Shulou (Shulou.com), SLTechnology News&Howtos > Development, 2025-01-31 update (06/01 report)
This article introduces how to design a powerful API interface. Many people run into these problems in real projects, so the following sections walk through how to handle each of them.
1. Security issues
Security is a requirement every interface must meet. An interface that does not guarantee security is effectively exposed directly to the public network.
1.1 Prerequisite for calling an interface: the token
Obtaining a token usually involves several parameters: appid, appkey, timestamp, nonce and sign. The calling system uses these parameters to obtain its credential.
The appid and appkey can be applied for online through the platform or issued offline. The appid is globally unique and corresponds to one customer; the appkey must be kept strictly confidential.
The timestamp is the current Unix timestamp of the calling system. Its purpose is to mitigate DoS attacks in which an intercepted request is replayed against the interface over and over. The server sets a timestamp threshold; if the difference between the request timestamp and the server time exceeds the threshold, the request is rejected.
The nonce is a random value. It mainly increases the variability of sign, but it also protects the idempotency of the interface: two adjacent requests may not carry the same nonce. A repeated nonce is treated as a duplicate submission and the request is rejected.
The sign is the parameter signature: appkey, timestamp and nonce are concatenated and hashed with MD5 (any other one-way hash function works as well).
The token is obtained with the parameters appid, timestamp, nonce and sign and serves as the sole credential for calls to the system. A token can be valid for a single use (more secure) or for a period of time; the latter is recommended, because single-use tokens may drive a very high request rate on the token interface. Put the token in the request header so that it is completely separated from the business parameters.
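The token exchange described above, as an added example that is not code from the original article. It assumes a credential registry of appid to appkey (constructed values), a 300-second timestamp window and a one-hour token lifetime; the sign is computed with HMAC-SHA256 keyed by the appkey, a substitution for the article's MD5 of the concatenated parameters that serves the same purpose. Nonces and tokens are kept in dicts where a production server would use Redis keys with TTLs. Note the order of checks: the signature is verified before the nonce is recorded, so only authenticated callers can populate the nonce store, and a nonce is remembered for exactly as long as its timestamp could still pass the window check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential registry: appid -> appkey (hypothetical values, not real keys).
APP_KEYS = {"app-1001": "example-appkey-not-a-real-secret"}

TIMESTAMP_WINDOW = 300   # seconds of clock skew the server tolerates
TOKEN_TTL = 3600         # seconds a token stays valid (the "valid for a period" option)


def compute_sign(appkey: str, timestamp: int, nonce: str) -> str:
    """Signature over timestamp and nonce, keyed with the appkey.

    The article hashes appkey+timestamp+nonce with MD5; this version uses
    HMAC-SHA256 with the appkey as the key, which plays the same role.
    """
    msg = f"{timestamp}|{nonce}".encode()
    return hmac.new(appkey.encode(), msg, hashlib.sha256).hexdigest()


class TokenServer:
    """Server side of the token exchange (dicts stand in for Redis keys with TTLs)."""

    def __init__(self, app_keys, now=time.time):
        self.app_keys = app_keys
        self.now = now                 # injectable clock, so tests can control time
        self.seen_nonces = {}          # nonce -> expiry time
        self.tokens = {}               # token -> (appid, expiry time)

    def _expire_nonces(self):
        cur = self.now()
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > cur}

    def issue_token(self, appid, timestamp, nonce, sign):
        """Return (token, "ok") on success, or (None, reason) on rejection."""
        appkey = self.app_keys.get(appid)
        if appkey is None:
            return None, "unknown appid"
        cur = self.now()
        if abs(cur - timestamp) > TIMESTAMP_WINDOW:
            return None, "timestamp outside window"
        expected = compute_sign(appkey, timestamp, nonce)
        if not hmac.compare_digest(expected, sign):
            return None, "bad sign"
        self._expire_nonces()
        if nonce in self.seen_nonces:
            return None, "duplicate nonce"
        # Keep the nonce until the request's own timestamp can no longer pass the window check.
        self.seen_nonces[nonce] = timestamp + TIMESTAMP_WINDOW + 1
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (appid, cur + TOKEN_TTL)
        return token, "ok"

    def authenticate(self, token):
        """Map a token from the request header back to its appid; None if unknown or expired."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        appid, exp = entry
        if self.now() >= exp:
            del self.tokens[token]
            return None
        return appid


if __name__ == "__main__":
    server = TokenServer(APP_KEYS)
    ts, nonce = int(time.time()), secrets.token_hex(8)
    sign = compute_sign(APP_KEYS["app-1001"], ts, nonce)
    token, status = server.issue_token("app-1001", ts, nonce, sign)
    print(status, server.authenticate(token))
    print(server.issue_token("app-1001", ts, nonce, sign))   # replay -> duplicate nonce
```

The client computes sign with its own appkey and sends appid, timestamp, nonce and sign; the server recomputes sign from the appkey it holds, so the appkey itself never travels over the wire.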
1.2 Use POST as the interface request method
The two most common ways to call an interface are GET and POST, and the difference is obvious: a GET request exposes its parameters in the browser URL and is limited in length. For better security, request all interfaces with POST.
1.3 Client IP whitelist
An IP whitelist opens access to the API only to specific IPs, which blocks access attacks from other IPs. The inconvenience is that when your client is migrated, you must contact the service provider again to add the new IP to the whitelist. There are many ways to set up an IP whitelist: besides a traditional firewall, Sentinel, a component of Spring Cloud Alibaba, also supports whitelist settings. To keep the API simple, it is recommended to implement the whitelist with firewall rules.
1.4 Per-IP rate limiting on a single interface
Rate limiting keeps the system stable. Use Redis to count API calls: the key is ip + API address, the value is the number of calls, each request increments the value by 1, and an expiration time on the key limits the call frequency.
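The Redis counter pattern just described, as an added example that is not code from the original article. It is a fixed-window limiter keyed by ip + path; the dict stands in for Redis, and the comments name the Redis command each step corresponds to. The limit of 3 calls per 60 seconds is a constructed value.

```python
import time


class FixedWindowLimiter:
    """Count calls per (ip, path) in a fixed window; mirrors INCR + EXPIRE on a Redis key."""

    def __init__(self, limit, window_seconds, now=time.time):
        self.limit = limit
        self.window = window_seconds
        self.now = now                 # injectable clock
        self.counters = {}             # key -> [count, expires_at]

    @staticmethod
    def key_for(ip, path):
        # ip + API address as the key, exactly as the article suggests
        return f"ratelimit:{ip}:{path}"

    def allow(self, ip, path):
        """True if this request is within the limit, False if it should be rejected."""
        key = self.key_for(ip, path)
        cur = self.now()
        entry = self.counters.get(key)
        if entry is None or entry[1] <= cur:
            # First call of a new window: SET key 1 EX window
            # (in Redis, do INCR and EXPIRE atomically, e.g. in a MULTI/EXEC block or Lua
            # script, or the key may live forever if the process dies between the two).
            self.counters[key] = [1, cur + self.window]
            return True
        entry[0] += 1                  # INCR key
        return entry[0] <= self.limit

    def remaining(self, ip, path):
        """Calls still allowed in the current window (useful for an X-RateLimit-Remaining header)."""
        entry = self.counters.get(self.key_for(ip, path))
        if entry is None or entry[1] <= self.now():
            return self.limit
        return max(0, self.limit - entry[0])


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=3, window_seconds=60)
    for i in range(5):
        print(i + 1, limiter.allow("203.0.113.10", "/v1/list"), limiter.remaining("203.0.113.10", "/v1/list"))
```

A fixed window lets a client make up to twice the limit across a window boundary (the tail of one window plus the head of the next); if that burst matters, a sliding window or token bucket is the usual refinement, at the cost of a slightly more complex Redis structure.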
1.5 Log every interface request
Use AOP to log requests globally, so that an abnormal request can be located quickly and the cause of the problem investigated.
1.6 Desensitization of sensitive data
Calls to the interface may involve sensitive data such as order numbers. Such data usually needs to be desensitized, and the most common way is encryption; here RSA asymmetric encryption is used for its high security. An asymmetric algorithm has two keys that are completely different yet matched: only the matching pair of public and private keys can complete the encryption and decryption of the plaintext.
2. Idempotency issues
Idempotency means that executing a request any number of times has the same effect as executing it once. Put simply, a query does not affect the data no matter how often it runs, so a query is inherently idempotent, whereas a create operation changes the database every time it runs, so it is non-idempotent.
There are many approaches to the idempotency problem; here is a rigorous one. Provide an interface that generates globally unique random numbers, and have the caller include one with each request. On the first call, after the business processing succeeds, the random number is stored in Redis as the key with the operation result as the value, and an expiration time is set. On a second call with the same number, Redis is queried; if the key exists, the request is a duplicate submission and an error is returned directly.
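The idempotency scheme above, as an added example that is not code from the original article. The dict-backed store stands in for Redis; the request id plays the role of the globally unique random number, and the 120-second TTL and the order-creation operation are constructed. It goes one step beyond the text: the key is reserved with a placeholder before the business operation runs (SET NX in Redis terms), which also handles two identical requests arriving at the same moment, and a failed operation releases the key so that a retry can go through. The duplicate response carries the stored result next to the error so the client can reconcile.

```python
import time


class IdempotencyStore:
    """Key -> result cache with TTL; stands in for a Redis key set with EX and NX."""

    PENDING = "__pending__"        # placeholder held while the first call is still running

    def __init__(self, ttl_seconds, now=time.time):
        self.ttl = ttl_seconds
        self.now = now             # injectable clock
        self.entries = {}          # key -> [value, expires_at]

    def _live(self, key):
        entry = self.entries.get(key)
        if entry is not None and entry[1] <= self.now():
            del self.entries[key]  # Redis would have expired it
            return None
        return entry

    def reserve(self, key):
        """SET key PENDING NX EX ttl: True if this caller now owns the key."""
        if self._live(key) is not None:
            return False
        self.entries[key] = [self.PENDING, self.now() + self.ttl]
        return True

    def get(self, key):
        entry = self._live(key)
        return None if entry is None else entry[0]

    def put(self, key, result):
        self.entries[key] = [result, self.now() + self.ttl]

    def release(self, key):
        self.entries.pop(key, None)


def process_once(store, request_id, operation):
    """Run operation() at most once per request_id within the store's TTL."""
    if not store.reserve(request_id):
        previous = store.get(request_id)   # PENDING if the first call is still in flight
        return {"code": 409, "message": "duplicate submission", "data": previous}
    try:
        result = operation()
    except Exception:
        store.release(request_id)          # let a retry run the operation again
        raise
    store.put(request_id, result)
    return {"code": 200, "message": "processed successfully", "data": result}


if __name__ == "__main__":
    store = IdempotencyStore(ttl_seconds=120)

    def create_order():
        return {"order_id": "ORD-0001"}    # constructed business result

    print(process_once(store, "req-abc", create_order))
    print(process_once(store, "req-abc", create_order))   # second call: 409
```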
3. Data specification issues
3.1 Version control
Once a mature set of API documentation is released, the interfaces may not be modified at will. To add or change an interface, introduce version control. The version number can be an integer or a floating-point number, and it is usually embedded in the interface address, e.g. http://ip:port/v1/list.
3.2 Response status code specification
A powerful API also needs simple and clear response values, so that the nature of a problem can be judged from the status code. We encapsulate the data with HTTP status codes: for example, 200 means the request succeeded, 4xx means a client error and 5xx means an internal server error. The status code design is based on the following classification:
1xx Informational: the server has received the request and asks the requester to continue.
2xx Success.
3xx Redirection: further action is needed to complete the request.
4xx Client error: the request contains a syntax error or cannot be fulfilled.
5xx Server error.
Status code enumeration class:
public enum CodeEnum {
    // add further codes here as needed
    SUCCESS(200, "processed successfully"),
    ERROR_PATH(404, "request address error"),
    // note: 500 is the standard HTTP code for an internal server error; 505 means HTTP Version Not Supported
    ERROR_SERVER(505, "server internal error");

    private int code;
    private String message;

    CodeEnum(int code, String message) {
        this.code = code;
        this.message = message;
    }

    public int getCode() { return code; }
    public void setCode(int code) { this.code = code; }
    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
}

3.3 Unified response data format
To make responses easy for the client to handle, the response data carries three attributes: a status code (code), an information description (message) and the response data (data). From the code and message the client can quickly judge the outcome of the interface call, and it processes the data only when the status code indicates success.
Definition of response result and common methods:
import java.io.Serializable;

public class R implements Serializable {
    private static final long serialVersionUID = 793034041048451317L;

    private int code;
    private String message;
    private Object data = null;

    public int getCode() { return code; }
    public void setCode(int code) { this.code = code; }
    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
    public Object getData() { return data; }

    /** Fill code and message from the response enumeration. */
    public R fillCode(CodeEnum codeEnum) {
        this.setCode(codeEnum.getCode());
        this.setMessage(codeEnum.getMessage());
        return this;
    }

    /** Fill an explicit response code and message. */
    public R fillCode(int code, String message) {
        this.setCode(code);
        this.setMessage(message);
        return this;
    }

    /** Success: fill the SUCCESS code and message and attach the custom business data. */
    public R fillData(Object data) {
        this.setCode(CodeEnum.SUCCESS.getCode());
        this.setMessage(CodeEnum.SUCCESS.getMessage());
        this.data = data;
        return this;
    }
}