Article

Latest articles →

· Tim Riley

Decaf Sucks Launch Countdown: Finishing the API

This week passed without me even touching the codebase for the iPhone app. Don’t worry, though, because I actually made a major step forward by completing the Decaf Sucks API. Last week I built the API actions for reading information, and this week I had to solve the problem of providing authenticated API actions for Decaf Sucks users, which are authenticated only using Facebook and Twitter’s OAuth systems.

Authenticating via the API

The answer to this (at least for now) is to use a two-step authentication process for the iPhone app. Firstly, the iPhone app will have the same OAuth consumer tokens and secrets as the web app. When a user wants to get started on the iPhone app, they’ll follow the standard Twitter or Facebook OAuth process, which ends with the iPhone app acquiring a valid access token for that user (connected to the registered “Decaf Sucks” app on either Facebook or Twitter). The iPhone app will then POST the authentication provider and access token to /account.json in the Decaf Sucks API:

{
  "provider": "facebook",
  "access_token": "xxx"
}

At this point, the web app will find the Decaf Sucks user associated with that Facebook account, or create a new one, and return the user’s details along with a custom Decaf Sucks API key:

{
  "api_key": "cd47dcac36f1081f3c23b2bb3d386b47",
  "id": 223,
  "slug": "223-tariley",
  "login": "tariley",
  "name": "Tim Riley",
  "picture_url": "https://graph.facebook.com/tariley/picture?type=square",
  "account_url": "http://facebook.com/tariley"
}

This unique, non-colliding API key is generated automatically when the user is created:

class User < ActiveRecord::Base
  after_create :generate_api_key

  protected

  def generate_api_key
    update_attribute(:api_key, Digest::MD5.hexdigest("#{ActiveSupport::SecureRandom.hex(10)}-#{DateTime.now.to_s}-#{self.id}"))
  end
end

The iPhone app will store this API key and use it to authenticate itself for any subsequent Decaf Sucks API requests that create or modify data. The API will ask for the token via HTTP basic authentication on these requests, much like the Highrise and Campaign Monitor APIs.

Creating Reviews

The API is RESTful, as you would expect, and uses JSON to pass data back and forth. Creating a review is as simple as POSTing to /reviews.json along with a Content-Type: application/json header and JSON formatted attributes in the request body:

{
  "name": "Lonsdale Street Roasters",
  "lat": -35.274862,
  "lng": 149.132495,
  "rating": 10,
  "body": "The reason I get out of bed every morning. Outstanding coffee."
}

That’s it! The web app will take care of connecting your review to any matching cafe at that location, or will create a new one for you. In response, you get the full details of your review back:

{
  "id": 1463,
  "slug": "1463-lonsdale-street-roasters",
  "body": "The reason I get out of bed every morning. Outstanding coffee.",
  "rating": 10,
  "created_at": "2011-07-30T05:59:24Z",
  "updated_at": "2011-07-30T05:59:24Z",
  "reviewer": {
    "id": 223,
    "slug": "223-tariley",
    "login": "tariley",
    "name": "Tim Riley",
    "picture_url": "https://graph.facebook.com/tariley/picture?type=square",
    "account_url": "http://facebook.com/tariley"
  },
  "cafe": {
    "id": 624,
    "slug": "624-lonsdale-street-roasters",
    "name": "Lonsdale Street Roasters",
    "simplified_name": "Lonsdale Street Roasters",
    "address": "7 Lonsdale St, Braddon ACT 2612, Australia",
    "lat": "-35.27493",
    "lng": "149.132115",
    "rating": 8,
    "reviews_count": 12,
    "created_at": "2010-11-24T22:43:22Z",
    "last_reviewed_at": "2011-07-30T05:59:24Z",
    "latest_review": {
      "id": 1463,
      "slug": "1463-lonsdale-street-roasters",
      "body": "The reason I get out of bed every morning. Outstanding coffee.",
      "rating": 10,
      "created_at": "2011-07-30T05:59:24Z",
      "updated_at": "2011-07-30T05:59:24Z",
      "reviewer": {
        "id": 223,
        "slug": "223-tariley",
        "login": "tariley",
        "name": "Tim Riley",
        "picture_url": "https://graph.facebook.com/tariley/picture?type=square",
        "account_url": "http://facebook.com/tariley"
      }
    }
  }
}

Supporting the API

All of the controllers behind the API use decent_exposure to manage the loading and manipulation of the models. This keeps them nice and tidy. Here’s part of the ReviewsController as an example:

class Api::V1::ReviewsController < Api::V1::BaseController
  expose(:reviews) { Review.newest.page(params[:page]).per(per_page_amount(10)) }
  expose(:review)

  before_filter :require_api_key, :only => [:create, :update, :destroy]
  before_filter :must_own_review, :only => [:update, :destroy]

  def create
    review.user = api_user
    review.save
    respond_with(review)
  end
end

Because all of the controllers use decent_exposure, I could create a default exposure in just one place that handles the loading of the model attributes from JSON in the request bodies. In particular, it means we don’t have to require the model attributes to be nested in a hash underneath the model name:

class Api::V1::BaseController < ActionController::Base
  respond_to :json

  self.responder = Decafsucks::ApiResponder

  # Change the default_exposure to support attributes that aren't nested under the object's name
  # (This is the same as the default exposure from decent_exposure except for the params.except() lines)
  default_exposure do |name|
    collection = name.to_s.pluralize
    if respond_to?(collection) && collection != name.to_s && send(collection).respond_to?(:scoped)
      proxy = send(collection)
    else
      proxy = name.to_s.classify.constantize
    end

    if id = params["#{name}_id"] || params[:id]
      proxy.find(id).tap do |r|
        r.attributes = params.except(:controller, :action, :format) unless request.get?
      end
    else
      proxy.new(params.except(:controller, :action, :format))
    end
  end
end

You’ll also notice above that all the controllers use Decafsucks::ApiResponder to return the models at the end of each API call. I created this responder so that we could return error messages along the same lines as the GitHub v3 API. Here’s an example of the response to a review that was posted without a body:

{
  "message": "Validation failed",
  "errors": [
    {
      "resource": "Review",
      "field": "body",
      "code": "missing_field"
    }
  ]
}

The responder extends the default ActionController::Responder to add this behaviour, and also allows me to use a create.rep template for the nicely formatted JSON that is returned when there are no errors (I wrote about these representative_view templates last week). Here’s the responder:

module Decafsucks
  class ApiResponder < ActionController::Responder
    def to_format
      if !get? && has_errors?
        api_behavior(nil)
      else
        super
      end
    end

    def api_behavior(error)
      if !get? && has_errors?
        errors_hash = {
          'message' => 'Validation failed',
          'errors' => error_messages
        }

        display errors_hash, :status => :unprocessable_entity
      else
        super
      end
    end

    protected

    def error_messages
      errors = []

      resource.errors.each_pair do |attr, messages|
        messages.each do |message|
          errors << {
            'resource'  => resource.class.model_name,
            'field'     => attr,
            'code'      => codified_error_message(message)
          }
        end
      end

      errors
    end

    def codified_error_message(message)
      if message == "can't be blank"
        'missing_field'
      else
        'invalid'
      end
    end
  end
end

Potential Improvements

Overall, I’m happy with how the API has come together. I’m quite appreciative of all the many well-established and well-documented APIs that already exist (such as GitHub, the 37signals apps, Gowalla and Campaign Monitor). It’s definitely been useful to check these out and use them as inspiration for building our own thing.

The biggest area for improvement that I see is in how we handle the authentication. Eschewing our own authentication system has been great so far. It allowed us to build the initial app across a single Rails Rumble weekend, and has been helpful for getting new users involved with minimal fuss. It’s only now that we’re building an API that it brings in some complications.

For our initial requirements — to support our iPhone app only — the authentication process I described above will work just fine. In fact, supporting 3rd-party access would work right now by exposing a user’s API key in the web interface and have them use that for any API calls, but that feels too clunky. Ideally, we would have some sort of OAuth support in our own web app that proxies or redirects to the right parts of the Facebook or Twitter OAuth processes when appropriate. Do you have any ideas about this? Let us know.

Where Next?

Now that the API is done, it’s time to get back into building the iPhone app. Time to start investigating Twitter & Facebook OAuth libraries for Cocoa Touch apps. I’ll be back next week to share the results!