# Module 09 - RESTful API and Flask

## Theory Questions

1.  What is a RESTful API?
-  A RESTful API (Representational State Transfer API) is a type of web API that follows the principles of REST architecture. It allows systems to communicate over HTTP using standard methods like GET, POST, PUT, DELETE, etc
-  Key Concepts of RESTful API:
-  Stateless - Each request from a client to the server must contain all the information needed to understand and process the request. The server doesn’t store client context between requests.
-  Resources - Everything in REST is considered a resource, which is identified by a URI (Uniform Resource Identifier), like /users/123.
-  HTTP Methods: `GET`: Retrieve a resource, `POST`: Create a new resource, `PUT`: Update a resource (replace), `PATCH`: Update part of a resource, `DELETE`: Delete a resource
-  JSON or XML - Most RESTful APIs use JSON to send and receive data, though XML is also supported.
-  Stateless Communication - There’s no session or state stored on the server. Each request is independent

---

2.  Explain the concept of API specification.
-   An API specification is a detailed, standardized description of how an API behaves and how developers should interact with it. It defines the rules, structure, and available endpoints of an API in a clear, human and machine - readable format


Key Components of an API Specification
-  Endpoints (URLs) - The paths through which clients access API resources
-  Methods (Verbs) - HTTP methods like GET, POST, PUT, DELETE, etc
-  Request Parameters - Details about query strings, path variables, headers, and request bodies
-  Request/Response Format - Usually in JSON or XML, describing what data to send and expect
-  Authentication Requirements - How clients should authenticate (e.g., API key, OAuth)
-  Status Codes and Errors - What HTTP status codes the API returns and what they mean (200, 404, 500, etc.)

---

3.  What is Flask, and why is it popular for building APIs?
-   Flask is a lightweight, Python-based web framework that's especially popular for building RESTful APIs and small-to-medium-sized web applications
-   Flask is a microframework for Python, meaning: It has minimal built-in functionality, You can add only the tools you need using extensions,
-   Originally developed by Armin Ronacher, Based on Werkzeug (for routing and WSGI) and Jinja2 (for templating)

Reasons and it's corresponding explanation of the popularity of Flask for building APIs:

| Reason                             | Explanation                                                                           |
|------------------------------------|---------------------------------------------------------------------------------------|
| **Lightweight & Minimalistic**  | No unnecessary features — just what's needed to get an API up and running.           |
| **Flexible**                    | You choose how to structure your project, which tools to use (ORM, validation, etc.).|
| **Extensible**                  | Easily integrates with SQLAlchemy, Marshmallow, JWT, etc.                            |
| **Quick to Build & Deploy**     | Great for prototyping and MVPs — very little boilerplate.                            |
| **Well-Documented & Supported** | A large community and tons of tutorials make it beginner-friendly.                   |
| **Great for REST APIs**         | You can define clean routes with methods like `GET`, `POST`, etc.                    |

---

4.   What is routing in Flask?
-  Routing in Flask is the process of mapping URLs (web addresses) to Python functions, known as view functions. These functions are executed when a user visits a specific route (or endpoint) on your web application.
-  Routing lets you decide what your app does when someone visits a specific URL

Importance of Routing in Flask:
-  Enables modular design (each URL can trigger a different function)
-  Essential for building RESTful APIs
-  Allows handling user input, forms, and parameters through different HTTP methods

---

5.   How do you create a simple Flask application?

-  To create a simple Flask application, start by installing Flask using the command pip install Flask. Once installed, create a Python file—let’s call it main.py. Inside this file, write a small script that imports the Flask module, initializes the app, defines a single route (for example, the home route /), and returns a simple HTML response such as Hello, Flask. You’ll also need to include a conditional block at the end of the script to run the app with app.run(debug=True). After saving the file, run the application by executing python main.py in your terminal. Once the app starts, you’ll see a message indicating that the server is running—typically on http://127.0.0.1:5000/. Open this URL in your browser, and you should see the HTML message displayed. This confirms that your Flask application is running correctly and serving content to the web.


-  Install Flask - pip install Flask
-  Creat a file eg: main.py
-  Run application - `python main.py`
-  Output: Running on http://127.0.0.1:5000/ (Press CTRL + C to quit)
-  Click on the link and control to view the display
-  Return HTML 

---

6.  What are HTTP methods used in RESTful APIs?
-  `GET` - The GET method is used to retrieve data from the server. It is a read-only operation and does not change the state of the resource. GET requests are safe and idempotent, meaning multiple identical requests will produce the same result without causing side effects. It’s commonly used to fetch data like user details or a list of items.
-   `POST` - 
The POST method is used to create a new resource on the server. It sends data to the server, such as form inputs or JSON payloads, and the server processes and stores this data. Unlike GET, POST is not idempotent—sending the same POST request multiple times may result in multiple new resources being created.
-   `PUT` - 
The PUT method is used to update or completely replace an existing resource. It requires the full data for the resource, and the existing resource is replaced with the new data sent in the request. PUT is idempotent, meaning making the same request multiple times will always result in the same state of the resource.
-  `PATCH` - 
The PATCH method is used for partial updates to a resource. Instead of sending the entire resource data like PUT, PATCH sends only the fields that need to be changed. It is generally not considered idempotent, as repeated requests may produce different outcomes depending on how the changes are applied.
-   `DELETE` - 
The DELETE method is used to remove a resource from the server. It is idempotent—sending the same DELETE request multiple times will have the same effect, either deleting the resource or ensuring it remains deleted if already removed.
-  `OPTIONS` - 
The OPTIONS method is used to describe the communication options available for a specific resource. It is often used in CORS (Cross-Origin Resource Sharing) to determine which HTTP methods and headers are allowed when accessing a resource from a different origin.
-  `HEAD` - 
The HEAD method is similar to GET, but it only retrieves the headers of the response, not the actual content. It is useful for checking if a resource exists, validating links, or retrieving metadata without downloading the full response body.

---

7.   What is the purpose of the @app.route() decorator in Flask?
-   The `@app.route()` decorator in Flask is used to bind a URL path to a specific function, known as a view function. This means that when a user accesses a particular URL in the browser, Flask knows which function to call and what response to return.
-   In this code, @app.route("/") tells Flask that when someone visits the root URL (/), the home() function should be executed. Whatever the function returns (in this case, a string) is sent back as the response to the client


Key Purposes:
-   Defines the route (URL path) that triggers the function
-   Links URLs to Python functions (view logic)
-   Allows dynamic URLs using route parameters (e.g., @app.route('/user/<username>'))

---

8.  What is the difference between GET and POST HTTP methods?
GET Method
-  Purpose: Used to retrieve data from the server.
-  Data Location: Sends data in the URL as query parameters (e.g., /search?query=python).
-  Visibility: Data is visible in the URL, making it less secure for sensitive information.
-  Caching: GET requests can be cached and bookmarked.
-  Idempotent: Yes – repeating the request does not change server data.
-  Example Use Case: Loading a webpage, fetching search results.

POST Method
-  Purpose: Used to send data to the server, typically to create or submit something.
-  Data Location: Sends data in the request body, not in the URL.
-  Visibility: Data is not visible in the URL, making it more secure for sensitive input.
-  Caching: POST requests are not cached and not bookmarkable.
-  Idempotent: No – repeating the request can result in duplicate actions (e.g., multiple form submissions).
-  Example Use Case: Submitting a login form, posting a comment.


GET -->> Read-only, URL-based, safe for viewing/fetching data.


POST -->> Send/submit data, hidden in the body, used for actions that change server state.

---

9.  How do you handle errors in Flask APIs?
-   Use Flask’s @app.errorhandler Decorator - You can catch specific HTTP error codes or exceptions
-   Handle Custom Exceptions - Define and handle your own exception classes
-   Return JSON Responses Consistently - APIs should return errors in JSON, not HTML. To enforce JSON output for unhandled exceptions
-   Use Flask-RESTful for Cleaner Error Handling - If you're using Flask-RESTful, you can override its error handlers

---

10.   How do you connect Flask to a SQL database?
-    To connect Flask to a SQL database, you typically use an ORM (Object Relational Mapper) like SQLAlchemy, or a database connector library directly. Here's how it's commonly done using Flask-SQLAlchemy, which integrates SQLAlchemy with Flask.
-    Use Flask-SQLAlchemy for ORM-based interaction
-    Configure your app with the correct database URI
-    Define models as Python classes
-    Use db.create_all() to create tables.
-    Interact with the database using SQLAlchemy session methods.

---

11.  What is the role of Flask-SQLAlchemy?

Role of Flask-SQLAlchemy:
-  Database Integration - 
It allows you to connect your Flask app to a SQL database like SQLite, MySQL, PostgreSQL, etc., with minimal setup.
- Object Relational Mapping (ORM) -  Flask-SQLAlchemy lets you define your database tables as Python classes (called models), making database interaction easier and more readable.
-  Simplified Configuration -  It provides a simple way to configure database settings using app.config['SQLALCHEMY_DATABASE_URI'].
-  Session Management -  It handles sessions for committing changes to the database, making it easy to add, update, and delete records.
-  Schema Generation -  You can automatically create tables from your model classes using db.create_all().
-  Query Interface -  Flask-SQLAlchemy provides a powerful querying system through the query object on models, allowing you to perform database operations with Python code instead of raw SQL

---

12.   What are Flask blueprints, and how are they useful?
-   Flask Blueprints are a feature that lets you create parts of your app independently and then register them later to the main application. Think of them as smaller apps within your big app.

Why Blueprints Are Useful:
-  Modular Structure - They help break a large Flask app into smaller, manageable pieces (e.g., auth, admin, user)
-  Reusability - You can reuse the same blueprint in multiple projects or multiple times in one project with different configurations
-  Clear Separation of Concerns -  Keeps your code organized by separating functionality (e.g., routes for authentication vs. routes for products)
-  Easy Collaboration - Different developers or teams can work on different blueprints independently
-  Scalability - Ideal for large applications with many components; avoids clutter in a single app.py file

---

13.   What is the purpose of Flask's request object?
-    The `request` object in Flask is used to access data from the client's HTTP request. It allows the application to read input sent by the user through various methods such as form submissions, URL parameters, headers, and JSON payloads
-    It is a core part of handling user input and is available globally in any route during a request


The request object enables the following:
-   Accessing form data submitted through HTML forms using POST method.
-   Reading query parameters sent via the URL.
-   Parsing JSON data from an API request body.
-   Determining the HTTP method used for the request (GET, POST, etc.).
-   Retrieving request headers and cookies.
-   Handling file uploads

---

14.   How do you create a RESTful API endpoint using Flask?
-   To create a RESTful API endpoint using Flask, you start by installing Flask with pip install Flask. Then, you set up a Flask application by importing the Flask, request, and jsonify modules.
-   You define your app with app = Flask(__name__), and then use route decorators like @app.route() to specify the endpoint URLs and supported HTTP methods such as GET, POST, PUT, and DELETE. For example, a GET request to /api/users can return a list of users, while a POST request to the same endpoint can accept JSON data from request.get_json() to add a new user.
-   Similarly, PUT and DELETE requests to /api/users/<int:user_id> can be used to update or delete a specific user, respectively. Responses are typically returned in JSON format using the jsonify() function. Finally, the app can be run in development mode using app.run(debug=True). This basic structure sets up a simple yet functional RESTful API in Flask.

---

15.  What is the purpose of Flask's jsonify() function?
-    The `jsonify()` function in Flask is used to create a JSON response from Python data structures. It is part of Flask’s `flask` module and simplifies returning JSON-formatted responses from API endpoints.

1. Purpose of `jsonify()`

- Converts Python dictionaries, lists, and other JSON-serializable data into a valid JSON response.
- Automatically sets the correct `Content-Type` header to `application/json`.
- Ensures proper encoding of special characters and Unicode.
- Returns a Flask `Response` object that can be used directly in return statements.

2. Basic Usage

Example:
```python
from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/api/user')
def get_user():
    user = {'name': 'Alice', 'age': 30}
    return jsonify(user)

---

16.  Explain Flask’s url_for() function.
-   The `url_for()` function in Flask is used to dynamically build URLs for routes (endpoints) defined in the application. It is part of Flask's `flask` module and is commonly used in templates and Python code to avoid hardcoding URLs.

1. Purpose of `url_for()`

- Generates the correct URL for a given view function name.
- Ensures that URLs automatically reflect changes in route definitions.
- Helps avoid broken links due to hardcoded paths.
- Supports query parameters and dynamic parts of URLs.

2. Basic Usage

- Syntax:
```python
url_for(endpoint, **values)

---

17.  How does Flask handle static files (CSS, JavaScript, etc.)?
-   Flask handles static files (such as CSS, JavaScript, and images) using a special folder named `static`. This folder is automatically served by Flask at the `/static/` URL path.

1. Default Static Folder

- Flask expects all static files to be placed in a folder named `static` inside the project directory.
- Files can then be accessed in the browser via `/static/filename`.

Example:
- File path: `project/static/style.css`
- URL: `http://localhost:5000/static/style.css`

2. Using Static Files in Templates

- In Jinja2 templates, use the `url_for()` function to link to static files. This ensures correct URL generation.

Example in HTML:
```html
<link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
<script src="{{ url_for('static', filename='script.js') }}"></script>

---

18.  What is an API specification, and how does it help in building a Flask API?
-   An API specification is a formal, structured document that defines how an API behaves, what endpoints it offers, what input it accepts, and what output it returns. It acts as a contract between the server (API provider) and the client (API consumer).

In the context of a Flask API, an API specification helps ensure consistency, clarity, and reliability during development and integration.

1. Key Components of an API Specification

- Endpoints (URLs)
- HTTP methods (GET, POST, PUT, DELETE, etc.)
- Request parameters (query, path, headers, body)
- Request and response data formats (usually JSON)
- Response status codes
- Authentication requirements
- Error message formats

2. Common API Specification Formats

- OpenAPI (formerly Swagger)
- RAML (RESTful API Modeling Language)
- API Blueprint
- Postman Collections

3. Benefits of Using an API Specification in Flask

- **Clear Documentation**: Acts as a source of truth for developers working on the API and for clients consuming it.
- **Code Generation**: Tools can generate Flask routes, models, and even client libraries from the specification.
- **Validation**: Requests and responses can be automatically validated against the spec to ensure correctness.
- **Testing**: Easier to write automated tests and mock servers using the defined contract.
- **Collaboration**: Backend and frontend teams can work in parallel using the specification as a shared contract.
- **Versioning**: Simplifies managing and communicating API version changes.

4. How to Use API Specs in Flask

- Use tools like Flask-RESTX or Flask-Smorest to integrate OpenAPI specs directly into your Flask app.
- Use Swagger UI or Redoc to auto-generate interactive documentation.
- Define the spec manually in YAML or JSON, or use decorators in your Flask code to auto-generate it.


An API specification defines the structure and behavior of an API in a standardized way. In Flask development, it enhances clarity, reduces errors, supports automation, and improves collaboration between teams.

---

19.   What are HTTP status codes, and why are they important in a Flask API?
-    HTTP status codes are standardized three-digit codes returned by a server in response to a client's request. They indicate whether a request was successful, resulted in an error, or requires further action.

In a Flask API, using appropriate status codes is important for clearly communicating the outcome of API operations to clients.

1. Categories of HTTP Status Codes

- 1xx (Informational): Request received, continuing process.
- 2xx (Success): The request was successfully received and processed.
- 3xx (Redirection): Further action is needed to complete the request.
- 4xx (Client Error): The request has errors (e.g., bad syntax, unauthorized).
- 5xx (Server Error): The server failed to fulfill a valid request.

2. Common HTTP Status Codes in Flask APIs

- 200 OK: Standard success response.
- 201 Created: Resource successfully created (e.g., after POST).
- 204 No Content: Successful, but no content to return.
- 400 Bad Request: The request is invalid or malformed.
- 401 Unauthorized: Authentication is required or has failed.
- 403 Forbidden: Authenticated but not allowed to access the resource.
- 404 Not Found: Requested resource does not exist.
- 409 Conflict: Request could not be completed due to a conflict (e.g., duplicate entry).
- 500 Internal Server Error: Generic server-side error.

3. Importance in a Flask API

- Helps clients understand the result of their requests without parsing the response body.
- Enables better error handling on the client side.
- Supports RESTful principles for resource management.
- Improves debugging, logging, and API monitoring.
- Essential for frontend/backend integration and automated testing.

---

20.   How do you handle POST requests in Flask?
-   Use methods=['POST'] in route decorator
-   Use request.form for form data
-   Use request.get_json() for JSON payloads
-   Always validate incoming data
-   Return appropriate HTTP responses

---

21.  How would you secure a Flask API?
-    Securing a Flask API is crucial to protect data, prevent misuse, and ensure that only authorized users can access specific endpoints.

1. Authentication and Authorization - Authentication confirms the identity of users. Common methods include token-based authentication (such as JWT), API keys, and OAuth 2.0. Authorization determines what an authenticated user is allowed to do. Role-based access control (RBAC) is commonly used.

2. Use HTTPS - Always serve the API over HTTPS to encrypt data in transit. This prevents eavesdropping and man-in-the-middle (MITM) attacks.

3. Token-Based Authentication (e.g., JWT) - JSON Web Tokens are compact and secure tokens used for stateless authentication. Store minimal user data in the token payload. Verify the signature using a secret key or public/private keys.

4. API Keys - Issue unique keys to clients consuming the API. Check for valid API keys in headers or query parameters. Suitable for public or partner facing APIs.

5. Rate Limiting and Throttling - Prevent abuse such as denial-of-service attacks by limiting the number of requests per IP address or per token. Flask-Limiter is a common extension used for this.

6. Input Validation and Sanitization - Always validate incoming data using libraries like marshmallow, pydantic, or Flask-RESTful’s reqparse. This prevents SQL injection, cross-site scripting (XSS), and other injection-based attacks.

7. Error Handling and Logging - Do not expose stack traces or internal error messages in production responses. Log errors securely for debugging and auditing purposes.

8. CORS Configuration - Use Flask-CORS to control which domains are allowed to access your API. Avoid allowing all origins with Access-Control-Allow-Origin: * on sensitive APIs.

9. Session and Cookie Security (if used) - Set secure, HttpOnly, and SameSite flags on cookies. Use a strong SECRET_KEY to protect session integrity.

10. Security Headers - Add HTTP headers to protect against common attacks:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Content-Security-Policy
- Flask-Talisman is a helpful extension for adding security headers.

11. Use a Reverse Proxy - Use a reverse proxy like Nginx to handle SSL termination, load balancing, and additional rate limiting outside of your Flask application.

12. Secure the Database  -  Use parameterized queries or ORMs like SQLAlchemy to prevent SQL injection. Restrict database access to only necessary operations. Store credentials in environment variables, not in source code.

13. Keep Dependencies Updated - Use tools like pip-audit or Safety to scan for vulnerabilities in your Python packages. Remove unused packages to reduce the attack surface.

Summary

| Aspect                | Method                                |
|-----------------------|----------------------------------------|
| Authentication        | JWT, OAuth2, API Keys                  |
| Transport Security    | HTTPS only                             |
| Access Control        | Role-based permissions                 |
| Abuse Prevention      | Rate limiting                          |
| Input Security        | Validation & sanitization              |
| CORS Control          | Configure allowed origins              |
| Response Security     | Hide sensitive error messages          |
| Header Hardening      | Security headers (Talisman)            |
| Secure Config Storage | Use environment variables              |

---

22.  What is the significance of the Flask-RESTful extension?
-   Significance of Flask-RESTful Extension - `Flask-RESTful` is an extension for Flask that simplifies the creation of RESTful APIs by providing a structured and consistent approach to building web services.


Key Features and Significance:


**Class-Based Resources**
- Encourages a clean, object-oriented structure for handling HTTP methods.
- Each resource is represented by a class where methods like `get()`, `post()`, `put()`, and `delete()` correspond to HTTP verbs.

**Automatic Routing**
- Simplifies URL mapping using `api.add_resource()` instead of manually defining `@app.route()` decorators.

**Request Parsing with `reqparse`**
- Built-in argument parsing and validation for incoming request data.
- Prevents repetitive boilerplate code when extracting and validating input.

**Improved Code Organization**
- Encourages separation of concerns by organizing logic into resources, rather than putting everything into route functions.
- Makes large APIs more readable and easier to maintain.

**Automatic HTTP Response Codes**
- Returns appropriate HTTP status codes by default (e.g., `404` for missing resources).
- Simplifies error handling and improves API consistency.

**Serialization Support**
- Makes it easier to return JSON responses.
- Supports custom formatting and output models for cleaner responses.

**Custom Error Handling**
- Allows you to define centralized error handlers for better consistency across API responses.


Benefits:
- Reduces boilerplate code in REST APIs.
- Enhances maintainability and readability.
- Promotes RESTful best practices.
- Speeds up development of resource-oriented APIs.


When to Use Flask-RESTful: 
- For medium to large-scale REST APIs.
- When you want to follow a clean, class-based approach to route and logic separation.
- When you need built-in request parsing and response formatting.


**Flask-RESTful** is a helpful extension for building REST APIs in Flask with less code and better structure. It provides class-based views, built-in parsing, and automatic handling of HTTP methods and responses — making it ideal for scalable and maintainable API design.

---

23.  What is the role of Flask’s session object?
-    The `session` object in Flask allows you to store and retrieve data across multiple requests made by the same user. It is used for managing state in a stateless HTTP environment.

- Purpose of `session` - Maintains user-specific data across requests. Stores data like login status, user preferences, and temporary information.

-  How It Works - Data is stored **client-side** in **secure cookies**. Flask **signs** the cookies using the `SECRET_KEY` to prevent tampering. Although stored on the client, session data is protected against modification.

-  Key Features - Dictionary-like interface (`session['key'] = value`). Data persists between requests for the same user Simple and secure mechanism for session management


Common Use Cases
- Tracking logged-in users
- Storing flash messages or alerts
- Shopping cart implementation
- Saving language or theme preferences


Session Lifetime
- By default, session lasts until the browser is closed.
- You can make it **permanent** with `session.permanent = True`.
- The duration of a permanent session can be controlled using `app.permanent_session_lifetime`.

`session` vs `cookies`

| Aspect        | Flask `session`         | Raw Cookies               |
|---------------|-------------------------|---------------------------|
| Interface     | Dict-like (Pythonic)    | Manual string parsing     |
| Security      | Signed (tamper-proof)   | Not secure by default     |
| Usability     | Easy to use             | Requires extra handling   |
| Storage Limit | Few KB (client-side)    | Same as cookies (~4 KB)   |


Best Practices

- Always set a strong `SECRET_KEY` to ensure session integrity.
- Avoid storing large or sensitive data (e.g., passwords) in sessions.
- Clean up session data when it's no longer needed (e.g., on logout).


Flask’s `session` object is a secure and convenient way to maintain state between HTTP requests. It is ideal for tasks like managing login sessions, storing small bits of user data, and enhancing the user experience across multiple requests.

---

---