1) Yes, you should only use info supplied by the API. This should mean that the API is helping to ensure the client never sends the user down a UX dead-end, and also that the client does not break when the API changes.
But...
2) I don't like the thought of collections having a resource identifier for a page. As items are deleted from the collection, those identifiers now represent modified resources and break caching (delete item 3 of a 5-item-per-page collection, and every logical page in the collection has implicitly been modified).
I much prefer using query string for this, as it is a query on a collection.
But... the API should still be the thing that generates/builds these URLs, the client should never do this work. The client must use the provided first|prev|self|next|last URLs, otherwise the client may break in the future.
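An example of how I prefer pagination (the JSON shape here is just for illustration, not prescriptive):

    GET /api/things?limit=25&offset=50

    {
      "items": [{},{}],
      "links": {
        "first": "/api/things?limit=25&offset=0",
        "prev":  "/api/things?limit=25&offset=25",
        "self":  "/api/things?limit=25&offset=50",
        "next":  "/api/things?limit=25&offset=75",
        "last":  "/api/things?limit=25&offset=975"
      }
    }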
Where 'limit' and 'offset' are provided by the query string (but default to 25 and 0 respectively), and the API takes care of generating valid links (like not including 'prev' if you are on the first page).
This way the client does what it should: just use the links provided.
And whilst I'm here... one of the things I dislike about link relations is how they presently fail to mention the method you should use (let alone the content-types acceptable by that end-point).
In the example above every link is a GET; in the example on this page http://restcookbook.com/Basics/hateoas/ they're probably POST. In the link relation assignments http://www.iana.org/assignments/link-relations/link-relation... 'edit' is probably a PUT. There's an 'edit', but not a 'delete', so it's not as if just sending more than one 'rel' might describe the method.
Today the audience of an API is a developer, so it's fine to just point them at the documentation. But tomorrow it may well be a computer.
Aren't you worried that there is too much "protocol" information in your returned object? I'm struggling with this now. I've come to think the API should return exactly what was requested. So instead of a very specific structured object...
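...so, for the sake of argument, something like this (the envelope and field names are purely illustrative):

    {
      "total": 1234,
      "limit": 25,
      "offset": 0,
      "links": {
        "self": "/api/things?limit=25&offset=0",
        "next": "/api/things?limit=25&offset=25"
      },
      "items": [{},{}]
    }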
It generically returns what was asked for. The items array...
[{},{}]
I have seen the "total records" value returned in the header with a "206 Partial Content" response, but that still leaves the very important "links" information. Right now I am putting a "link-href" value on each object returned, but I don't know where to put the collection's link information.
Where does the meta information about the resource belong? In the object/resource returned, OR as meta information in the header (with other HTTP information)? Is this a needless hindrance?
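For what it's worth, the header-only version looks roughly like this (the 'items' range unit is non-standard, and the Link header is RFC 5988):

    HTTP/1.1 206 Partial Content
    Content-Range: items 0-24/1234
    Link: </api/things?limit=25&offset=25>; rel="next"

    [{},{}]

...which keeps the body clean but scatters the meta information across two places.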
There's a purity vs pragmatism argument, and I have tried the purity approach several times without success. This time I'm just going for pragmatism... giving developers an easy-to-use interface that is predictable and consistent.
I just didn't find it constructive to continue pursuing purity when the developers trying to implement the APIs just wanted to get the job done as simply as possible, with all the info at hand, and for them to return to what they were trying to do (usually solve some problem for a user).
So what if you want to have a list of pages to jump to - send back 80 links?
What is a client supposed to do when a new "nextToLast" appears? I've yet to hear of any API consumer that is driven like a browser.
What's the actual point, other than some purity to some abstract concept? Just make it part of the API to take /api/things?page=x and do the right thing.
What's "tomorrow it may well be a computer" supposed to mean? We'll have AI? Or there will be some sort of new WSDL "... for REST" invented?
> What's the actual point, other than some purity to some abstract concept?
The actual point is decoupling. It's generally accepted in software architecture that decoupled designs are a little harder to build up front, but survive change over time.
As a 'real life' example, because Twitter exposed internal details (a tweet ID), clients sorted based on that number, because they assumed it'd be monotonically increasing. Once sequential IDs became a problem with Twitter at scale, they had an issue: if they switched to GUIDs, clients would break, because they were sorting based on the ID value. They had to invent an entirely new algorithm (Snowflake) to adapt to this change. This wouldn't have happened if they hadn't leaked internal details. It's basic encapsulation.
I'm not sure how the Twitter example is remotely related to what I'm asking. You're saying that if Twitter returned long URLs as opaque tokens to get, then it'd have been ok. Sure, but it'd have been fine if they had made the tweet id an opaque token either way. Surely returning named URL pairs isn't "basic encapsulation", and "GET /Tweet/<token>" has no reason to break.
I can see how returning hypermedia adds yet another layer of abstraction (and potentially plenty more round trips!). I'm just unsure how it helps. I don't understand how actual client code (besides a browser) can deal with arbitrary hypermedia. I'm cautious when I don't understand why people are hyped up about something, but I've yet to see any "real life" examples that demonstrate real benefits of this approach.
I can't point to them because they're internal, but there are some good ones I've used. Pagination was one useful part, where we saw the API change but didn't have to change the client. A second was being able to explore parent relationships, so we could start somewhere in the tree and move up until we hit the level we were interested in.
There are always agreements between the API designers and client designers, because the code isn't intelligent, so it doesn't know what 'parent' means. If the name of that changes, then the client would have to change. What can be different is the URL structure used to get the 'parent'. Maybe there's a new token that has to be there, or the naming of something has been changed, or whatever. Those changes can be made without breaking the clients. Putting this in the responses means two things:
1) Small changes don't break everything (pagination is a great example: it's /pages/1 one day, then ?page=1, then ?offset=25, then ?pageSize is optional, then it's required, etc.).
2) Fewer assumptions baked into the client. Getting the tweets for a user you've loaded would be nicer as load(user.tweets) than load("/tweets/" + user.id) - see the sketch below.
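For instance, if the user representation carried the link itself (shape entirely hypothetical):

    {
      "id": 123,
      "name": "alice",
      "tweets": "/api/users/123/tweets"
    }

then load(user.tweets) keeps working however the server restructures its URLs.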
About the pagination example you mentioned: rather than use link relations, pagination might be better done with URI Templates. This is a spec (RFC 6570) [1] that allows passing a URI with placeholders to the client, which can then fill them in without every option being described up front by the server. It's still a new-ish area, but there are library implementations for most major languages now.
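A HAL-style sketch of what that can look like (names illustrative):

    {
      "_links": {
        "page": { "href": "/api/things{?page,limit}", "templated": true }
      }
    }

The client expands the template per RFC 6570 (e.g. to /api/things?page=5&limit=25) without the server enumerating every page link.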
Explicit link relations aren't the only way to do hypermedia and the best practices are still moving/being discovered.
I do something similar, with the only exception being that I've never bothered calculating the number of pages (or links to other pages) on the server side, preferring to just let the client figure it out.
Mainly, I've found that for dynamic data sets the links can change between the first page and the 87th, as can the number of pages, which makes precomputed page links impractical.
Give them the number of records per page, the offset, the number of records, and let the clients determine the rest (ideally you'd have documentation showing how to paginate, whether it be ?page=1 or ?offset=20, or whatever).
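In other words, return just the raw numbers (field names here are mine):

    {
      "limit": 25,
      "offset": 50,
      "total": 1234,
      "items": [{},{}]
    }

and the client can derive the rest, e.g. totalPages = ceil(total / limit).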
edit and edit-media are covered by AtomPub, but rel is not an attribute with a fixed range of values. Which means that the information a developer needs isn't there with the link; instead, for each link relation, one has to go off and find the original citation, hopefully in a spec, which defines the method to use for that particular relation. Then the developer has to hope that the API implementor also knew about that spec and did the right thing.
My criticism is that link relations fail to describe the valid verbs for a link, and there is no appropriate place to put that information. We're being told about a link, but not how to interact with it.
We're given half of the story: this link relates to this item in this way (rel attribute), and you can expect it to hold this content type (type attribute) and it's over here (href attribute).
But the missing part of that story is "and to make a call to this particular end point you need to use one of these methods: HEAD, or GET".
We could use OPTIONS of course; that's the point of it. But pragmatism kicks in: when I've gone down a purity route in the past and had people do things like this, developers start to kick back. They end up with a very chatty API and lots more code than they need to perform a simple action. The audience of an API remains the developer, and keeping to a purity line just causes most developers pain (not all devs; some prefer purity).
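To illustrate the chattiness: before each action the client has to ask (end point hypothetical, Allow header standard HTTP):

    OPTIONS /account/12345/deposit HTTP/1.1
    Host: api.example.com

    HTTP/1.1 200 OK
    Allow: GET, POST, HEAD, OPTIONS

One extra round trip per resource, just to learn which verbs are valid.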
Going back to the example in the linked cookbook, they had a bank and a deposit resource. You can reasonably expect that the API permits a new deposit, permits fetching information about an existing deposit, but in the case of a bank account won't allow you to edit or delete a deposit once it's been made... you need to make a new deposit to fix that.
So reasonably links should have been returned that pretty much said:
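Something like this (illustrative only; 'methods' is the made-up attribute I come back to below):

    {
      "links": [
        { "rel": "self",    "href": "/account/12345",         "methods": ["GET"] },
        { "rel": "deposit", "href": "/account/12345/deposit", "methods": ["GET", "POST"] }
      ]
    }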
DELETE wasn't allowed for either, and PUT and POST depended on the end point.
I shouldn't do that though, as 'methods' is a gibberish attribute I just made up and no client will know what to do with that.
I should use OPTIONS, but then if you follow that through why include a 'type' attribute as you could've got that info from OPTIONS? (The entity-body of the OPTIONS response could give you the type information and even describe the schema of the resource).
I guess where I'm at is that once you start printing links according to what the user (not client) of the API can or cannot do, you're effectively echoing permissions through the use of links. And that permissions go beyond which resources can be touched, and into what actions you can perform on those resources. Meaning that to express this properly, we start needing to be able to communicate which verbs are good for this user, for a given resource. Requiring a second HTTP request for everything to check these permissions seems a bit crazy in practice (very chatty APIs) though great in theory (conformance to every spec there is).
And what we're doing at the moment is opaque, as the information on the interactions the user can perform is held in different places: in the link, in OPTIONS, and additionally in specs. A developer implementing against this isn't given an easy way to just answer the question "What can I do right now?"... we give them half the information they need and leave it to them to figure out the rest.
BTW: Respect for your book, thanks for replying as I'd love to hear your views on the above.
> BTW: Respect for your book, thanks for replying as I'd love to hear your views on the above.
<3. Trying to get more good stuff out there...
> Then the developer has to hope that the API implementor also knew about that spec and did the right thing.
This is why relations that aren't specified in your media type or in the IANA list are supposed to be URIs. If they're not, they're breaking the Web Linking spec.
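e.g. an extension relation expressed as a URI (URI hypothetical):

    { "rel": "http://api.example.com/rels/deposit", "href": "/account/12345/deposit" }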
> But the missing part of that story is "and to make a call to this particular end point you need to use one of these methods: HEAD, or GET".
There is no reason that text cannot be in every link relation. It's just not. When defining your own, absolutely add that in.
> And that permissions go beyond which resources can be touched, and into what actions you can perform on those resources.
This is certainly a good insight.
> Requiring a second HTTP request for everything to check these permissions seems a bit crazy in practice
Technically, there is no difference at all in how they function.
But I only use //example.com/ if an API is truly available on both http and https (very unlikely; nearly all APIs should be https-only if they use some form of access token in the query string for auth), and I only use https://example.com/ if the end point exists on some other domain.
As there is no technical difference I opt to save some bytes in the bandwidth.