## GROUP 4

## - i. Explain the core principles of RESTful API design, including client-server architecture, statelessness, and the uniform interface.

# RESTful API Design Principles

## Introduction to RESTful API

RESTful web services are web services that follow the REST architectural style, which defines a set of rules for creating web services. 

**REpresentational State Transfer (REST)** is an architectural style that defines a set of constraints to be used for creating web services. It enables easy and flexible access to web services without excessive processing. REST APIs use only HTTP (Hypertext Transfer Protocol) requests for communication.

### How REST Works
- A request is sent from the client to the server in the form of a web URL using HTTP methods like `GET`, `POST`, `PUT`, or `DELETE`.
- The server processes the request and sends a response back in the form of a resource. The resource can be in different formats such as HTML, XML, Image, or JSON. However, JSON is the most commonly used format in modern web services.

### Basic Concept
- A **client** sends requests for the resources.
- A **server** contains and provides access to the resources.

## Core Principles of RESTful API Design

### 1. Uniform Interface
A uniform way of interacting with a given server should be maintained, regardless of the device or application type (e.g., website, mobile app).

#### Principles of a Uniform Interface:
- **Resource-Based:** Individual resources are identified in requests. Example: `/API/users`
- **Manipulation of Resources Through Representations:** Clients receive resource representations containing enough information to modify or delete them, provided they have permission. Example: A user retrieves a list of users and uses an ID to delete or modify a specific user.
- **Self-descriptive Messages:** Each message includes enough information for the server to process it without additional context.
- **Hypermedia as the Engine of Application State (HATEOAS):** API responses should include links to help clients discover related resources easily.

### 2. Stateless
Each request from a client must contain all the necessary information for the server to process it. The server does not store session data or client state between requests. This ensures:
- Scalability
- Reliability
- No need for session tracking on the server

### 3. Client-Server Architecture
A REST application should follow a **client-server** architecture:
- The **client** is responsible for requesting resources and is not concerned with data storage.
- The **server** holds the resources and is not concerned with the user interface or user state.
- The client and server can evolve independently, making development more flexible.

The separation ensures that:
- The client does not need to know anything about business logic.
- The server does not need to know anything about the frontend UI.


- ## ii)Describe how to use HTTP methods appropriately for different API operations. 
# HTTP Methods and API Requests

HTTP methods are critical components of requests to REST APIs, as they enable clients the action they would like to perform on a given resource.

One cannot send a request to a REST API without an HTTP method.

HTTP methods are used in association with endpoints. Some of them use request bodies.

HTTP methods enable API clients to perform CRUD (Create, Read, Update & Delete) actions on API resources in a standardized & predictable way.

## Common API Methods

### GET
- Allows API clients to access a resource on a server (Retrieve data).
- Used in association with an endpoint to usually access a specific resource/resource.

**Example:**  
`/products` : Return all products in the database of an API (e-commerce).

### POST
- Used to create new resources (Add new resources).
- For example, if an e-commerce store wanted to add a new product to a database, they would send a `POST` request to the product endpoint.
- `POST` requests usually include a request body where the client specifies the attributes of the resource to be created.

**Example:**  
A `POST` request to `/products` might have a request body:

```json
{
    "name": "Sneakers",
    "color": "Blue",
    "price": 59.95,
    "currency": "USD"
}
```

---

### PUT
- Used to replace an existing resource with an updated version.  
  (Acts like updating in a database).
- If there is a product located at the `/product/123` endpoint, it is wholly replaced with data in the request body.
- Properties or fields not included in the request body are deleted. (No new fields are added).

---

### PATCH
- Used to update an existing resource.
- Similar to `PUT`.
- Compared to `PUT`, `PATCH` allows clients to update specific properties on a resource without overwriting the others.
- More flexible & efficient compared to `PUT`.
- Can be able to update a resource without affecting others.

**Example:**  
If you have a product resource with fields for `name`, `price`, one could use `PATCH` method to send a request that only includes the new value for the `price` field.

---

### DELETE
- Used to remove data from a database.
- A `DELETE` request removes a resource at a specified URL.

**Example:**  
A `DELETE` request to the `/products/123` endpoint will permanently remove the product with an ID of 123 from the database.

- API can also authorize certain permissions to allow clients to delete resources.


## - iii) Demonstrate how to design resource URIs that are clear, consistent, and easy to understand.
# Uniform Resource Identifiers (URIs)

## Introduction
URIs play a significant role in identifying and routing resources. They are used to address API-exposed resources. When resources have proper names in the URI, an API becomes natural and simple to use. If not implemented correctly, the same API can be difficult to operate and understand.

A **resource** is the information that is manipulated or accessed using URIs. Examples include:
- Events
- Products
- Orders
- Articles
- Customers

## Key Principles for Writing URIs

### 1. Use Nouns to Represent Resources
RESTful URIs should refer to a **resource** (noun) rather than an **action** (verb) because:
- Nouns have properties that verbs do not.
- Resources have attributes.

#### Example:
- **Teacher** (Attributes: name, ID, age, qualifications, etc.)
- **Apple** (Attributes: color, taste, expiry date, etc.)

### 2. Consistency is Key
Maintaining consistency in URI naming conventions and formatting helps improve readability and maintainability.
- **Use forward slashes (`/`)** to indicate hierarchical relationships.
- **Do not use trailing forward slashes (`/`)** at the end of URIs.
- **Use hyphens (`-`)** to improve readability in long-path segments.
- **Use lowercase letters** for URI paths.

### 3. Do Not Use File Extensions
File extensions in URIs do not provide any advantage and should be avoided.

### 4. Avoid Using Verbs in URIs
REST URIs should use **nouns** to represent resources, while HTTP methods (`GET`, `POST`, `PUT`, `DELETE`, etc.) perform actions on those resources.

#### When an Action is Necessary
If an action does not naturally apply to a resource, create a custom URI that represents a noun/resource and perform the action on it.

### 5. Never Use CRUD Function Names in URIs
URIs should **only identify resources**, not define actions. HTTP methods should be used to indicate CRUD operations.

#### Correct Approach:
- `GET /products` → Retrieve products
- `POST /products` → Create a product
- `PUT /products/{id}` → Update a product
- `DELETE /products/{id}` → Delete a product

## Reference
[What is REST? - Ekanayaka Salitha](https://ekanayakasalitha.medium.com/what-is-rest-891dadf5c1c9)


## - iv)Explain how to use HTTP status codes to communicate the outcome of API requests.
# Using HTTP Status Codes to Communicate API Outcomes

## Introduction
HTTP status codes are essential in RESTful APIs to communicate the outcome of client requests. They help developers understand whether an API request was successful, encountered an error, or requires further action. This guide provides structured explanations, JavaScript examples, real-world use cases, and references.

## 1. Categories of HTTP Status Codes
HTTP status codes fall into five main categories:

1. **1xx (Informational)** – Request received and processing continues.
2. **2xx (Success)** – The request was successfully received, understood, and accepted.
3. **3xx (Redirection)** – Further action is needed to complete the request.
4. **4xx (Client Errors)** – The request contains incorrect syntax or cannot be fulfilled.
5. **5xx (Server Errors)** – The server failed to fulfill a valid request.

## 2. Common HTTP Status Codes and JavaScript Examples

### (A) 200 OK – Successful Response
**Indicates that the request was successful.**
- **Real-World Use Case:** Fetching user data from an API successfully.

### (B) 201 Created – Resource Successfully Created
**Used when a new resource is created on the server.**
- **Real-World Use Case:** A new user signing up successfully.



### (C) 400 Bad Request – Client Error
**Indicates an issue with the request (e.g., missing required fields).**
- **Real-World Use Case:** Prevents invalid data from being processed.




### (D) 401 Unauthorized – Authentication Required
**Indicates the client needs to authenticate before accessing a resource.**
- **Real-World Use Case:** API requiring user login.


### (E) 403 Forbidden – Access Denied
**Indicates the client does not have permission to access the resource.**
- **Real-World Use Case:** Restricts non-admin users from accessing admin-only resources.

### (F) 404 Not Found – Resource Not Found
**Indicates that the requested resource does not exist.**
- **Real-World Use Case:** Handling missing pages or user profiles that don’t exist.

### (G) 500 Internal Server Error – Server Issue
**Indicates an unexpected server-side error.**
- **Real-World Use Case:** Helps debug server failures without exposing sensitive details.

## 3. How HTTP Status Codes Solve Web Development Problems

| Problem | Solution with Status Code |
|---------|---------------------------|
| API consumers need confirmation of successful requests | Use **200 OK** and **201 Created** |
| API requests with incorrect data should be rejected | Use **400 Bad Request** |
| Unauthorized users should be restricted | Use **401 Unauthorized** and **403 Forbidden** |
| Missing resources should return a clear error | Use **404 Not Found** |
| Server issues should not expose sensitive information | Use **500 Internal Server Error** |

## 4. Reliable Sources for HTTP Status Codes
1. [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)
2. [REST API Design Guidelines](https://restfulapi.net/http-status-codes/)
3. [IETF RFC 2616 (HTTP 1.1 Specification)](https://www.ietf.org/rfc/rfc2616.txt)

## Conclusion
Using the correct HTTP status codes improves API usability, debugging, and error handling. It enhances user experience, prevents unexpected behavior, and ensures API consumers can handle responses appropriately.


## - v). Discuss API security considerations, such as authentication, 
authorization, and data validation. 
# API Security Considerations

## Authentication
Authentication verifies the identity of the user making the request, ensuring that the entity is who it claims to be. 

### Common Authentication Methods
- **Token-based authentication**: Issues a token (e.g., JWT - JSON Web Token) upon successful login, which is sent with subsequent requests.
- **API keys**: A unique identifier sent with each request to authenticate the client.
- **OAuth 2.0**: A protocol that allows third-party applications to access user data without exposing credentials.

## Authorization
Authorization determines what actions the authenticated user is allowed to perform, defining access control rules, roles, and permissions.

### Authorization Mechanisms
- **Role-Based Access Control (RBAC)**: Assigns users to roles with predefined permissions to access specific API resources.
- **Attribute-Based Access Control (ABAC)**: Provides more granular control based on user attributes like location, time, or device.
- **Claims-Based Access Control**: Verifies specific claims within a token to determine access levels.

## Data Validation
Ensuring the data being sent to the API is valid and safe from malicious input is critical to protecting sensitive information and preventing unauthorized access.

### Key Data Validation Techniques
- **Input Validation**: Checks all incoming data for expected formats, data types, and length to prevent attacks like SQL injection and Cross-Site Scripting (XSS).
- **Sanitization**: Removes potentially harmful characters or formatting from user input.
- **Data Masking**: Hides sensitive information within data fields before transmission.

## Best Practices for API Security
- Implement a sound and scalable authentication and authorization model.
- Use verified industry standards like OAuth 2.0 and OpenID Connect.
- Enforce strong password policies (uppercase/lowercase letters, numbers, and symbols).
- Validate and sanitize all input received from clients to prevent vulnerabilities like injection attacks.
- Use allow list-based validation to define strict input formats for endpoints.

## References
- [API Security - F5](https://www.f5.com/glossary/api-security)
- [Next.js Authentication Guide](https://nextjs.org/docs/pages/building-your-application/authentication)
- [RESTful API Principles - GeeksforGeeks](https://www.geeksforgeeks.org/rest-api-introduction/)
