Tutorial: Requesting database in REST

REST API Requesting database in REST

Prerequisites

  • Create an account on Webcom
  • Create an application (or namespace), in this documentation we will use the fictional test-rest application
  • Have the curl command available (or another tool to build HTTP requests)

Look at the following sample, which makes it possible to browse data level per level: https://io.datasync.orange.com/samples/tree/.

Write Data

WARNING: Security rules concerns are explained later in this document!

Writing data is as easy as sending a PUT request (this request is equivalent to the set() method):

$ curl -X PUT -H 'Content-Type: application/json' "https://io.datasync.orange.com/datasync/v2/<application>/data/<path/of/your/data>" -d '<JSON data>'

Command example:

$ curl -X PUT -H 'Content-Type: application/json' "https://io.datasync.orange.com/datasync/v2/test-rest/data/main/sub/infos" -d '{"id": 22, "version": 42, "detail": "this is a test", "level2": {"level21": "22", "level22": true}}' 

The server answers with the "204 No Content" HTTP status.

After sending the request, you should see your data in the data tab of the Webcom developer console. Notice that the main / sub / infos path levels (or path segments) have been created automatically. Be careful, some characters are forbidden in path levels (. $ [ ] # /), and no more than 32 levels are authorized in the database (comprehensive limitations can be found here).

In order to store new element data into an ordered list at a given level, use the HTTP POST method instead of PUT (this request is equivalent to the push() method). It makes the Webcom server create a new level in your tree, with a unique and temporally ordered name.

Command example:

$ curl -X POST -H 'Content-Type: application/json' "https://io.datasync.orange.com/datasync/v2/test-rest/data/history/main/sub" -d '{"id": 22, "version": 42, "detail": "this is a test", "level2": {"level21": "22", "level22": true}}' 

In this case, the server answers with the "201 Created" HTTP status, and returns the path of the newly created level within the "Location" header.

Server response:

HTTP/1.1 201 Created
Location: https://io.datasync.orange.com/datasync/v2/test-rest/data/history/main/sub/-KolzsgbVnMc4s7lr-c-

Read Data

To retrieve data, a simple GET is needed:

$ curl –X GET "https://io.datasync.orange.com/datasync/v2/<application>/data/<path/of/your/data>"

Command example:

$ curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data/main/sub/infos"

The server answers with the "200 OK" HTTP status and provides the following content:

{"id":22,"version":42,"detail":"this is a test","level2":{"level21":"22","level22":true}}

Other command example, which applies to a sub-level:

$ curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data/main/sub/infos/level2"

Server response content:

{"level21":"22","level22":true}

Other command example, which applies to the whole database:

$ curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data"

Server response content:

{"main":{"sub":{"infos":{"id":22,"version":42,"detail":"this  is a  test","level2":{"level21":"22","level22":true}}}},"history":{"main":{"sub":{"-KolzsgbVnMc4s7lr-c-":{"id":22,"version":42,"detail":"this  is a test","level2":{"level21":"22","level22":true}}}}}}

Server can format the data returned within the response content in a pretty way, using the print=pretty parameter:

Command example, requesting the whole database in a pretty format:

$ curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data?print=pretty"

Server response content:

{
  "main": {
    "sub": {
      "infos": {
        "id": 22,
        "version": 42,
        "detail": "this is a test",
        "level2": {
          "level21": "22",
          "level22": true
        }
      }
    }
  },
  "history": {
    "main": {
      "sub": {
        "-KolzsgbVnMc4s7lr-c-": {
          "id": 22,
          "version": 42,
          "detail": "this is a test",
          "level2": {
            "level21": "22",
            "level22": true
          }
        }
      }
    }
  }
}

Tips for further needs

When your database gets bigger, a GET request at the root level may result in a too_big error. In such a case, you can add the shallow=true parameter to your GET request. This parameter makes the request never end in a too_big error by returning only the actual sub-levels of the requested path, without their attached data.

Example:

$ curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data?shallow=true&print=pretty"

Server response content:

{
  "main": true,
  "history": true
}

Security of your data

Easy way with a secret key

By default, all your data is entirely accessible from the Web for all people knowing the name of your Webcom application. In order to secure access to your data, you have to define security rules for each part of your data model within the security tab of your application in the Webcom developer console. These rules are then permanently checked by Webcom servers for each attempt of read or write access.

A very basic test to start playing with security rules consists in removing all read and write rights, using the following security rules:

{
  "rules": {
    ".read": false,
    ".write": false
  }
}

Then, if you try a GET (or PUT) request, it will end in a permission denied:
{"error":{"message":"Permission denied Get on /","code":"permission_denied"},"status":"permission_denied","success":false}

To enable your application to send data to your Webcom database, we will use a secret key. This key allows the read/write actions on the data even if security rules forbid them (it's like a "root" right, so be careful: With great power, comes great responsibility).

Go to the authentication tab of the Webcom developer console. Add a new key with the add a secret button (always consider generating a new key before attempting to revoke the default one) and copy it using the show button.

Now you just have to put the key prefixed with "Bearer " in the Authorization header of the HTTP requests to access your data:

curl -X PUT "https://io.datasync.orange.com/datasync/v2/test-rest/data" -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxx" -H "Content-Type: application/json" -d '{"id": 22, "version": 42, "firmware": "1.3.4.2", "level2": {"level21": "22", "level22": true}}'

Or for a GET:

curl -X GET "https://io.datasync.orange.com/datasync/v2/test-rest/data" -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxx"

If the key is compromised, you can revoke it in the Webcom developer console (authentication tab, show button, then revoke button).

A simple security mode for a web application that only shows some data that are produced by a backend server (for which we can imagine that the secret key will be well secured), is to forbid write actions (".write" : false in the security rules) and to authorize all people for read actions (".read" : true in the security rules). The main drawback is that someone that knows the identifier of your Webcom application and how Webcom works can easily retrieve all your data.

You can also forbid reading at the root level and authorize reading only at some explicit paths of the application data. For instance in our test case, it could be something like:

{
  "rules": {
    ".read": false,
    ".write": false,
    "history": {
      ".read": true
    },
    "main": {
      ".read": true
    }
  }
}

Here, a GET request at root level will fail whereas a GET request at the /history path will work. Beware it's not enough to secure your data. The best way is to rely on users authentication methods provided by Webcom and then to define related security rules. Please have a look at the Authentication and Security detailed documentation pages.