Is it necessary to build a separate API endpoint for a Rails web application accessed by a mobile app?

Problem description:

I have a web app implemented in Ruby on Rails 4 and need an Android native app for it; I am really new to mobile development.

I am a bit confused as to what the mobile-web architecture should look like in this case. I've done some research online, and there seem to be a few ways of doing this, but I still have some questions that I haven't been able to find answers for. Thanks in advance for all pointers.

1) Do I really need a separate API for the mobile app? What are the issues in using my Rails app's existing controllers with respond_to format.json?

2) I've seen some online examples that suggest using a separate API namespace in the Rails app to serve mobile requests, e.g. class Api::ApiController < ActionController::Base for the new controller, then adding namespace :api do in routes.rb. With this approach, doesn't it imply that I'll need to duplicate quite a bit of my controller functionality in this new namespace just for mobile?

3) Regarding authentication, many examples suggest using token authentication. Is the built-in Rails session management framework not good enough for mobile apps? Or is it because session cookies work completely differently in a mobile app?

Appreciate your time.

It is not necessary, but it is, like you said, considered a best practice.

1+2) Having the same controllers with respond_to/respond_with logic is a nice idea at first sight. But, from my experience, I can say there always comes a day when the API code starts to differ from the HTML client code. The mobile client might have a different UI, and it is just natural that it will expect to consume your data in a different way than your web client does. The web client is specialized to one use case, whereas an API should be more generic, allowing multiple ways of consuming it.

The second issue that will arise is the fact that you cannot rely on your mobile users always having the latest app version, whereas with a web app you can. So for the HTML app you can easily introduce non-compatible changes because you are delivering a proper client right within it, whereas for the mobile API breaking the API is at least concerning. Perhaps you will want to maintain backwards compatibility, which will make your all-purpose controllers ugly as hell. And without a proper api/v1 namespace you can't even have two different API versions at the same time.

You can avoid duplication of your logic by keeping your controllers very skinny and moving the logic out into models (Service Objects are models too, not only Active Records).

3) Your mobile HTTP lib will with high probability have proper automatic cookie management. Having token-based authentication is again just a best practice. If it is just a token vs. a session_id within a cookie, there will not be much of a win. I can only think that it will be automatically secure against CSRF attacks, and you can disable this protection entirely for the API because your website users won't be allowed to consume the API just by logging in to the site (an additional benefit perhaps). With session-based authentication you will have to generate a CSRF token on the first API request and set it within the X-CSRF-Token cookie.


The big advantage of token-based authentication is that it is extendable to more security, like introducing expiring tokens, HMAC tokens, etc., whereas session authentication is not. See Using Sessions vs Tokens for API authentication.

I would also encourage you to look at json:api. It comes from the creators of ember.js, who have thought about minimizing the decisions to take when building APIs. Another interesting thing is the active_model_serializers gem. An intro to it is given in Rails: The Next Five Years by Yehuda Katz.
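As an added example (not part of the original answer or of any Rails code), this is what the "expiring tokens, HMAC tokens" the answer mentions can look like in plain Ruby, outside Rails: the secret, user id and timestamps are constructed placeholders, and `current_user_id` stands in for a before_action in an Api::V1 base controller reading the Authorization header instead of a session cookie.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Expiring, HMAC-signed API token (constructed example, not Rails code).
# Token format: base64url(JSON{uid, exp}) + "." + base64url(HMAC-SHA256).
module ApiToken
  SECRET = 'constructed-placeholder-secret'  # in Rails: a credentials entry
  TTL = 3600                                 # seconds a token stays valid
  # Issue a token for user_id that expires ttl seconds after now.
  def self.issue(user_id, now: Time.now.to_i, ttl: TTL, secret: SECRET)
    payload = encode({ uid: user_id, exp: now + ttl }.to_json)
    "#{payload}.#{sign(payload, secret)}"
  end

  # Return the user id for a genuine, unexpired token, else nil.
  # The signature is checked before the payload is trusted or parsed.
  def self.verify(token, now: Time.now.to_i, secret: SECRET)
    payload, sig = token.to_s.split('.', 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_equal?(sig, sign(payload, secret))
    data = JSON.parse(Base64.urlsafe_decode64(payload))
    return nil if data['exp'].to_i <= now       # expired (or missing exp)
    data['uid']
  rescue ArgumentError, JSON::ParserError        # malformed base64 or JSON
    nil
  end

  # Stand-in for a before_action in an Api::V1 base controller: headers is
  # a plain Hash playing the role of request.headers (constructed).
  def self.current_user_id(headers, now: Time.now.to_i)
    auth = headers['Authorization'].to_s
    return nil unless auth.start_with?('Bearer ')
    verify(auth.delete_prefix('Bearer '), now: now)
  end

  def self.encode(str)
    Base64.urlsafe_encode64(str, padding: false)
  end
  def self.sign(payload, secret)
    encode(OpenSSL::HMAC.digest('SHA256', secret, payload))
  end
  # Constant-time comparison so a wrong signature leaks no timing information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :encode, :sign, :secure_equal?
end
```

Because the token carries its own expiry and signature, the API side needs no server-side session store and no CSRF token, which is the difference the answer describes between a plain session_id and a token.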