# **REST API With Python**

## What is REST API?
* The term REST stands for REpresentational State Transfer. It is an architectural style that defines a set of rules in order to create Web Services. In a client-server communication, REST suggests to create an object of the data requested by the client and send the values of the object in response to the user. For example, if the user is requesting for a movie in Bangalore at a certain place and time, then you can create an object on the server-side.

* So, over here, you have an object and you are sending the state of an object. This is why REST is known as Representational State Transfer.

* The architectural style of REST helps in leveraging the lesser use of bandwidth to make an application more suitable for the internet. It is often regarded as the “language of the internet” and is completely based on the resources.

* Now that you know what it is, let us move on and understand the need for REST API.  
![image-2.png](attachment:image-2.png)

## **Why use REST API?**
* Consider a scenario where you are using the Book My Show app. Now, obviously, this application needs a lot of Input data, as the data present in the application is never static. Either it is movies getting released on a frequent basis, or various cities showing different languages movies at various times of the day. It’s never static which implies the fact that data is always changing in these applications.

* Now, where do you think we get this data from?

* Well, this data is received from the Server or most commonly known as a Web-server. So, the client requests the server for the required information, via an API, and then, the server sends a response to the client.

* Over here, the response sent to the client is in the form of an HTML Web Page. But, do you think this is an apt response that you would expect when you send a request?

* Well, I am assuming the fact that you would say NO. Since,  you would prefer the data to be returned in the form of a structured format, rather than the complete Web page.

* So, for such reasons, the data returned by the server, in response to the request of the client is either in the format of **JSON or XML**. Both JSON and XML formats have a proper hierarchical structure of data.

* Now, this sounds quite simple, right?

* But, the only issue which is present in this framework until now is that you have to use a lot of methods to get the required information. To the fact, using these methods to retrieve information, becomes quite cumbersome when you require complex data.

* So, this is where REST API comes into the picture. The REST API creates an object, and thereafter sends the values of an object in response to the client. It breaks down a transaction in order to create small modules. Now, each of these modules is used to address a specific part of the transaction. This approach provides more flexibility but requires a lot of effort to be built from the very scratch.


* Moving ahead, let us take a look at the Principles of REST API.

## **Principles of REST API**

* Well, there are **six** ground principles laid down by Dr. Fielding who was the one to define the REST API design in 2000. Below are the six guiding principles of REST:

    * **Stateless**
        * The requests sent from a client to a server will contain all the required information to make the server understand the requests sent from the client. This can be either a part of URL,  query-string parameters, body, or even headers. The URL is used to uniquely identify the resource and the body holds the state of the requesting resource. Once the server processes the request, a response is sent to the client through body, status or headers

    * **Client-Server**
        * The client-server architecture enables a uniform interface and separates clients from the servers.  This enhances the portability across multiple platforms as well as the scalability of the server components.

    * **Uniform Interface**
        * To obtain the uniformity throughout the application, REST has the following four interface constraints:

    * * **Resource identification**
        * Resource Manipulation using representations
        * Self-descriptive messages
        * Hypermedia as the engine of application state
    * **Cacheable**
        * In order to provide a better performance, the applications are often made cacheable. This is done by labeling the response from the server as cacheable or non-cacheable either implicitly or explicitly. If the response is defined as cacheable, then the client cache can reuse the response data for equivalent responses in the future.

    * **Layered system**
        * The layered system architecture allows an application to be more stable by limiting component behavior.  This type of architecture helps in enhancing the application’s security as components in each layer cannot interact beyond the next immediate layer they are in. Also, it enables load balancing and provides shared caches for promoting scalability. To learn more, check out this Full Stack developer course today.

    * **Code on demand**

        * This is an optional constraint and is used the least. It permits a clients code or applets to be downloaded and to be used within the application. In essence, it simplifies the clients by creating a smart application which doesn’t rely on its own code structure.

* Now, that you know the principles behind REST API, next let’s look into the Methods of REST API.

## **Methods of REST API**
* All of us working with the technology of the web, do CRUD operations. When I say **CRUD operations**, I mean that we create a resource, read a resource, update a resource and delete a resource. 
* Now, to do these actions, you can actually use the HTTP methods, which are nothing but the REST API Methods. 
* Refer below.
![image.png](attachment:image.png)

## **API Status Codes**
* Status codes are returned with every request that is made to a web server. Status codes indicate information about what happened with a request. 
* Here are some codes that are relevant to **GET** requests:

    * **200**: Everything went okay, and the result has been returned (if any).
    * **301**: The server is redirecting you to a different endpoint. This can happen when a company switches domain names, or an endpoint name is changed.
    * **400**: The server thinks you made a bad request. This can happen when you don’t send along the right data, among other things.
    * **401**: The server thinks you’re not authenticated. Many APIs require login ccredentials, so this happens when you don’t send the right credentials to access an API.
    * **403**: The resource you’re trying to access is forbidden: you don’t have the right perlessons to see it.
    * **404**: The resource you tried to access wasn’t found on the server.
    * **503**: The server is not ready to handle the request.
* You might notice that all of the status codes that begin with a **‘4’** indicate some sort of error. The first number of status codes indicate their categorization. This is useful — you can know that if your status code starts with a **‘2’** it was successful and if it starts with a ‘4’ or ‘5’ there was an error. If you’re interested you can read more about status codes here.

## **4 Most Used REST API Authentication Methods**
*  While there are as many proprietary authentication methods as there are systems which utilize them, they are largely variations of a few major approaches.

### **Authentication vs Authorization**
* Before I dive into this, let's define what authentication actually is, and more importantly, what it’s not. As much as authentication drives the modern internet, the topic is often conflated with a closely related term: authorization.

* The two functions are often tied together in single solutions, but the easiest way to divide authorization and authentication is to ask: what do they actually state or prove about me?

* **Authentication** is when an entity proves an identity. In other words, **Authentication** proves that you are who you say you are. This is like having a driver license which is given by a trusted authority that the requester, such as a police officer, can use as evidence that suggests you are in fact who you say you are.

* **Authorization** is an entirely different concept and in simple terms, Authorization is when an entity proves a right to access. In other words, Authorization proves you have the right to make a request. Consider the following - You have a working key card that allows you to open only some doors in the work area, but not all of them.

* **Authentication:** Refers to proving correct identity
* **Authorization:** Refers to allowing a certain action

* An API might authenticate you but not authorize you to make a certain request.
![image-3.png](attachment:image-3.png)

**1. HTTP Authentication Schemes (Basic & Bearer)**
* The HTTP Protocol also defines HTTP security auth schemes like:

    * Basic
    * Bearer
    * Digest
    * OAuth
    * and others...
* We will go over the two most popular used today when discussing REST API.

    * **Basic Authentication**
        * HTTP Basic Authentication is rarely recommended due to its inherent security vulnerabilities.

        * This is the most straightforward method and the easiest. With this method, the sender places a username:password into the request header. The username and password are encoded with Base64, which is an encoding technique that converts the username and password into a set of 64 characters to ensure safe transmission.

        * This method does not require **cookies, session IDs, login pages, and other such specialty solutions**, and because it uses the HTTP header itself, there’s no need to handshakes or other complex response systems.
        
     * **Bearer Authentication**
        * Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens.

        * The name **“Bearer authentication”** can be understood as “give access to the bearer of this token.” The bearer token allowing access to a certain resource or URL and most likely is a cryptic string, usually generated by the server in response to a login request.
        * The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC-6750 but is sometimes also used on its own.

        * Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
**2. API Keys**
* In REST API Security - API keys are widely used in the industry and became some sort of standard, however, this method should not be considered a good security measure.

* API Keys were created as somewhat of a fix to the early authentication issues of HTTP Basic Authentication and other such systems. In this method, a unique generated value is assigned to each first time user, signifying that the user is known. When the user attempts to re-enter the system, their unique key (sometimes generated from their hardware combination and IP data, and other times randomly generated by the server which knows them) is used to prove that they’re the same user as before.
![image-4.png](attachment:image-4.png)

* Many API keys are sent in the query string as part of the URL, which makes it easier to discover for someone who should not have access to it. Please do not put any API keys or sensitive information in query string parameters! A better option is to put the API key in the Authorization header. In fact, that’s the proposed standard: Authorization: Apikey 1234567890abcdef.

* Yet, in practice API keys show up in all sorts of places:

    * Authorization Header
    * Basic Auth
    * Body Data
    * Custom Header
    * Query String
* There are definitely some valid reasons for using API Keys. 
* First and foremost, API Keys are simple. The use of a single identifier is simple, and for some use cases, the best solution. For instance, if an API is limited specifically in functionality where “read” is the only possible command, an API Key can be an adequate solution. Without the need to edit, modify, or delete, security is a lower concern.

* The problem, however, is that anyone who makes a request to a service, transmits their key and in theory, this key can be picked up just as easy as any network transmission, and if any point in the entire network is insecure, the entire network is exposed.

* If you are dealing with Authentication in REST APIs, please consider doing Security Testing, in order to check the common vulnerabilities.

**3. OAuth (2.0)**
* The previous versions of this spec, OAuth 1.0 and 1.0a, were much more complicated than OAuth 2.0. The biggest change in the latest version is that it’s no longer required to sign each call with a keyed hash. 
* The most common implementations of OAuth use one or both of these tokens instead:

    * **access token:** sent like an API key, it allows the application to access a user’s data; optionally, access tokens can expire.
    * **refresh token:** optionally part of an OAuth flow, refresh tokens retrieve a new access token if they have expired.  
    
* OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.
* OAuth 2.0 is the best choice for identifying personal user accounts and granting proper permissions. In this method, the user logs into a system. That system will then request authentication, usually in the form of a token. 
* The user will then forward this request to an authentication server, which will either reject or allow this authentication. 
* From here, the token is provided to the user, and then to the requester. Such a token can then be checked at any time independently of the user by the requester for validation and can be used over time with strictly limited scope and age of validity.

* **OAuth 2.0 Popular Flows**
* The flows (also called grant types) are scenarios an API client performs to get an access token from the authorization server.

* OAuth 2.0 provides several popular flows suitable for different types of API clients:
    * **Authorization code –** The most common flow, mostly used for server-side and mobile web applications. This flow is similar to how users sign up into a web application using their Facebook or Google account.
    * **Implicit –** This flow requires the client to retrieve an access token directly. It is useful in cases when the user’s credentials cannot be stored in the client code because they can be easily accessed by the third party. It is suitable for web, desktop, and mobile applications that do not include any server component.
    * **Resource owner password –** Requires logging in with a username and password. Since in that case, the credentials will be a part of the request, this flow is suitable only for trusted clients (for example, official applications released by the API provider).
    * **Client Credentials –** Intended for the server-to-server authentication, this flow describes an approach when the client application acts on its own behalf rather than on behalf of any individual user. In most scenarios, this flow provides the means to allow users to specify their credentials in the client application, so it can access the resources under the client’s control.