide the account number in the request body.
That brings me to my question: If you've used up the POST method to service a read operation, how do you service the "create" operation of the same API?
"/accounts/create" wouldn't be advised because your APIs should be nouns, not verbs. It doesn't seem right to use up a different HTTP method like PUT. This issue has to come up a lot, so I'm curious what people are doing to get around it.

If you're using POST for this, you are not building a RESTful service. The way I see this, you have 2 options:
Accept this, and build a more RPC-like system.
Change the ids in your application so that they are not a security risk. If knowing an id is a problem, consider using something else.
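One way to act on the second option, as an added example that is not from the post: keep the account number out of the URI entirely by issuing an opaque, random surrogate id per account, so the read stays a plain GET. The class and the in-memory dicts are assumptions standing in for a database table.

```python
import secrets

class AccountDirectory:
    """Maps sensitive account numbers to opaque, unguessable resource ids.

    The URI only ever carries the surrogate id, so GET /accounts/{opaque_id}
    can service the read without the account number appearing in logs,
    browser history or referers. The dicts stand in for a database table.
    """

    def __init__(self):
        self._by_opaque = {}   # opaque id -> account record
        self._by_number = {}   # account number -> opaque id (so an account keeps one id)

    def register(self, account_number, record):
        """Return the opaque id for an account, creating one on first use."""
        if account_number in self._by_number:
            return self._by_number[account_number]
        opaque_id = secrets.token_urlsafe(24)   # 192 bits of randomness, URL-safe
        self._by_opaque[opaque_id] = dict(record, account_number=account_number)
        self._by_number[account_number] = opaque_id
        return opaque_id

    def resource_path(self, account_number):
        """The URI a client would use; the account number never appears in it."""
        return f"/accounts/{self._by_number[account_number]}"

    def read(self, opaque_id):
        """Serve GET /accounts/{opaque_id}; unknown ids look like a missing resource."""
        record = self._by_opaque.get(opaque_id)
        if record is None:
            return 404, None
        return 200, record

# Constructed sample data (not real accounts).
directory = AccountDirectory()
SAMPLE_ID = directory.register("1234567890", {"owner": "A. Example", "balance": 42})
```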

Related

add auth without ssl for REST API

I set up a REST API based on this tutorial https://www.codeofaninja.com/2017/02/create-simple-rest-api-in-php.html
What I want to do is to provide some sort of security to it. For example, to access the ..../read.php address like this: .../read.php+{some long key}
The key should be stored on the server and on my side to ensure some kind of match. I know it's not the most secure method, but I plan to use this API for an Android app and don't want to complicate things as I'm fairly new to this.
Do you have any suggestions?

How to make basic REST API calls using a browser

I am trying to get started with REST API calls by seeing how to format the API calls using a browser. Most examples I have found online use SDKs or just return all fields for a request.
For example, I am trying to use the Soundcloud API to view track information.
To start, I've made a simple request in the browser as follows http://api.soundcloud.com/tracks/13158665.json?client_id=31a9f4a3314c219bd5c79393a8a569ec which returns a bunch of info about the track in JSON format
(e.g. {"kind":"track","id":13158665,"created_at":"2011/04/06 15:37:43 ...})
Is it possible to get only the "created_at" value returned using the browser? I apologize if this question is basic, but I don't know what keywords to search online. Links to basic guides would be nice, although I would prefer to stay out of using a specific SDK for the time being.
In fact, it's really hard to answer such a question since it depends on the Web API. I mean, if the API supports returning only a subset of fields, you could, but if not, you will receive all the content. From what I saw in the documentation, it's not possible. The filters only allow you to get a subset of elements and not control the list of returned fields within elements.
Notice that you have a great application to execute HTTP requests (and also REST) in Chrome: Postman. This allows you to execute all HTTP methods and not only GET ones, control the headers and sent content, and also see what is received back.
If you use Firefox, Firebug provides a similar thing.
To finish, you could have a look at this link to find out hints about the way Web APIs work and are designed: https://templth.wordpress.com/2014/12/15/designing-a-web-api/.
Hope it helps you and I answered your question,
Thierry
Straight from the browser bar you can utilize REST endpoints that respond to a GET message. That is what you are doing when you hit that URI, you are sending an HTTP GET message to that server and it is sending back a JSON.
You are not always guaranteed a JSON, or anything when hitting a known REST endpoint. What each endpoint returns when hit with a GET is specific to how it was built. In that case, it is built to return a JSON, but some may return an HTML page. In my personal experience, most endpoints that utilize JSON returns expect you to process that object in a computer fashion and don't give you a lot of options to get a specific field of the JSON. Here is a good link on how to process JSON utilizing JavaScript.
You can utilize REST clients (such as the Advanced REST Client for Chrome) to craft HTTP POST and PUT if a specific REST endpoint has the functionality built in to receive data and do something with it. For example, a lot of wiki style REST endpoints will allow you to create a page with a specifically crafted HTTP POST with either specific header information, URI parameters or a JSON as part of it.
You can install the DHC client app in your Chrome and send requests like PUT or GET.

Text Form Twitter API?

I'm making a Twitter account statistics program that reads tweets, retweet counts, and favorite counts. I could attempt to read the user's Twitter account URL line by line and parse the information from there, but I was wondering if there was a public API or part of Twitter that just spits out the raw data without formatting it all pretty for web browsers? Not only would this be more efficient in the program, but would also be much neater.
It seems as though API 1.1 uses JSON to fetch data, but I need to make a developer account and create unique identifiers in order to access such data. Is it worth it? Is there some sort of alternative that would be faster and easier?
All API calls to Twitter now require OAuth authentication, so there is unfortunately no way around signing up for a developer account and creating an app. It's not even possible to use a service that makes the requests on your behalf, as this is re-syndication which is forbidden by Twitter's API terms, so you need to make the calls yourself.

How to use Bloomberg JSON API as JSONP

To create a chart, I found that Bloomberg is providing data in JSON format. Please have a look at this URL: http://www.bloomberg.com/markets/chart/data/1Y/IBM:US This sends the data of the chart in JSON format. I want to get this data in an Ajax request, so that I can parse it and create a chart. But I can't use Ajax, as this is a cross-domain affair. I need to use JSONP. I am not sure how the Bloomberg API supports JSONP. If you know how we can use JSONP with the above URL, please let me know. If there is any alternative, please let me know.
You can't. JSONP requires that the server be on board with the transaction so that it can properly handle the callback injection. If the server isn't providing it, there's no way to force it unilaterally.
What you might be able to do, subject to your hosting provider's policies, is have your server-side script load the Bloomberg data, then pass it on from there, either printed in the initial page or as a JSON/JSONP call to your own server (which is probably a better idea, as it leaves you more flexibility to update the data on the fly and also allows the page's markup to be cached).
Note that some hosting providers do not allow outgoing requests because they don't want their servers to be used as proxies (which is, after all, basically what I'm suggesting you do). You may have an option to whitelist Bloomberg, or you may just need to keep outgoing traffic to a minimum (i.e. cache the Bloomberg data on your server so that you're not refreshing it every time someone loads your page). Check your hosting terms.
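The server-side relay the answer describes, as an added example that is not the answer's own code: it only fetches from the allowlisted Bloomberg chart path (prefix taken from the question's URL), so the script cannot be used as an open proxy, caches each result for a TTL so the upstream is not hit on every page load, and can wrap the cached JSON as JSONP for the page's own domain. The `fetch` callable is injected so the example runs offline; `fake_fetch` and its data are constructed.

```python
import json
import time
from urllib.parse import urlsplit

# Only this upstream prefix (taken from the question's URL) may be relayed.
ALLOWED_UPSTREAM = "http://www.bloomberg.com/markets/chart/data/"

class CachedRelay:
    """Server-side relay: allowlisted upstream, TTL cache, optional JSONP wrapper."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch          # callable(url) -> JSON text; injected so this runs offline
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}             # url -> (expires_at, body)
        self.upstream_calls = 0      # counts real upstream fetches (shows the cache working)

    def _allowed(self, url):
        want, got = urlsplit(ALLOWED_UPSTREAM), urlsplit(url)
        return (got.scheme == want.scheme and got.netloc == want.netloc
                and got.path.startswith(want.path) and ".." not in got.path)

    def get(self, url, callback=None):
        """Return (status, content_type, body) for the page's own Ajax or JSONP request."""
        if not self._allowed(url):
            return 403, "application/json", json.dumps({"error": "upstream not allowed"})
        now = self._clock()
        hit = self._cache.get(url)
        if hit is None or hit[0] <= now:
            self.upstream_calls += 1
            try:
                body = self._fetch(url)
                json.loads(body)     # refuse to cache anything that is not valid JSON
            except (OSError, ValueError):
                return 502, "application/json", json.dumps({"error": "upstream unavailable"})
            hit = (now + self._ttl, body)
            self._cache[url] = hit
        if callback is None:
            return 200, "application/json", hit[1]
        if not callback.isidentifier():   # a JSONP callback must be a plain function name
            return 400, "application/json", json.dumps({"error": "bad callback"})
        return 200, "application/javascript", f"{callback}({hit[1]});"

# Constructed stand-in for the upstream response (not real Bloomberg data).
def fake_fetch(url):
    return json.dumps({"data_values": [[1388534400000, 187.57], [1388620800000, 185.53]]})
```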

Block unwanted use of json API

I have a website where you can request data using ajax from our servers as json (only to be used on our site). Now I found that people have started using our requests to get data from our system. Is there a way to block users from using our public json API? Ideas that I have been thinking about are:
Some kind of checksum.
A session unique javascript value on the page that have to match server-side
Some kind of rolling password with 1000 different valid values.
All these are not 100% safe but make it harder to use our data. Any other ideas or solutions would be great.
(The requests that you can do are lookups and translations of zip codes, phone numbers, ssn and so on)
You could use the same API-key authentication method Google uses to limit access to its APIs.
Make it compulsory for every user to have a valid API key, to request data.
Generate API key and store it in your database, when a user requests one.
Link: Relevant Question
This way, you can monitor usage of your API, and impose usage limits on it.
As #c69 pointed out, you could also bind the API keys you generate to the API-user's domain. You can then check the Referer URL ($_SERVER['HTTP_REFERER'] in PHP), and reject the request if it is not being made from the API-user's domain.
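The server-side check this answer describes, and the "long key stored on the server" scheme from the "add auth without ssl for REST API" question above, as one added example that is neither poster's code: a per-user API key is issued, compared in constant time, bound to the user's domain through the Referer host, and counted against a usage limit. The `keys` dict and the `issue_key`/`authorize` names are assumptions standing in for the database table and the request handler.

```python
import hmac
import secrets
from urllib.parse import urlsplit

def issue_key(keys, allowed_domain):
    """Create a new API key for a user and bind it to their domain (stored in `keys`)."""
    api_key = secrets.token_hex(20)          # 160-bit random key, hex encoded
    keys[api_key] = {"domain": allowed_domain, "calls": 0}
    return api_key

def _key_record(keys, presented):
    # Constant-time comparison so a wrong key does not leak how much of it matched.
    # Scanning every key is fine for a small table; index by a hash of the key otherwise.
    for stored, record in keys.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return record
    return None

def authorize(keys, headers, query, daily_limit=1000):
    """Return (status, reason) for a request carrying ?api_key=... and a Referer header."""
    presented = query.get("api_key", "")
    record = _key_record(keys, presented) if presented else None
    if record is None:
        return 401, "missing or unknown api_key"
    # Bind the key to the domain it was issued for, as the answer suggests.
    # Exact host match: "shop.example.evil.test" must not pass for "shop.example".
    host = urlsplit(headers.get("Referer", "")).hostname or ""
    if host != record["domain"]:
        return 403, "key not valid for this referer"
    if record["calls"] >= daily_limit:
        return 429, "usage limit reached"
    record["calls"] += 1
    return 200, "ok"

# Constructed sample: one issued key for a (fictional) customer domain.
ISSUED = {}
DEMO_KEY = issue_key(ISSUED, "shop.example")
```

The Referer check raises the bar for casual reuse only, since the header is client-supplied; the answer's usage monitoring per key is what lets you spot and revoke abused keys.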