# Quickstart

https://www.django-rest-framework.org/tutorial/quickstart/

## Project setup
- startproject is run with a . after the project name to put the app in the project directory, but it helps avoid clashes with external module's namespaces

## Serializers
`HyperlinkedModelSerializer` used instead of primary key and various other relationships - hyperlinking is good RESTful design

## Views
We group common behavior into classes called `ViewSets`.  These can be very concise and organized.

## URLs
When using viewsets, we can generate the URL conf for our API by registering viewsets with a router class in `urls.py`
- if we need more control over API URLs we can use class-based views and explicitely write URL conf
- default login and logout views are added for browsable API

## Pagination
Determines how many objects per page are returned.  Edit `settings.py`.

# API access
Run the server, then 
`curl -H 'Accept: application/json; indent=4' -u admin:password123 http://127.0.0.1:8000/users/`
or with HTTPie
`http -a admin:password123 http://127.0.0.1:8000/users/`
or point the browser to
http://127.0.0.1:8000/users/

# In-depth Tutorial
https://www.django-rest-framework.org/tutorial/1-serialization/

The tutorial walks through setting up the snippets app, and creating a model for it.

## Creating a Serializer class
We can serialize data into `json` by declaring serializers in a way similar to Django's forms

### snippets/serializers.py

In [None]:
from rest_framework import serializers
from snippets.models import Snippet, LANGUAGE_CHOICES, STYLE_CHOICES


class SnippetSerializer(serializers.Serializer):
    id = serializers.IntegerField(read_only=True)
    title = serializers.CharField(required=False, allow_blank=True, max_length=100)
    code = serializers.CharField(style={'base_template': 'textarea.html'})
    linenos = serializers.BooleanField(required=False)
    language = serializers.ChoiceField(choices=LANGUAGE_CHOICES, default='python')
    style = serializers.ChoiceField(choices=STYLE_CHOICES, default='friendly')

    def create(self, validated_data):
        """
        Create and return a new `Snippet` instance, given the validated data.
        """
        return Snippet.objects.create(**validated_data)

    def update(self, instance, validated_data):
        """
        Update and return an existing `Snippet` instance, given the validated data.
        """
        instance.title = validated_data.get('title', instance.title)
        instance.code = validated_data.get('code', instance.code)
        instance.linenos = validated_data.get('linenos', instance.linenos)
        instance.language = validated_data.get('language', instance.language)
        instance.style = validated_data.get('style', instance.style)
        instance.save()
        return instance

### Serializing

Now that we have this set up, run `python manage.py shell` from the terminal.  Once inside:

In [None]:
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer
from rest_framework.renderers import JSONRenderer
from rest_framework.parsers import JSONParser

# we'll add some data to play with
snippet = Snippet(code='foo = "bar"\n')
snippet.save()

snippet = Snippet(code='print("hello, world")\n')
snippet.save()

In [None]:
# now we can see what the serialized output is
# this will be Python native datatypes
serializer = SnippetSerializer(snippet)
serializer.data

In [None]:
# render to json
content = JSONRenderer().render(serializer.data)
content

### Deserialization

In [None]:
import io

# parse a stream into Python native datatypes
stream = io.BytesIO(content)
data = JSONParser().parse(stream)

In [None]:
# restore native datatypes to object instance
serializer = SnippetSerializer(data=data)
serializer.is_valid()
# True
serializer.validated_data
# OrderedDict([('title', ''), ('code', 'print("hello, world")\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')])
serializer.save()
# <Snippet: Snippet object>

### Serializing querysets
Add `many=True` to serializer arguments

In [None]:
serializer = SnippetSerializer(Snippet.objects.all(), many=True)
serializer.data
# [OrderedDict([('id', 1), ('title', ''), ('code', 'foo = "bar"\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')]), OrderedDict([('id', 2), ('title', ''), ('code', 'print("hello, world")\n'), ('linenos', False), ('language', 'python'), ('style', 'friendly')]), OrderedDict([('id', 3), ('title', ''), ('code', 'print("hello, world")'), ('linenos', False), ('language', 'python'), ('style', 'friendly')])]

### ModelSerializers
`SnippetSerializer` and the `Snippet` model are a little redundant.  REST provides `Serializer` and `ModelSerializer` classes.  We can rewrite `snippets/serializers` by replacing `SnippetsSerializer`

In [None]:
class SnippetSerializer(serializers.ModelSerializer):
    class Meta:
        model = Snippet
        fields = ['id', 'title', 'code', 'linenos', 'language', 'style']

`ModelSerializer` classes are a shortcut for creating serializer classes:
- automatically determined set of fields
- simple `create()` and `update()` methods are implemented for you

## Writing views using Serializer
First we'll write views as regular Django views in `snippets/views.py`

In [None]:
from django.http import HttpResponse, JsonResponse
from django.views.decorators.csrf import csrf_exempt
from rest_framework.parsers import JSONParser
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer

Will have a view that supports listing all the existing snippets or creating a new snippet

In [None]:
@csrf_exempt
def snippet_list(request):
    """
    List all code snippets, or create a new snippet.
    """
    if request.method == 'GET':
        snippets = Snippet.objects.all()
        serializer = SnippetSerializer(snippets, many=True)
        return JsonResponse(serializer.data, safe=False)

    elif request.method == 'POST':
        data = JSONParser().parse(request)
        serializer = SnippetSerializer(data=data)
        if serializer.is_valid():
            serializer.save()
            return JsonResponse(serializer.data, status=201)
        return JsonResponse(serializer.errors, status=400)

The view is marked as `csrf_exempt` to make things easier for now - we wouldn't do with REST framework views.  For viewing an individual snippet:

In [None]:
@csrf_exempt
def snippet_detail(request, pk):
    """
    Retrieve, update or delete a code snippet.
    """
    try:
        snippet = Snippet.objects.get(pk=pk)
    except Snippet.DoesNotExist:
        return HttpResponse(status=404)

    if request.method == 'GET':
        serializer = SnippetSerializer(snippet)
        return JsonResponse(serializer.data)

    elif request.method == 'PUT':
        data = JSONParser().parse(request)
        serializer = SnippetSerializer(snippet, data=data)
        if serializer.is_valid():
            serializer.save()
            return JsonResponse(serializer.data)
        return JsonResponse(serializer.errors, status=400)

    elif request.method == 'DELETE':
        snippet.delete()
        return HttpResponse(status=204)

 Create `snippets/urls.py` and wire the views

In [None]:
from django.urls import path
from snippets import views

urlpatterns = [
    path('snippets/', views.snippet_list),
    path('snippets/<int:pk>/', views.snippet_detail),
]

Edit `tutorial/urls.py`

In [None]:
from django.urls import path, include

urlpatterns = [
    path('', include('snippets.urls')),
]

# Testing
Run `python manage.py runserver`.  In another terminal, install `httpie` with pip.  
- Run `http http://127.0.0.1:8000/snippets/`
- Run `http http://127.0.0.1:8000/snippets/2/` to reference by id
- `json` can be viewed by going through the browser:
    - http://127.0.0.1:8000/snippets/
    - http://127.0.0.1:8000/snippets/2/

# Requests and Responses
## Request objects
`Request` objects extend `HttpRequest` to give us more parsing options.

`request.data` can be used for `POST`, `PUT`, and `PATCH` methods
## Response objects
`Response` objects come from `TemplateResponse`, and uses content negotiation to return correct content type data.
## Status codes
REST framework gives more explicit identifiers for status codes like `HTTP_400_BAD_REQUEST` using the `status` module
## Wrapping API views
1. `@api_view` decorator for function-based views
1. `APIView` class for working with class-based views

Both:
- Make sure you receive `Request` instances in your view
- Add context to `Response` objects 
- Detailed responses
- Handle `ParseError` exceptions if `request.data` is accessed with flawed input

## Refactoring request objects
Replace django imports with rest_framework imports, make use of request objects to make code more concise in `snippets/views.py`.  It's very similar to working with normal Django views.

In [None]:
from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework.response import Response
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer


@api_view(['GET', 'POST'])
def snippet_list(request):
    """
    List all code snippets, or create a new snippet.
    """
    if request.method == 'GET':
        snippets = Snippet.objects.all()
        serializer = SnippetSerializer(snippets, many=True)
        return Response(serializer.data)

    elif request.method == 'POST':
        serializer = SnippetSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

In [None]:
@api_view(['GET', 'PUT', 'DELETE'])
def snippet_detail(request, pk):
    """
    Retrieve, update or delete a code snippet.
    """
    try:
        snippet = Snippet.objects.get(pk=pk)
    except Snippet.DoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    if request.method == 'GET':
        serializer = SnippetSerializer(snippet)
        return Response(serializer.data)

    elif request.method == 'PUT':
        serializer = SnippetSerializer(snippet, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    elif request.method == 'DELETE':
        snippet.delete()
        return Response(status=status.HTTP_204_NO_CONTENT)

## Optional format suffixes
If our responses are no longer hardwired to a single content type, we can add support for format suffixes to our API endpoints.  This will make the URLs explicitly refer to a format.  It can be done by adding `format=None` as an argument in both views.

Update `snippets/urls.py` to have `format_suffix_patterns`

In [None]:
from django.urls import path
from rest_framework.urlpatterns import format_suffix_patterns
from snippets import views

urlpatterns = [
    path('snippets/', views.snippet_list),
    path('snippets/<int:pk>', views.snippet_detail),
]

urlpatterns = format_suffix_patterns(urlpatterns)

Run the server and try:
`http http://127.0.0.1:8000/snippets/`

and

`http http://127.0.0.1:8000/snippets/ Accept:application/json` 

and 

`http http://127.0.0.1:8000/snippets/ Accept:text/html`

and

`http http://127.0.0.1:8000/snippets.json`

and

`http http://127.0.0.1:8000/snippets.api`

and

`http --form POST http://127.0.0.1:8000/snippets/ code="print(123)"`

and

`http --json POST http://127.0.0.1:8000/snippets/ code="print(456)"`

Note: adding `--debug` to these will show the request type in request headers

Browsable API can be used since HTML is returned by default when requested by a web browser.

# Class-based views
We are going to re-write the root view as a class-based view.
> - This creates a pattern that allows us to reuse common functionality
> - It keeps our code [DRY](https://en.wikipedia.org/wiki/Don't_repeat_yourself)

Let's refactor `snippets/views.py` with the below code

In [None]:
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer
from django.http import Http404
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework import status


class SnippetList(APIView):
    """
    List all snippets, or create a new snippet.
    """
    def get(self, request, format=None):
        snippets = Snippet.objects.all()
        serializer = SnippetSerializer(snippets, many=True)
        return Response(serializer.data)

    def post(self, request, format=None):
        serializer = SnippetSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=status.HTTP_201_CREATED)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
    
class SnippetDetail(APIView):
    """
    Retrieve, update or delete a snippet instance.
    """
    def get_object(self, pk):
        try:
            return Snippet.objects.get(pk=pk)
        except Snippet.DoesNotExist:
            raise Http404

    def get(self, request, pk, format=None):
        snippet = self.get_object(pk)
        serializer = SnippetSerializer(snippet)
        return Response(serializer.data)

    def put(self, request, pk, format=None):
        snippet = self.get_object(pk)
        serializer = SnippetSerializer(snippet, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

    def delete(self, request, pk, format=None):
        snippet = self.get_object(pk)
        snippet.delete()
        return Response(status=status.HTTP_204_NO_CONTENT)

Then we refactor `snippets/urls.py`.  Note `as_view()`

In [None]:
from django.urls import path
from rest_framework.urlpatterns import format_suffix_patterns
from snippets import views

urlpatterns = [
    path('snippets/', views.SnippetList.as_view()),
    path('snippets/<int:pk>/', views.SnippetDetail.as_view()),
]

urlpatterns = format_suffix_patterns(urlpatterns)

## Using mixins
Because create/retreive/update/delete operations are similar for any model-backend API views we create.  REST framework's mixin classes provide this behavior.  Let's refactor `snippets/views.py` again using these.

In [None]:
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer
from rest_framework import mixins
from rest_framework import generics

class SnippetList(mixins.ListModelMixin,
                  mixins.CreateModelMixin,
                  generics.GenericAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer

    def get(self, request, *args, **kwargs):
        return self.list(request, *args, **kwargs)

    def post(self, request, *args, **kwargs):
        return self.create(request, *args, **kwargs)

View is built with `GenericAPIView` (core functionality) with `ListModelMixin` and `CreateModelMixin` (give `.list()` and `.create()` actions.  Then we bind get/post to the right actions.

In [None]:
class SnippetDetail(mixins.RetrieveModelMixin,
                    mixins.UpdateModelMixin,
                    mixins.DestroyModelMixin,
                    generics.GenericAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer

    def get(self, request, *args, **kwargs):
        return self.retrieve(request, *args, **kwargs)

    def put(self, request, *args, **kwargs):
        return self.update(request, *args, **kwargs)

    def delete(self, request, *args, **kwargs):
        return self.destroy(request, *args, **kwargs)

`GenericAPIView` class for core again, with mixins added for `.retreive()`, `.update()`, and `.destroy()` actions.

## Using generic class-based views
REST framework provides a set of already mixed-in generic views that we can use to trim down `views.py` more.

In [None]:
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer
from rest_framework import generics


class SnippetList(generics.ListCreateAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer


class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer

Let's test this again to prove it behaves the same:

Run the server and try: `http http://127.0.0.1:8000/snippets/`

## Authentication and Permissions
Right now anyone can delete or edit code snippets.  Let's make this more secure.
- We want to associate with a creator
- only authenticated users can create
- Only the creator of a snippet may update or delete
- Unauthenticated requests should have full read-only access

To make these changes, we have to start by adding fields to our model.

### Adding info to our model
Let's add these fields to our `snippets/models.py` file:

In [None]:
owner = models.ForeignKey('auth.User', related_name='snippets', on_delete=models.CASCADE)
highlighted = models.TextField()

Since we will use the `pygments` code-highlighting library, we'll add these imports to the top of `snippets/models.py`:

In [None]:
from pygments.lexers import get_lexer_by_name
from pygments.formatters.html import HtmlFormatter
from pygments import highlight

We then add the `.save()` method to the model class:

In [None]:
def save(self, *args, **kwargs):
    """
    Use the `pygments` library to create a highlighted HTML
    representation of the code snippet.
    """
    lexer = get_lexer_by_name(self.language)
    linenos = 'table' if self.linenos else False
    options = {'title': self.title} if self.title else {}
    formatter = HtmlFormatter(style=self.style, linenos=linenos,
                              full=True, **options)
    self.highlighted = highlight(self.code, lexer, formatter)
    super(Snippet, self).save(*args, **kwargs)

Instead of performing a db migration, the tutorial says to delete the db and start again (maybe this is quicker with all the fiddling we did):
```
rm -f db.sqlite3
rm -r snippets/migrations
python manage.py makemigrations snippets
python manage.py migrate
```

When done, create a superuser:
`python manage.py createsuperuser`

### Adding endpoints for User models
With a user to work with, we can create better representations in the API.  We'll make a new serializer by adding this to  `snippets/serializers.py`:

In [None]:
from django.contrib.auth.models import User

class UserSerializer(serializers.ModelSerializer):
    snippets = serializers.PrimaryKeyRelatedField(many=True, queryset=Snippet.objects.all())

    class Meta:
        model = User
        fields = ['id', 'username', 'snippets']

The `snippets` field has a reverse relationship on the `User` model - it won't be included by default when using `ModelSerializer` so we add an explicit field for it.

Let's add some views to `snippets/views.py`.  We can use `ListAPIView` and `RetreiveAPIView` for generic class-based views:

In [None]:
from django.contrib.auth.models import User
from snippets.serializers import UserSerializer

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer


class UserDetail(generics.RetrieveAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

We are using the `UserSerializer` class in both views.

Let's edit `snippets/urls.py` to get the views added to the API.  Add:

In [None]:
path('users/', views.UserList.as_view()),
path('users/<int:pk>/', views.UserDetail.as_view()),

### Associating snippets with users
Currently the user isn't sent as part of the serialized representation - they are a property of the incoming request.  We want to associate the user that created the snippet with the snippet instance.  We can override the `.perform_create()` method on our views.  This let's us modify how the instance save is managed and handle info that is implicit in the incoming request or requested URL.

Add the code below to the `SnippetList` class in `snippets/views.py`, and the `create()` method of the serializer will be passed the `owner` filed, and the validated data from the request:

In [None]:
def perform_create(self, serializer):
    serializer.save(owner=self.request.user)

### Updating the serializer
We can add a field to the `SnippetSerializer` definition in `snippets/seralizers.py`:

In [None]:
class SnippetSerializer(serializers.ModelSerializer):
    owner = serializers.ReadOnlyField(source='owner.username')
    class Meta:
        model = Snippet
        fields = ['id', 'title', 'code', 'linenos', 'language', 'style', 'owner',]

The `source` argument controls the attribute that is used to populate a field, and can point to any attribute on the serialized instance.  The dotted notation used in the code below allows it to traverse given attributes in a similiar way as it is used in Django's template language.

`ReadOnlyField` is untyped, always read-only, used for serialized representations, but not used for updating model instances when they are deserialized.  `CharField(read_only=True)` could have also been used here.

### Adding required permissions to views
To ensure only authenticated users can cretae, update, and delete snippets, we can use REST framework's permission classes.  `IsAuthenticatedOrReadOnly` will make sure auth reqs get read-write access, and unathenticated requests get read-only access.

In [None]:
# add this import to snippets/views.py
from rest_framework import permissions

Add this property to both `SnippetList` and `SnippetDetail` view classes:

In [None]:
permission_classes = [permissions.IsAuthenticatedOrReadOnly]

### Adding login to Browsable API
We can add in the login for the browsable API by eding the URLconf in our project-level `tutorial/urls.py` file:

In [None]:
from django.urls import path, include

# add this to bottom of file
urlpatterns += [
    path('api-auth/', include('rest_framework.urls')),
]

Run the server with `python manage.py runserver`, and navigate to http://127.0.0.1:8000/snippets/ with your browser.  Example output after submitting a snippet:

```
HTTP 201 Created
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 1,
    "title": "All Unique",
    "code": "def all_unique(lst):\r\n    return len(lst) == len(set(lst))",
    "linenos": false,
    "language": "python",
    "style": "default",
    "owner": "brandon"
}
```

After creating a few snippets, go to http://127.0.0.1:8000/users/ and note that the snippet ids are associated with each user in each user's `snippets` field.

```
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

[
    {
        "id": 1,
        "username": "brandon",
        "snippets": [
            1,
            2,
            3
        ]
    }
```

### Object-level permissions
We'd like the code snippets to be visible to anyone, but make sure the user who created it can update or delete it.  We'll create a custom permission.  Create a new file called `permissions.py` in the `snippets` folder.  Add the code below:

In [None]:
from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

We can add the custom permission to our snippet instance endpoint by editing the `permissions_classes` property on the `SnippetDetail` view class, and add the import for `IsOwnerOrReadOnly`:

In [None]:
from snippets.permissions import IsOwnerOrReadOnly

permission_classes = [permissions.IsAuthenticatedOrReadOnly,
                      IsOwnerOrReadOnly]

If you go back to http://127.0.0.1:8000/snippets/ and note that PUT and DELETE only appear if you're logged in as the user who created the snippet.

### Authenticating with the API
