Lecture Script

Summary

API Architecture and Design Principles

Long-Lived Enterprise APIs

Security Best Practices

API Scaling and Performance

API Schema and Versioning

API Request Flow and Components

Request Processing Pipeline

HTTP Methods and Response Codes

Error Handling and Resiliency

Technology Stack and Tools Demonstrated

OpenAPI Specification

Tools for API Development and Testing

Practical Demonstration

Assignment Requirements

Notes

Transcript

Right. So I'm thinking we'll do an architecture. Like a domain-driven design or microservices architecture, so that you can create an architecture diagram for it. Applications that you want to develop. So why is this not? So, you know, the tool that you use, I'm going to let you do whatever you like. This is what we want to build. So in this particular case, I said Express and Azure SQL, but it can be C# and Postgres.

It can be Java. With MySQL, it really doesn't matter what you use. Your goal is to... Actually, when you build an API, so many things are abstracted. And that's the beauty of API. Nobody knows what you built the application with. Even for web applications, it's only the technology people who know what tool is used. That's why these days everybody's so happy with this WebCell web coding, because they think, oh, it looks like a real website, even though they know this.

It is. A lot of times it's very terrible. Frankly, it just looks great. And not put together properly, all the visual elements are there, but not the code behind it, or when you want to connect, it's not there. So it's... Sometimes it's very difficult to tell between a good web application and a bad web application. It's only when you want to do something more or when an issue arises, that's when you know whether it was designed properly.

So a lot of times, even when I, as a consultant, when I go to a company, oh, somebody said we can do this in 15 hours. I said, OK, go and do it with them. If anybody's going to build you a web application in 15 hours, there's only so much you can do. It will not be properly built. When I say, what do I mean by properly built? Using best practices, making it secure, you know, following best coding practices, using unit testing and all that, right? So with AI, it has become even more... Now everybody can code.

Today I was in a call with a customer that I consult with. Oh, I use Cloud Code, it built an application for me. Good for you. I mean, a lot of the challenges that you're seeing as people are graduating is also caused by this. Everybody thinks they don't need anybody to hire. They can go and just build a web application. So, like... We, API. What do I mean by long-lived enterprise assets? It's because when you create an API, now, in companies, and particularly as graduate students, I'm hoping that you'll go and work in a larger company.

If I have an API that can be used by more than one application, then that's what they're calling a long-lived enterprise.

Or even within an application, once I build an API, I'm not going to make a whole lot of changes. What do you think can cause change for an API? What are the factors that will affect an API?

Friendly, usability and future growth and all that. I'll see you. When building an API, you need to make sure it's secure. Okay, Shaykh, I'm... But the first time when I'm secure, it is.

But then if there is a threat that you found, like today I was in a very interesting call. Whenever we make an application, right? When you do, and when you as a student, you don't realize this.

Most of the time what do you do? Use a main password, you put it in your code, and some people even take it in GitHub. So what does .gitignore do, for example?

First of all, if you're using locally, definitely put it in .gitignore so that it doesn't go into the source control, right? That's very important.

We can use GitHub Web History Secrets. Yes. You can use GitHub Secrets and then there's another one you can use. Yeah. Key Vault. Key Vault, that's the most secure.

With Key Vault, you can secure the Key Vault that only the admins have access to Key Vault.

And you can bring your own Key Vault or Azure Pro X, its own Key Vault; AWS, all of them have Key Vault.

So Key Vault is perhaps the most secure. But even then they're questioning, okay, why did they get that secret? I said, if you keep on doing this, you cannot make any application, right? All that you can do is you can do the best effort to see, do not leave any credentials in the open, do not give this as a variable, and try to find the most secure authentication, okay? What is the best authentication?

Tokens which can be done through identity. So I don't know what they have in AWS and others. Microsoft has something called managed identity.

So what they do is, instead of you giving a username and a password or a service account and a password, you configure, "Hey, here's my database, here's my API," and the managed identity of the API is allowed to connect to things.

It's not a user ID password, but it's an identity which is managed as a... service, right, which is the API. And when that happens, you don't have to create a password. You will want to be configured.

Whenever this API calls the database, you allow it.

And that's one of the secure, most secure ways because if anybody else tries to go to their SQL, it'll block. Because you said the SQL can only be accessed by a managed identity. The other option is you have a SQL admin password.

It is there for a long time, until your application changes. The things that can change, the security we were talking about. Hey, suddenly your API is responding slowly.

What else can be a contributing factor? What is the API using? What are you using to build it? Database.

Yeah, you have to connect to a database to make a query, right? How would you know what needs scaling? Like do you need the API server to be scaled or do you need the database to be scaled? It's not always.

Most of the time our business logic doesn't take... This is not why we have a... That's the one way to do it. But first even identifying whether or not you need that. You may just, is there no point putting in a Kubernetes when your database is the limitation? No matter how many API servers you have, if the database doesn't return it, having so many nodes will be useless. That's why knowing when.

The data input is there, but you're spending more. So you want to route it to multiple API servers. They can all get the data and spin it rather than waiting for a CPU intensive workload.

So, that time you may make some changes to API.

And there is another possibility, when the schema changes, when the API schema changes. Right? What do we mean by that? So we start with... There are more things attached, there are more details.

More fields. More fields. Or one field became unnecessary, so you want to delete it. That will also create some changes, in which case it's one of the most complex things. You know why? Because there will be half the customers who have a different API expectation and another, you and your building will have a different expectation. How do we handle that?

How I put this leg The only thing you can do is versioning the API. So you can say API v1 and API v2, and then you have to know that hey, when the call is coming from this customer, they are on API v1.

Right. And then your business logic will be different and in a lot of cases you may even have a different database. Or you may have a special column that you did not delete to accommodate that.

So it becomes complicated.

If you have a client and there will be an API gateway, what's the purpose of an API gateway? I used to travel again.

Yeah, routing, throttling, applying policy, using a proxy so that they just call one thing and it knows where to call so you can abstract, make it more secure, and coordinate with multiple APIs. And if you're using Express, then the router will route the things and the middleware that you use for authentication. What's the middleware?

Middleware simply means that things that are more generic, you don't make it part of your business logic. So tell me an example of generic. Like where the calls coming from?

Yeah, the routing, the one that you said and then authentication, authorization, tokens and you know creating some reusable, like monitoring, logging. You don't want to put it in your business logic. You use middleware for that. And then you say, hey, use this middleware.

So whenever a request comes, the middleware kicks in, starts the count, and when you finish, it closes the count. So now you have log data. Or you create a logging system. The middleware will collect logs about your application.

So you will have a controller for orders, right?

You'll have all the methods, right? All this get. Get all the items, get the specific items, I'll need the items, patch the order, delete the order, all that would be using multiple controllers.

Controllers. That does not mean that every table gets a controller. Other tables don't get a controller. The controller is a mechanism for a service, right?

What is the repository here? Very positive. That's the database layer. So you have a database layer, you have a controller, you have a middleware, router, and the client goes through all of this too, to build what you need to build at an EVA. So DNA, you know, this is what you get, a request for an API, right? And then it is routed to the proper. What does the routing here mean? What kind of request can come from... What kind of HTTP requests are we getting for an API?

What exactly would that be like? It does like--What are the type, do you know that? Gets, puts. Yeah, gets, puts. Oh, puts. And the route resolution means which one to send to what.

If it's a get, I want to send it to this service, right?

And then once that thing is, what are you validating? The celebration access, you want it's valid, like it is there, or you have access to. One, two, three. Well, access control things would have been hopefully done before this. But then, when a... let's say I want to put a... I have an order as an HTTP request. What do you think I need to validate? That exists. That's a business logic.

So now you are in a route which says update an order or create an order. What does validation there mean? We are already there. Now you're parsing the HTTP request. So what do you validate? Okay, let's say an order requires five attributes, and one of them is required and the other one is an integer.

So the validation means first of all, is it in the right format?

So what is the payload format? JSON, text, whatever, right?

Is it in the proper format? And if it is in the format, does it have all the required fields?

And are the types, if there's any types, are they the right types? All the validation. Without the validation, I shouldn't be calling the service. So first thing is I do, here's the schema, and if the schema, if there's missing values, it shouldn't allow you to do that. Once you have it, then I say, oh.

So there's an infrastructure-related, authentication-related validation which has taken place, and there is data-related validations.

Format, JSON, does it have a bearer token? Is there a claim that I need to call this business logic? All that can be validated.

And then once you have the business logic, the business logic typically requires to interface with that database.

Like we can use DTO also. Data transfer object, so we have to map the data? Yes, so the data transfer object is, okay, here I'm getting a JSON in this format, and this maps to the output.

Because the SQL is not returning... The SQL is returning some results. Now you have to map it to what is expected. Oh.

That's it, after the execution. And so that you can, if it's a query get, you have to map the single output to the JSON so that I can bind it, I can create a JSON schema from the output of the... Right.

A query with some, in a text format. Now we need to convert that into a JSON schema where we map the SQL field output to a JSON attribute and then convert that, the DTO, and then we send it. To that.

And that's how we build... Yeah, so I mean, this we have already talked about, right? The post. And we get... And to update, right? And you notice that... What's his name again? Yeah. The foot is kind of what they call "fax." So post typically does not have an ID because when you're creating something, it creates the ID and the data.

And the get without any id means get everything. How does, like if I make a query, if I get 10,000 rows, how does GET handle it?

And you are a big shopper. You've been buying things left and right in Amazon and 10,000 orders. How does the aviation... we won't be doing this, but you may. You may, if you want to do it for the final project. How do you answer that? You slice it, so you get it piece by piece.

Yeah, that's, there are things called lazy loading, right?

What you do is, when you do, you first send the, 15 and 20.

And then when you're there, behind the scenes, so background, it can do. But if you keep doing it, it may be wasted if the guides are not navigating. So designing these applications based on the user behavior, what typically a user does, is very important. So you don't in isolation say I'll only send 25.

So you don't always use these techniques. It's always based on how an API is being used in what context. Right, so most of the time as programmers we don't make that connection, which is what I see. Everybody goes and does the best practice of programming. No, it's not about, oh, if you always send 25 records, you're doing good, no. If that thing is not what the user wants, it doesn't matter what best practice.

Does it make sense to give them delay, or if you know that they always browse through these orders one by one, it means you should be doing all the lazy loading in the back, preparing for it. Or if the performance is more important than doing multiple calls.

And then you will get the... whenever... When did you get 201? Post it. Yeah, whenever you post.

And whenever you get a get, of course you get 200. And then you get internal server error, but it cannot find the server. 400, can I find that?

There's something called resiliency patterns. What it does is whenever you're making, first thing is you need to understand what is the reason why you're not getting from SQL, right? What are the reasons that you don't get something from SQL? What could be the reason? I'm making fun of people.

Connection pooling, right, could be connection is timed out, like you've used up all the connections. That's one possibility. And it's really possible the SQL server is down. Right? It's a machine, so a vendor. I'm changing the logic. Yeah. And there's also a possibility that you're bouncing it and it cannot take anymore. It's input-output bound. Right? Because it's so busy that it cannot.

Now when it's so busy, If you keep sending more requests, What will happen? It'll get worse.

Because you treat each one of them as a new request and you get even more waiting, you know, you're blocking the thread.

The other pattern is: do not pound it. Give it some time. Again, make a call and see if the reason is still there. But give it some break. That's a better option than constantly pounding it. You make things worse. So there are a lot of resiliency patterns when you're working with the backend.

And this is where your simple business logic is no longer enough.

So Just For this case, just to be different, instead of using Visual Studio Code, I'm using Visual Studio. How many people have used Visual Studio itself? You may not be... Too heavy. Huh? Too heavy. Too heavy? I attempted it once.

These are all sisters I don't desire for such Yeah, but it's pretty good if you're in C# and Azure related things.

Yeah, I mean, that's why when Microsoft came up with VS Code, many people abandoned... To be. It's much faster and it just loads the extensions that you need.

Okay, so in this case, what I did was I created a Web API application in Visual Studio.

There are a few things that I hear it, wait. I will explain to you. So in this... So... In the... In the... Is it studio? Here I'm using an object relational mapping which is called Entity Framework. Now, you don't have to do this in your distinct, but when you're using C#, that's a good practice. So what it does is, it defines a class, right? It creates an object and then matches that to a database. What does that mean?

Because every database table, right, ideally it should not be table to table, but there is a table, let's say I have a customer table, right? That customer table is seen as a customer object.

When I'm programming, I want to use that object. But when I'm updating data, I want to use the database. The connecting layer is what the object relational mapping tool does. Here is the object. This means these are the fields. So, Microsoft has something called Entity Framework. That does that. So now, first I thought I wanted to show you how to use Visual Studio Code. I did the basic API. So I said maybe I'll just give them a different view, right?

So if you're doing in Java, you have the same concept, right? And what kind of ORM tool do you use? Actually I use Hibernate.

Hibernate. Yeah. Yes.

Same concept. In Hibernate what you do is that you say here's the object and here's the database table. It's because object-oriented programming is not table-oriented programming.

So this is the DB, the database context.

And then when this thing, when the DB context comes, it reads it from this to connect to the back end. So what the DB context is saying is that, hey, you create... The weather forecast is the model.

Like the first thing you do is initiate the database.

So it takes the object and creates the equivalent table in your database. That's for initial migration.

And all this is done when you initially start it. So you initially create a database connection, define your class, and when you do the initial migration, it takes that and creates an empty table without anything, so that it's ready. There is another way to do this. You can go create the table already and then come back and connect to the database. But if you don't have anything, you can actually initiate the whole table by connecting to the database.

And so the main logic is in our program. Now this one is built in OpenAPI. So what is an OpenAPI?

Yeah. So whenever you, and I'll show you one that you'll understand it. What I would like you to do, and I'm going to give you an exercise, and there is a very nice tool called TypeSpec, right?

This is the Microsoft tool. It's one of the best tools. It helps you design your API, right?

So what is it saying? That, hey, this is my spec for the OpenAPI. Why is this important?

Any system that is complying with OpenAPI can parse it. And you can test your API based on the spec.

So it is a specification for your API. So it says that, hey, this is the title, and this is the URL from which it's coming. And then what does the path mean? What does the pattern just mean? Where is the endpoint? Endpoint. So what would be the path based on what you're seeing on top?

When it says path /weatherforecast, what does that mean?

That I will have an endpoint with localhost:7186/weatherforecast. And if you do this, what should you be expecting? That is the specification itself. Right? Again, if you have the thing, that is a jet car. Right? That's what it says, if you do this. And we can try this, right? That's it.

It is telling you what the problem is. Yeah, they don't have access. Don't have access? IP address is not allowed to access the server. What does that mean? The Azure SQL is blocked by this IP address. Yeah. So you get to cook it. So what that means... Yeah.

See, it worked because now the firewall, I only have one entry.

But when you deploy what happens, you can tell the SQL server to allow API to connect through managed identity or through IP of the web app.

But now when I'm running in local host, depending on where I'm running, my IP will change and then it blocks it, which is a very good secure way so that people randomly cannot access.

Now, there is a beautiful tool. Who are your good friends?

Which can be used, I like this better than Postman.

And it's got the Apidog. So I can do this. Right? I get it. So it returns it?

Thank you. We haven't been getting trained to do so, let's say two. Boom and pause. Right? So let's see if this will do this.

So success, right? And so if I go to this And refresh.

To show a put, post, delete, write, create operation. So that is going to be an assignment.

I didn't give you a very detailed thing, we'll go through that, but you will create a database, you will create a class. And then you create the, now here you're not using any business logic except mapping the database to the thing and just creating, right? So you're not doing any business logic. We will do that for the final project where we will have some more. Here, it's just a pure database manipulation through API: create, put, delete.

One is a database that's running on the cloud of your choice. So I use the SQL. You can use MongoDB or whatever.

But they'll definitely give you a free Azure SQL. Take the free tier.

By default it will give you the highest tier.

So you have to go and make sure that when you're creating a database, you're picking the free tier. It's small size, it's good for our demos, right? It's not production ready. So pick the free SQL tier in Azure. How many people are just working on Azure?

So if you try to create two SQL servers in the same region, it won't let you, and you think something is wrong. So a lot of times, because you're getting it free, they try to restrict you from using their resources. So, pick a database, take an API, connect that API to the database. Anything to do with CORS or anything to do with authentication, anything to do with firewall, deal with it. So if it doesn't work, one of those things are the reasons.

And a screenshot of working with Apidog, Postman, or Visual Studio Code HTTP. How many people have used VS Code HTTP? It's got something called HTTP, an extension, and you can just, instead of, if you're building in Visual Studio Code, you don't have to get out of it. You just use HTTP to send the request. Considering nobody wants to use Visual Studio, they are using VS Code. You don't have to put in another Postman, do it from there.

You don't need a Postman. If you use something called Swagger, what the Swagger does is, here I have it as a UI where I have a get and it will tell you the schema. And then you can do it. And the Swagger uses this information to say, "Hey, if you want to get a weather specification, you should supply an ID." So you can execute if you have a Swagger UI.

Execute this API without Postman.

And you can do that in Express, in Java, everything. Swagger is a, like, so what it does is that, I'll see if I can add Swagger to this and I'll show you. Bye. I don't have to go to Apidog. I can go to that Swagger and do everything there. And then when you have authorization, Swagger can actually make your login. Get the token.

Here, in Postman, what do you do when you have to authorize? You have to find a way to go log in, go to your F2L, get your token that it generates for your log in and then pass it on.

Postman now has the ability to make you log in. It's a bit complicated, but that thing is smooth when you have the Swagger. So if anyone does with the Swagger... Thanks.

And hence, that ID has to be an integer and is the regex pattern, right? That's what this schema says. And here, this whole... Remember, it said under component and weather forecast. You got this from the class.

So when the schema is there, what it's saying is, hey, go to the component section, look for the schema, and where did this thing get all this from?

Even when you build it with Java, you'll be delivering exactly the same thing. That's why the OpenAPI standard for API is very, very important. It's a universal standard. That will be delivered irrespective of the tool that you use. So that's why I'm not asking you to follow my example. As long as you have the spec, then anybody can consume. A client can consume this without knowing whether it was in Java.

You go to the endpoint, you'll get the JSON. So that's the idea of building a standardized API using OpenAPI.

So what is TypeSpec now? TypeSpec will help you to create this. OpenAPI is a big one.

So you can use it in Visual Studio Code and do WebHttp. If you really want it, I can demo it next time.


Background

Why Enterprise Architecture Matters

Enterprise Backend Architecture


HTTP CRUD

CRUD Request Lifecycle

  1. HTTP Request
  2. Route Resolution
  3. Validation
  4. Business Logic
  5. SQL Execution
  6. Result Mapping
  7. HTTP Response
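The seven stages above, walked through as one runnable example added here (it is not code from the lecture or from any named project). It assumes a constructed `/orders` resource instead of the lecture's `/weatherforecast`, an in-memory table with SQL-style column names standing in for Azure SQL, a bearer-token check as the middleware-style gate, and a `db.flakyCalls` knob that simulates a busy backend so the backoff path can be exercised; waits are recorded in `db.backoffLog` instead of sleeping. It goes slightly beyond the list by folding in the lecture's other points: validation before any service call, DTO mapping of SQL columns, paged GET (default 25 rows), 201/200/400/401/404/500 status codes, and backoff rather than pounding a busy database. Node built-ins only, no Express.

```javascript
// Constructed OpenAPI-style component schema: the required fields and types
// an OrderCreate body must carry (what a components/schemas entry expresses).
const schemas = {
  OrderCreate: {
    required: ['customerId', 'quantity'],
    properties: { customerId: { type: 'integer' }, quantity: { type: 'integer' }, note: { type: 'string' } },
  },
};

// Stand-in for Azure SQL (constructed): an in-memory orders table with SQL-style
// column names, plus a knob that makes the next N calls fail with a transient error.
const db = {
  rows: [],
  flakyCalls: 0,
  backoffLog: [],                       // waits a real deployment would sleep through
  query(fn) {
    if (this.flakyCalls > 0) { this.flakyCalls -= 1; throw new Error('connection pool exhausted'); }
    return fn(this.rows);
  },
};

// Stage 2: route resolution. Method + path pick the handler; numeric captures become path params.
const routes = [
  { method: 'GET', pattern: /^\/orders$/, handler: listOrders },
  { method: 'GET', pattern: /^\/orders\/(\d+)$/, handler: getOrder },
  { method: 'POST', pattern: /^\/orders$/, handler: createOrder },
];
function resolveRoute(method, path) {
  for (const r of routes) {
    const m = path.match(r.pattern);
    if (m && r.method === method) return { handler: r.handler, params: m.slice(1).map(Number) };
  }
  return null;
}

// Stage 3: data validation before any service is called: well-formed JSON,
// all required fields present, declared types respected.
function validateBody(rawBody, schema) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, error: 'body is not valid JSON' }; }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  for (const f of schema.required) if (!(f in body)) return { ok: false, error: `missing required field: ${f}` };
  for (const [name, rule] of Object.entries(schema.properties)) {
    if (!(name in body)) continue;
    const ok = rule.type === 'integer' ? Number.isInteger(body[name]) : typeof body[name] === rule.type;
    if (!ok) return { ok: false, error: `field ${name} must be ${rule.type}` };
  }
  return { ok: true, body };
}

// Stage 5: SQL execution behind a resiliency pattern: exponential backoff
// (100 ms, 200 ms, ...) instead of pounding a backend that is already busy.
function withBackoff(op, { maxAttempts = 3, baseMs = 100 } = {}) {
  for (let attempt = 1; ; attempt++) {
    try { return op(); } catch (err) {
      if (attempt >= maxAttempts) throw err;
      db.backoffLog.push(baseMs * 2 ** (attempt - 1));   // constructed: record instead of sleeping
    }
  }
}
const runSql = (fn) => withBackoff(() => db.query(fn));

// Stage 6: result mapping. SQL columns -> the DTO the client expects.
const toOrderDto = (row) => ({
  id: row.order_id, customerId: row.customer_id, quantity: row.quantity, note: row.note ?? null,
});

// Stage 4: business logic lives in the handlers; only the repository (db) touches rows.
function createOrder(req) {
  const v = validateBody(req.body, schemas.OrderCreate);
  if (!v.ok) return { status: 400, body: { error: v.error } };
  if (v.body.quantity <= 0) return { status: 400, body: { error: 'quantity must be positive' } };
  const row = runSql((rows) => {                      // POST carries no id: the store creates it
    const r = { order_id: rows.length + 1, customer_id: v.body.customerId, quantity: v.body.quantity, note: v.body.note };
    rows.push(r);
    return r;
  });
  return { status: 201, body: toOrderDto(row) };
}
function getOrder(req, [id]) {
  const row = runSql((rows) => rows.find((r) => r.order_id === id));
  return row ? { status: 200, body: toOrderDto(row) } : { status: 404, body: { error: `order ${id} not found` } };
}
function listOrders(req) {
  // GET without an id means "everything", served as pages (default 25) rather than 10,000 rows at once.
  const limit = Number(req.query?.limit ?? 25), page = Number(req.query?.page ?? 1);
  const rows = runSql((rows) => rows.slice((page - 1) * limit, page * limit));
  return { status: 200, body: rows.map(toOrderDto) };
}

// Stages 1 and 7: request in, middleware-style checks, and a status code plus body out
// (201 create, 200 read, 400 bad input, 401 no token, 404 unknown route or row, 500 backend still down).
function handle(req) {
  const route = resolveRoute(req.method, req.path);
  if (!route) return { status: 404, body: { error: `no route for ${req.method} ${req.path}` } };
  if (!/^Bearer \S+$/.test(req.headers?.authorization ?? '')) return { status: 401, body: { error: 'missing bearer token' } };
  try { return route.handler(req, route.params); }
  catch { return { status: 500, body: { error: 'internal server error' } }; }
}
```

Calling `handle({ method: 'POST', path: '/orders', headers: { authorization: 'Bearer t' }, body: '{"customerId": 7, "quantity": 2}' })` returns status 201 with the mapped DTO; with `db.flakyCalls = 2` a following GET still returns 200 after two recorded waits, and with three failures the handler gives up and returns 500 rather than retrying forever.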