Rest API Maintenance

Maintaining your Express Rest API:

Swagger and Rate Limits

by Peter Ajtai

Peter Ajtai

Solid Digital

Solutions Architect

www.soliddigital.com

peter.ajtai@gmail.com

@PeterAjtai

SLIDE

Hi, I'm Peter Ajtai, and I'm the Solutions Architect at Solid Digital.

Solid is a digital agency. We do everything from marketing landing pages, to hooking up DRM for VOD platforms.

We always try to partner with our clients, so we can help them figure out how to increase their digital value... How to get more out of their digital assets.

In terms of tech stacks we do mostly NGINX with Node or PHP, prefer Vue on the front end, and MySQL, Mongo, and / or Elastic for DBs. For provisioning we use Ansible, and for builds and deploys we use Gitlab CI.

SLIDE

Our website is www.soliddigital.com.

SLIDE

I use gmail for my email and you can also find me on Twitter.

SLIDE

I'll be putting these slides up online, so look in my Twitter feed for that url.

Maintaining your API

Try it out with:
- Swagger

Protect it with:
- Rate Limits

I'll be discussing two things related to maintaining a Node Express API. There are a lot of resources on the web about how to setup a REST API with Express. This is about going a little beyond that.

That being said, you'll still be able to understand this talk, even if you've never made and express API. I just wanted to set some overall context.

SLIDE

If you have an API, it's nice to be able to give customers and your tech team current docs and a way to test out the API.

Often people setup docs at the beginning of a project and then they go stale.

Or you have to create your own Postman or CURL resources to test it.

SLIDE

We'll be using Swagger to handle these. Swagger is built on OAS (Open API Specification).

SLIDE

Now, once your API gets popular, you'll want to be able to control how people use it.

A common way of doing this is with rate limits. Rate limits allow you to throttle the use of your api based on things like api key and ip address.

SLIDE

I'll be showing you a rate limit using API keys, and I'll show you how to add API keys into Swagger.

Swagger

A way to document and manually test your api

Based on Open API
Integrations with many languages (including node)
Document with JSDoc
Try API with web GUI
Full example

Using Swagger

Need one yaml file to describe the api

Can use JSDOC to build the yaml

Document each controller / model and assemble into the yaml

Swagger Setup

      
'use strict';

const swaggerJSDoc = require('swagger-jsdoc');
const swaggerUi = require('swagger-ui-express');

module.exports = server => {


    const options = {
        swaggerDefinition: {
            openapi: "3.0.0",
            info: {
                title: 'Todo API', // Title (required)
                version: '0.0.0', // Version (required)
            },
            servers:  [
              {
                url: 'https://my.example.com/api/v1',
                description: 'Live Server'
              },
              {
                url: '/api/v1',
                description: 'Local Server'
              }
            ],
            tags: [
              {
                name: "Tasks",
                description: "Things to do."
              }
            ]
        },
        apis: ['./models/**/*.model.js', './api/**/*.controller.js'],
    };

// Initialize swagger-jsdoc -> returns validated swagger spec in json format
    const swaggerSpec = swaggerJSDoc(options);

    server.get('/api/api-docs.json', function(req, res) {
        res.setHeader('Content-Type', 'application/json');
        res.send(swaggerSpec);
    });

    server.use('/api/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec));

};

swagger-jsdoc creates our JSON description of the API.

swagger-ui-express creates the GUI to test the API.

Make sure to specify Version 3. There are subtle differences between 2 and 3.

Options object to initiate Swagger JSDoc

Servers objects allow one or more base urls.

Tags allow you to group api calls e.g. by nouns

We'll parse our controllers and models for JSDOC comments.

We'll create a JSON object using swagger-jsdoc.

We'll use this JSON object to create the Swagger UI: http://localhost:3333/api/api-docs/

We'll serve the JSON object, so we can look at it: http://localhost:3333/api/api-docs.json

Controllers

      
'use strict';

const express = require('express');

module.exports = (app) => {

  app.services.logger.debug('Tasks Controller Loaded');

  const router = express.Router();

  /**
   *  @swagger
   *  /tasks:
   *    get:
   *      tags:
   *        - Tasks
   *      description: Get collection of all tasks
   *      produces:
   *      responses:
   *        200:
   *          content:
   *            application/json:
   *              description: tasks
   *              schema:
   *                type: array
   *                items:
   *                  $ref: '#/components/schemas/Task'
   */
  router.get('/', (req, res) => {

    app.models.tasks
      .find()
      .then(docs => res.json(docs))
      .catch(sendError(res));
  });

  /**
   *  @swagger
   *  /tasks:
   *    post:
   *      tags:
   *        - Tasks
   *      description: Add a task
   *      requestBody:
   *        required: true
   *        content:
   *          application/json:
   *            schema:
   *              $ref: '#/components/schemas/Task'
   *      responses:
   *        201:
   *          content:
   *            application/json:
   *              description: tasks
   *              schema:
   *                $ref: '#/components/schemas/Task'
   */
  router.post('/', (req, res) => {

    const incoming = req.body;

    const task = app.models.tasks(incoming);

    task
      .save(incoming)
      .then(doc => res.status(201).json(doc))
      .catch(sendError(res));
  });

  /**
   *  @swagger
   *  /tasks/{id}:
   *    delete:
   *      tags:
   *        - Tasks
   *      description: Delete a task by id
   *      parameters:
   *        - in: path
   *          name: id
   *          description: id of task to be deleted
   *          schema:
   *            type: string
   *      responses:
   *        200:
   *          content:
   *            application/json:
   *              description: tasks
   *              schema:
   *                $ref: '#/components/schemas/Task'
   */
  router.delete('/:id', (req, res) => {
    console.log('about to delete', req.params.id);
    app.models.tasks.findByIdAndRemove(req.params.id)
      .then(doc => {
        console.log('deleted', doc);
        res.json(doc)
      })
      .catch(sendError(res));
  });

  return router;
};

function sendError(res) {
  return error => {
    res.status(500);
    res.send(error);
  }
}

Docs for Swagger are here. Can use JSON or YAML.

Mark swagger annotations with @swagger

Path is added to url from the servers objects.

Nest everything under the verb.

Request body

Parameter in path

Parameters docs(query, path, header, body, or form):
https://swagger.io/docs/specification/describing-parameters/

$refs are reusable pointers. Here they point to model definitions. Let's look at those.

Models

      
'use strict';

const mongoose = require('mongoose');

module.exports = (app) => {

    app.services.logger.debug('Tasks Model Loaded');

    /**
     *  @swagger
     *  components:
     *    schemas:
     *      Task:
     *        type: object
     *        properties:
     *          title:
     *            type: string
     *          done:
     *            type: boolean
     */
    const tasksSchema = mongoose.Schema({
        title: String,
        done: {
            type: Boolean,
            default: false
        }
    });

    return app.connection.model('Tasks', tasksSchema);
};

Creating $refs

$ref: '#/components/schemas/Task'

There is some repetition here.

API Keys

      
'use strict';

const swaggerJSDoc = require('swagger-jsdoc');
const swaggerUi = require('swagger-ui-express');

module.exports = server => {


    const options = {
        swaggerDefinition: {
            openapi: "3.0.0",
            info: {
                title: 'Todo API', // Title (required)
                version: '0.0.0', // Version (required)
            },
            servers:  [
              {
                url: '/api/v1',
                description: 'Local Server'
              },
              {
                url: 'https://www.example.com/api/v1',
                description: 'Production Server'
              }
            ],
            security: [
              {
                api_key: []
              }
            ],
            tags: [
              {
                name: "Tasks",
                description: "Things to do."
              }
            ]
        },
        apis: ['./boot/autoload.js', './models/**/*.model.js', './api/**/*.controller.js'], // Path to the API docs
    };

// Initialize swagger-jsdoc -> returns validated swagger spec in json format
    const swaggerSpec = swaggerJSDoc(options);

    server.get('/api/api-docs.json', function(req, res) {
        res.setHeader('Content-Type', 'application/json');
        res.send(swaggerSpec);
    });

    server.use('/api/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec));

};

autoload.js will have global configs

Use security schema api_key on all paths

API Keys

        
'use strict';

const consign = require('consign');
const flatten = require('flat');
const logger = require('../services/logger')();

module.exports = (server, connection) => {

    const app = {
        connection
    };

    consign()
        .include('services')
        .include('models')
        .include('api')
        .into(app);

  /**
   *  @swagger
   *  components:
   *    securitySchemes:
   *      api_key:
   *        type: apiKey
   *        in: header
   *        name: X-API-KEY
   */
    // Add controllers to the server
    const flattened = flatten(app.api);
    Object.entries(flattened).forEach(([route, router]) => {
        route = '/api/' + route.replace(/\.controller$/, '').replace(/\./g, '/');
        logger.debug(`mounting router at: ${route}`);
        server.use(route, router);
    });

  // Remove .model from the keys.
    // Needs to be updated if models are put into sub directories
    Object.entries(app.models).forEach(([modelKey, model]) => {
        app.models[modelKey.replace(/.model$/,'')] = model;
    });

    return app;
};

Name the security scheme api_key

It's an API Key

In the header

The header is X-API-KEY

What it looks like

http://localhost:3333/api/api-docs/

Protect your API

Make API keys mandatory

Limit requests by API key

Let's find an npm

33K weekly downloads

... but there's a problem

Test it out

          
const limiter = rateLimit({
  windowMs: 15 * 1000, // 15 seconds
  max: 5 // limit each IP to 5 requests per windowMs
});

Limit is 5 requests per 15 seconds

Can I do 10 requests in 10 seconds?

Let's try: http://localhost:4321/

Visualize the Problem

Example - 4 requests a day

How you imagine it

What many npms allow
Limit is completely reset at end of window
Windows are independent of requests
Essentially 2X planned requests in 1 second
- Imagine this with a 500 request limit

Visualize the Problem

          
// export an API to allow hits all IPs to be reset
this.resetAll = function() {
  hits = {};
  resetTime = calculateNextResetTime(windowMs);
};

// simply reset ALL hits every windowMs
const interval = setInterval(this.resetAll, windowMs);
//

All hits are cleared every windowMs