# Flask
## REST API

## REST | introduction

- HTTP protocol:
  - **REQUEST**
    - methods: GET, POST, PUT, DELETE
    - url, endpoint (`/users/:id`), where the `:id` is a variable part of the url
    - url parameters (`/users?name=John`), query string
    - headers: `Content-Type`, `Accept`, `Authorization`
    - body: JSON, XML, form data
  - **RESPONSE**
    - status code: 1xx, 2xx, 3xx, 4xx, 5xx
    - headers: `Content-Type`, `Set-Cookie`
    - body: JSON, XML, HTML

## REST | introduction
### Flask Web

![flask_web](./imgs/flask_web.png)

## REST | introduction
### Flask Rest

![flask_rest](./imgs/flask_rest.png)

## HTTP | methods

| Method | Description | typical status code |
| --- | --- | --- |
| GET | Retrieve data | 200 |
| POST | Create data | 201 |
| PUT | Update (replace) data | 200 |
| (PATCH) | Partially update data | 200 |
| DELETE | Delete data | 204 |

## HTTP | status codes

| Code | Description |
| --- | --- |
| 1xx | Informational |
| 2xx | Success |
| 3xx | Redirection |
| 4xx | Client Error |
| 5xx | Server Error |

## Routes | endpoints

- `http://127.0.0.1:5000/users`

- `http://` - protocol
- `127.0.0.1` - host
- `5000` - port
- `/users` - endpoint

## Routes | endpoints

- GET `/users` - get all users
- POST `/users` - create a user, we need to specify the body we want to create

___
- GET `/users/:id` - get a user by id
- PUT `/users/:id` - update a user by id, we need to specify the body we want to update
- DELETE `/users/:id` - delete a user by id

# Best practices

- **GET** - should not have a request body and must not change server state
- **POST** - should have a body, and should return the created object with 201
- **PUT** - should have a body, and should return the updated object
- **DELETE** - should not have a request body, and should return 204 with an empty response body
- **(PATCH)** - should have a body containing only the fields to change, and should return the updated object

## MVC | Model View Controller

- **Model** - data, database
- **View** - user interface
- **Controller** - logic, routes

We will use a layered variant of the MVC pattern to structure our application:

- `controller`: manages the routes (HTTP in, HTTP out)
- `service`: manages the business logic
- `model`: manages the data
- `repository`: manages database access
- `mapper`: manages data transformation (model <-> DTO)

## DTO | Data Transfer Object

A DTO is an object that carries data between processes. It is a simple object with fields and getters/setters, and no business logic.

DTOs:
- **Request**: object that carries data from the client to the server
- **Response**: object that carries data from the server to the client

DTOs help with data validation: the request DTO defines exactly which fields the API accepts, and the response DTO defines exactly which fields the API exposes.

During this week we'll use `Marshmallow` to create our DTOs.
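What the request and response DTOs do for us, as an added example written for this page with the standard library only (the course uses Marshmallow for the same job; this is not course code). The request DTO rejects unknown fields and bad values before anything reaches the service, and the response DTO is an explicit allow-list, so the stored password hash can never end up in a response by accident. The field names, the `ValidationError` class and the `UserRecord` model are assumptions for illustration.

```python
"""Request and response DTOs for a user resource, using only the standard library.

Added example, not from the course (which uses Marshmallow for this job): the field
names, the ValidationError class and the UserRecord model are assumptions for illustration.
"""
import hashlib
import os
import re
from dataclasses import asdict, dataclass

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_ALLOWED_FIELDS = frozenset({"name", "email", "password"})


class ValidationError(ValueError):
    """Carries a dict of field -> message, ready to be sent back as a 400 body."""

    def __init__(self, errors):
        super().__init__(errors)
        self.errors = errors


@dataclass(frozen=True)
class UserCreateRequest:
    """Request DTO: the only shape accepted for POST /users."""
    name: str
    email: str
    password: str

    @classmethod
    def load(cls, payload):
        if not isinstance(payload, dict):
            raise ValidationError({"_body": "JSON object required"})
        errors = {}
        unknown = set(payload) - _ALLOWED_FIELDS
        if unknown:  # reject mass-assignment attempts such as {"role": "admin"}
            errors["_unknown"] = f"unknown fields: {sorted(unknown)}"
        name, email, password = payload.get("name"), payload.get("email"), payload.get("password")
        if not isinstance(name, str) or not 1 <= len(name.strip()) <= 64:
            errors["name"] = "must be a string of 1-64 characters"
        if not isinstance(email, str) or not _EMAIL_RE.match(email):
            errors["email"] = "must be a valid e-mail address"
        if not isinstance(password, str) or len(password) < 12:
            errors["password"] = "must be at least 12 characters"
        if errors:
            raise ValidationError(errors)
        return cls(name=name.strip(), email=email, password=password)


@dataclass
class UserRecord:
    """Model as stored by the repository; password_hash must never leave the server."""
    id: int
    name: str
    email: str
    password_hash: str


@dataclass(frozen=True)
class UserResponse:
    """Response DTO: an explicit allow-list of what the client gets back."""
    id: int
    name: str
    email: str

    @classmethod
    def dump(cls, record):
        # Mapper step: model -> response DTO -> plain dict for jsonify
        return asdict(cls(id=record.id, name=record.name, email=record.email))


def create_user(payload, repository):
    """Controller step: validate the request DTO, store the model, return only the response DTO."""
    dto = UserCreateRequest.load(payload)  # raises ValidationError -> HTTP 400
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", dto.password.encode(), salt, 600_000)
    record = UserRecord(id=len(repository) + 1, name=dto.name, email=dto.email,
                        password_hash=f"{salt.hex()}${digest.hex()}")
    repository.append(record)  # the list stands in for the repository layer
    return UserResponse.dump(record)


if __name__ == "__main__":
    print(create_user({"name": "Alice", "email": "alice@example.com",
                       "password": "correct horse battery staple"}, []))
```

In a Flask controller the `ValidationError.errors` dict is what you return with status 400; the client sees which fields were wrong, and the service layer only ever receives a fully validated `UserCreateRequest`.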

# JWT | JSON Web Token

- JWT is a standard for creating tokens (IETF RFC 7519)
- JWTs are used to authenticate and authorize users
- A JWT is a JSON "document" that contains pieces of information called claims
- There are many different types of claims, depending on the needs
- A JWT is structured in three parts: header, payload, signature
  - header: algorithm (`alg`) and type (`typ`)
  - payload: claims
  - signature: a MAC or digital signature computed over the header and payload with a key
    - The signature lets the receiver check that the JWT was produced by the holder of the key and that the content wasn't changed along the way (authenticity and integrity)
  - The three parts are separated by dots (`.`)
- The JWT is encoded in base64url, but it is not encrypted: anyone holding the token can read the claims, so never put secrets in them
- We can use the website [jwt.io](https://jwt.io/) to decode and verify a JWT; only paste test tokens there, never production ones

# JWT | JSON Web Token

We distinguish two types of tokens:

- **ID Token**: token that contains user information
- **Access token**: token that is used to access resources

# JWT | JSON Web Token
## Claims

- **Registered claims**: standard claims defined by the JWT specification
  - `iss`: issuer, the entity (server, service, API) that issued the JWT
  - `sub`: subject, the person or system the JWT is about
  - `aud`: audience, the recipient(s) (API, service) the JWT is intended for; a recipient must reject tokens not addressed to it
  - `iat`: issued at, the time at which the JWT was issued
  - `exp`: expiration time, the time after which the JWT must not be accepted

To know more about the claims, you can visit the website: [JWT Claims](https://www.iana.org/assignments/jwt/jwt.xhtml)

# JWT | JSON Web Token
## Signing algorithms

There are two families of algorithms for signing the JWT (signing, not encrypting: the content stays readable):

- **HMAC**: symmetric algorithm, the same secret key is used to sign and verify the token, so every party that can verify can also forge
- **RSA**: asymmetric algorithm, a private key is used to sign the token and a public key is used to verify it, so verifiers cannot forge

- **HS256**: HMAC with SHA-256, signed with a shared secret key
- **RS256**: RSA (RSASSA-PKCS1-v1_5) with SHA-256, signed with a private key

The verifier decides which algorithm it accepts; it must never take the `alg` value from the token header at face value.

# JWT | JSON Web Token
## Signing purpose

The goal of signing the JWT is to ensure that the token was produced by the holder of the signing key and that the content wasn't changed along the way (authenticity and integrity). Non-repudiation is only obtained with an asymmetric algorithm such as RS256: with HMAC every verifier holds the same key and could have produced the token itself.
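The three-part structure, the registered claims, HS256 signing and the purpose of the signature, all in one added example written for this page with the standard library only (it is not course code, and production code should use a maintained library such as PyJWT). It builds a token, shows that the payload is readable without any key, then verifies the way a resource server should: algorithm pinned, constant-time signature comparison, `aud` and `exp` checked. It then shows that a modified payload, a token signed with another key, an expired token and an `alg: none` token are all rejected. The secret, the claim values and the function names are constructed for illustration.

```python
"""HS256 JWTs with the standard library: three dot-separated base64url parts, an
unverified "peek" at the claims, and verification as a resource server should do it.

Added example, not from the course material; the key, claim values and function names
are constructed for illustration. Use a maintained library (e.g. PyJWT) in production.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; load from config in practice


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_payload(token):
    """Decode the claims WITHOUT verifying: anyone holding the token can do this,
    which is why a JWT is encoded, not encrypted, and must carry no secrets."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token, key, audience, now=None):
    """Return the claims if the token is valid for this audience, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never trust `alg` from the token (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def tamper(token, **changes):
    """Attacker step: re-encode the payload with changed claims, keep the original signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(p_b64))
    claims.update(changes)
    return h_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s_b64


def demo(now=1_700_000_000.0):
    claims = {"iss": "https://auth.example", "sub": "user-42", "aud": "users-api",
              "iat": int(now), "exp": int(now) + 900, "role": "user"}
    token = encode_hs256(claims, SECRET)
    results = {"parts": len(token.split(".")), "peek_sub": peek_payload(token)["sub"]}
    results["valid"] = verify_hs256(token, SECRET, "users-api", now)["sub"]
    attacks = {
        "tampered": tamper(token, role="admin"),
        "wrong_key": encode_hs256(claims, b"attacker-key"),
        "expired": encode_hs256({**claims, "exp": int(now) - 1}, SECRET),
        "alg_none": b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + token.split(".")[1] + ".",
    }
    for name, bad in attacks.items():
        try:
            verify_hs256(bad, SECRET, "users-api", now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Two things to take away from running it: `peek_payload` needs no key at all, so a JWT hides nothing; and because `SECRET` is shared, any service able to call `verify_hs256` could also call `encode_hs256`, which is exactly why HMAC gives authenticity and integrity but not non-repudiation.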