Net API Notes for 2019/10/11

Ugh. Still only early fall and I've already been hit by a bug. I'm wading through the unpleasant out-of-body feeling brought about by decongestant, menthol, and Mountain Dew. However, you can't stop the signal. This week there were API World and the API version Write-the-Docs events. To keep these lovely nuggets of insight from getting buried, let's get this edition of the notes out of the way. Conference recapping will be next week.

NOTES

GRAPHQL, JSON:API AND NETWORK HACKS

Phil Sturgeon has a new piece out entitled "Let's Stop Building Around a Network Hack. Phil's gift is boiling long, nuanced history on complex technical concepts and into straightforward insights. That ability is on display here, in full force.

Phil starts by discussing JSON:API and how the problem that it initially set out to solve isn't relevant anymore. He then transitions into other areas, pointing out how useful shims in one era become a blocker in another.

AUTONUMERATION AS API SECURITY VULNERABILITY

API vulnerabilities come in many forms. A recent discussion on SecurityWeek.com discussed how both webex and zoom APIs use auto-incrementing meeting id numbers.

Perhaps it doesn't seem quite the eye-popping freak-out that Heartbleed or WannaCry were. However, a malicious actor, aware of the API endpoints and the ability to loop, can begin accessing unprotected meeting rooms. Both companies have switched to have password-protected meetings as their default behavior.

What is interesting, for me, is that the vendors continue to argue this lackadaisical approach to public identifiers is 'by design'. It's been a while since my "third normal form", relational database days. But even as a full-stack software developer, I knew a predictable ID sequence is a bad idea.

IS REST STILL A GOOD DESIGN PATTERN TO USE?

Yes, the title of the recent Nordic API piece, "Is REST still a good API design style to use is chasing the clicks. Yes, the inflammatory tone at the onset doesn't match the thoughtful tenor of the larger piece. There is even an RPC heal turn in an example at the end! ZOMG!

So why do I even bring it up?

Because I've seen too many developers, architects, and digital product managers on a fool's quest for "the one right solution". Whether it is messaging, microservices, or the trade-offs with GraphQL and gRPC, it is crucial for crafts-folk to have a toolbox at their disposal, not just a hammer they wield indiscriminately.

This piece does a good job of articulating the pros and cons of several of the patterns and protocols out there.

MILESTONES

• Lorna Jane has an ongoing OpenAPI conversation about supporting webhooks as a first-class concept. If you've got thoughts, head on over to the OpenAPI github repo.
• Supermodel.io now returns application/schema+json by default, thus making it compatible with both OpenAPI or AsyncAPI.

WRAPPING UP

We're slowly entering the last run of API events for 2019. Check out NetAPI.events for those items. I should have local meetups added for the next month (or two) sometime over this weekend. If you know of a meetup, hackathon, or conference that should be added, let me know.

Also, a big thank you goes out to my Patreons. This week you not only covered the caffeine, but each box of tissues I'm consuming was lovingly named after you.

Happy health and till next time,

Matthew @libel_vox and matthewreinbold.com