Designing an API with Web API on Azure

.NET core is great for creating a Web API project to provide an API.
Tip: Swagger is a great tool that has an editor to specify your API.  With the OpenAPI specification for your API, you can generate documentation, or use the code generation feature to generate tests or C# code.
Tip:  Use the Swashbuckle.AspNetCore Nugget package to generate an OpenAPI specification for your API if you use a code first approach.

Do not trust incoming parameters, you must validate.  Always respond with generic header error messages so you don't give away back-end information.  Ensure you log all errors and review them.

Preferred High Level Design I like for Web API projects

The API needs to return Status Codes to allow consumers/clients to know how there operations are doing so I design with these standard HTTP status codes:

CodeCode Status Meaning 200 OK (GET) 201 Created (POST or PUT) 202 Accepted.  Used for long running operations. 204 Resource has been deleted (DELETE) 304 Not Modified 400 Bad Request 401 Not Authorized 403 Forbidden 404 Not Found 422 Entity Validation Issue 429 Too many Requests (Implement at APIM layer only) 500 Internal Error

• The bold codes are the three minimum set of response codes I will use for a simple API.  The next 4 most important are italicized.
• Name resources/EndPoints with nouns and I always use lowercase e.g. /api/customers is better than verb noun which was common a few years ago, e.g., /api/GetAllCustomers  NB!  No verbs in URL naming.
• Keep the URL's simple.
• Always use HTTPS.
• DateTime data is always in UTC.
• Sensitive information must be in the header or body, not in the URL as it is not encrypted.

URL/Resource	GET (read)	POST (create)	PUT (Update)	DELETE (Delete)
/customers	List all customers	Add/created a new customer	Bulk update customers	Bulk Delete or Generally error and don’t implement
/customers/35	Get a specific customer.  Customer 35 is John Doe	NA	Update the John Doe record	Delete the John Doe object/record

HTTP Methods to Support

GET	Return the current value of an object
PUT	Replace or update an object
DELETE	Delete an object
POST	Create a new object.  Return 201 for created and 202 for long running operations.

* PATCH - is also used for updating objects but normally a subsets of existing data

Versioning
API's need to change but there can be multiple client applications consuming my OpenAPI.  We use versioning to ensure I don't break existing implementations.  There are different strategies for versioning API's:

• No versioning:   https://pbeck.co.uk/customers/35
• URI versioning: https://pbeck.co.uk/v2/customers/35
• Query string versioning: https://pbeck/customers/35?version=2
• Header Versioning:  Not in the URL but passed in the header (my preferred option)

APIM has a great implementation for versioning.  Generally, adding optional data is pretty safe for API versioning.  You need to give 3rd parties using your API's time to implement the new version before deprecating and versions.

Tip: Enforce versions are present in the header.  No version return bad request.

JSON
JSON property names SHOULD be camelCased.

Query Params

Allow filtering using query param e.g. https://pbeck.co.uk/customers?firstname='paul'

Allow sorting for the most common properties

DateTime should be in UTC - The pattern for this date and time format is YYYY-MM-DDThh:mm:ss.sTZD. It is recommended to use the ISO-8601 format.  UI does adjustment for local time display.

Paging

Requests must have max return limit e.g. 100 items.  Specifying the limit param if you want to change the size of the dataset to return.

CORS

Cross Origin Request will need to be supported, reply on OAuth for who can use the API.

HATEOAS 

Good way to navigate around your API.  And a principle worth adhering to where possible.  

Authentication and Authorization

API's access should be via OAuth2.0.  It is very easy to hook APIM and underlying App Service (Web API) up to AAD B2C.  Scopes are used for authorization.

Code Review/Quality

"Linting is the automated checking of your source code for programmatic and stylistic errors. This is done by using a lint tool (otherwise known as linter)".   Examples of Linting Tools are Resharper, StyleCop, SonarQube, ...

Security

Always review the OWASP API Security for your API's.

https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design
https://owasp.org/www-project-cheat-sheets/cheatsheets/REST_Security_Cheat_Sheet.html

https://github.com/Microsoft/api-guidelines/blob/master/Guidelines.md

It's a good idea to also have a WAF in front of your API.

Excel Services REST API - SP2013 Notes

"Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint 2013. Excel Services was first introduced in Microsoft Office SharePoint Server 2007."  MSDN

There are 4 ways to interact with Excel using Excel Services, this article only looks at utilisting the REST API.  The figure below provide context showing an Excel file with a list of countries with 3 digit ISO codes.

Work in Progress...

Excel Services REST API - SP2013 Notes

"Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint 2013. Excel Services was first introduced in Microsoft Office SharePoint Server 2007."  MSDN

There are 4 ways to interact with Excel using Excel Services, this article only looks at utilisting the REST API.  The figure below provide context showing an Excel file with a list of countries with 3 digit ISO codes.

Work in Progress...

DevOps Tooling

DevOps Tooling Notes

DevOps Tooling is broken down into the following areas, note the tools often overlap in function.  The list is not exhaustive but these are the more common tools I have come across.

1. Version Control: TFS, Git, SVN, ...
2. Bug Tracking: ServiceNow, Jira, ZenDesk
3. Continuous Testing: Selenium, Jasmin or Mocha or Unit.js (JavaScript testing), NUnit, Web Tests (Visual Studio), SpecFlow
4. Continuous Integration (CI): TeamCity, Jenkins, Azure DevOps (bigger) 
5. Configuration Management and Deployment:  Puppet, Chef, ANSIBLE, SALT  (all installed on Linux, obviously work on Windows environments)
6. Containers: Docker, Kubernetes, Microsoft Containers. I think the Azure AKS is pretty much containers for Azure now.
7. Other:  PowerShell, VMWare, HyperV

RESTful API Tooling

1. Swagger - awesome.  Swagger is a set of tools that help document, build and test your API  (Your API conforms to the OpenAPI specification or Swagger specification).  Great way to get a contract for users of the API early on.  Updated 2019/11/25:  Link to Swagger post
2. Swagger UI, Swagger Integrator,...
3. Apiary - UI to create an API and publish with mocks.  I prefer Swagger or on simple projects APIM.
4. API Management (APIM) - flexible Azure service for bring together multiple API securely.  Same as MuleSoft.  Can import OpenAPI's v2 or v3 to create a hosted API.  Can mock and built in test tool.
5. RAML is an alternative to Swagger and Apiary (never used)
6. Blueprint - API documentation tool.  Pretty simple and nice results.
7. Postman - send http requests to the API.  Postman is a REST client useful to check your API.  This is my main tool for testing, exploring REST based API's.  
8. SoapUI - if working with SOAP/XML.
9. Slate - API documentation - I always use OAS/OpenAPI/Swagger.
10. Fiddler - I'm old school and still love Fiddler and it's capabilities.  Fiddler is a great HTTP debugger.  
11. BURP - an HTTP debugger to review traffic.  I've used BURP for security testing and it is great for API debugging.  
12. Charles is another HTTP debugger (never used).
13. cURL - Cmd line to test API's using HTTP, separate exe to run on Windows, Windows 10 has cURL built in.
14. Visual Studio
15. Wireshark - Over the years I have needed packet sniffing to fix issues and always go to Wireshark, I used the tool in the 90's but it had a different name.  Extremely useful for issues relating to firewalls, especially when an environment reacts differently to another working DTAP environment.
16. Tcpdump is another packet sniffer

Testing:
http://www.incyclesoftware.com/2014/02/executing-selenium-ui-tests-release-management/

More Info:
http://blog.sharepointsite.co.uk/2014/02/devops-and-sharepoint.html
http://www.networkworld.com/article/2172097/virtualization/puppet-vs--chef-vs--ansible-vs--salt.html
http://blog.sharepointsite.co.uk/2013/11/iac-presentation-for-sharepoint.html

Anonymous REST JS call error using SP2013

Problem: I am making an anonymous JavaScript REST call to a image library.  I get the error "Request failed.  The method GetItems of the type List with id ... is blocked by the administrator on the server.nundefined".

 

Resolution:  Change the ClientCallbackSettings on the web application as shown below.

 

 



$wa = Get-SPWebApplication http://www.demo.dev
$wa.ClientCallableSettings .AnonymousRestrictedTypes.Remove([microsoft.sharepoint.splist],"GetItems")
$wa.Update()

More Info:
http://www.sharepoint-zone.com/search/label/ClientCallableSettings.AnonymousRestrictedTypes
 

Retrieving lookup list columns using REST SharePoint 2013 API

Problem:  I have 2 related SharePoint lists: 1) Question and a Child (linked) list 2)Comment.  I need to perform an JS call using jQuery to retrieve a specific comment item and I need to also know the Title field from it's related parent list (Question).  The 2 lists are shown below.  The post Creating related lists for SP Hosted Apps using VS2012 show you how to do this.

Resolution:
Open you browser  and check the query works:
http://dev-d8f436fea03755.apps.dev.local/SPHostedApp/_api/web/lists/getByTitle('Comment')/items(1)?$select=*,Question/Title&$expand=Question/Title
(replace the url)

jQuery Ajax code I used to call the REST API is shown below:

The ajax call is made in the document.Ready() method call.