Why APIs?
In today’s world if we are using any service on the internet, we are consuming some sort of APIs in many ways. Even the article you are reading is coming as a response to an API request to our servers.
Have you ever thought how you are able to see Google Maps on websites other than Google? That is where the APIs comes into picture.
When you see Google ads on different websites, Login with X on Y website, travel ticket booking applications which shows flights from multiple sources, all of these are also the response of an API request.
What is an API?
API stands for Application Programming Interface. It is an essential part of Software development. You can think of an API as a method which when called do some processing and returns a value.
APIs are the way of accessing information for different components of an application.
The APIs defines rules that must be followed in order to communicate effectively with system and get the required information.
What is a Web API?
An API that we can access over the internet using HTTP protocols is called a web API. A web API can be called using following methods –
1. GET – Used when requesting data from server.
2. POST – Used when creating a new record on the server.
3. PUT – Used to update an item on the server.
4. DELETE – Used to delete an item from the server.
Benefits of using an API
There are a lot of benefits of using an API some of them are –
- Code Sharing: We can share code between multiple websites or devices. For example, we can use the same Google map API in all our websites. And, we can consume same API for CRUD operation on website as well as on mobile app.
- Flexibility: We can also make our API public so that other developers can use our API to build their custom applications. Best example of this is Google Map and Google auth API.
- Easy Debugging: It is also easier to debug application since all the functionality are separated from each other in a modular fashion.
- Integration: We can integrate an API to multiple platforms for example we can integrate CRM APIs to our own customized mobile app which can help us in data-sharing within both the applications.
- Customizable: APIs are also customizable i.e. one can only get the data he wants by specifying parameters in the request object.
- CORS: It also helps in sharing cross-origin data, i.e. data between multiple domains.
Best Practices for Web API development
There are some best practices that should be followed to make an easy to use web API. These are:
- Endpoints should be descriptive like an endpoint to update a user should be something look like /users/:id , where :id should be replaced with appropriate user id.
- Errors should be handled gracefully and should return proper standard status codes like 404, 500, etc.
- A Web API should also allow filtering and pagination for a collection of objects like users, articles, products, etc.
- Should be secure using any method like API tokens, JWT, etc.
- Proper documentation is also an important part of API development, it should contain the endpoints description such as what type of data it accepts and sends back, what security parameters are required, etc.
- Performance is also an important aspect of API development. Developer should also implement caching wherever required.
Web APIs in DNN
To make web API we use Services Framework in DNN. To enable web API in DNN we need to reference the following dlls –
- DotNetNuke.dll
- DotNetNuke.Web.dll
- System.Net.Http.dll
- System.Net.Http.Formatting.dll
- System.Web.Http.dll
Now we need to access it via URL, so we need to register the controller class. To do so add the following code to the Components/RouteMapper.cs class.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using DotNetNuke.Web.Api;
namespace Xrmlabs.Modules.ApiTest.Components
{
public class RouteMapper : IServiceRouteMapper
{
public void RegisterRoutes(IMapRoute mapRouteManager)
{
mapRouteManager.MapHttpRoute("ApiTest", "default", "{controller}/{action}", new string[] { "Xrmlabs.Modules.ApiTest.Components" });
}
}
}
The RouteMapper class extends the IServiceRouteMapper class which helps in defining routes by which we can access the web API from the frontend.
Now we can start creating web APIs. Add the following code to the Components/FeatureController.cs class.
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Web.Api;
public class FeatureController : DnnApiController
{
[HttpGet]
public HttpResponseMessage GetData()
{
var data = "Test data from API";
return Request.CreateResponse(HttpStatusCode.OK, data);
}
}
Here the controller name is Feature which extends DnnApiController class. The HttpGet attribute defines that this method only accepts the GET requests, to make a method which accepts POST request we can replace this with [HttpPost].
To access the API go to the url ~/desktopmodules/<module-name>/API/<controller-name>/<method-name> you will see a string “Test data from API”.
Accessing URL Parameters
To accept URL parameters we can easily pass them as a parameters to the method as shown below –
[HttpGet]
public HttpResponseMessage GetData(int Id)
{
var data = "You passed: " + Id;
return Request.CreateResponse(HttpStatusCode.OK, data);
}
Securing the Web API
Security is important consideration when developing an API. An API should implement the best practices for security. Some of the possible threats are
- CSRF attack.
- DOS attack
- Broken authentication
- Broken access control
Using built in authentication mechanism
DNN provides built-in authentication mechanism. We can implement authentication to an action using the DNNAuthorize attribute.
[HttpGet]
[DNNAuthorize]
public HttpResponseMessage GetData()
{
var dt = "Test data from API";
return Request.CreateResponse(HttpStatusCode.OK, dt);
}
The above method is only accessible to the authorized users and prevents anonymous access to the API.
Protecting against CSRF
DNN has built-in functionality to prevent against CSRF (Cross-site request forgery). We can use a ValidateAntiForgeryToken attribute with the method which validates whether the CSRF token is received and valid or not.
[HttpGet]
[ValidateAntiForgeryToken]
public HttpResponseMessage GetData()
{
var dt = "Test data from API";
return Request.CreateResponse(HttpStatusCode.OK, dt);
}
Preventing SQL injection attacks
DNN also allows us to validate the received data since it may contain some malicious content like HTML/scripts. By using ValidateInput attribute, we can prevent submitting harmful content.
Example client-side request
You can do a GET request normally like a ajax request. But to do a POST request or a request with CSRF protection enabled you have tomust pass the CSRF token along with the request headers.
var sf = $.ServicesFramework(<%= ModuleId%>);
$.ajax({
url: "<api-url>",
"beforeSend": sf.setModuleHeaders,
"contentType": 'application/json; charset=UTF-8',
"accepts": "application/json; charset=utf-8",
"async": true,
"success”:function(result){
console.log(result);
}
});
After running above code, you will see the output something like below in your JavaScript console.
