It&#39;s possible that those other vendors you listed have their own ID or hashing scheme to allow them to expose a smaller number while using something more akin to a UUID internally. But in the end, the question must be asked: as long as your URIs are intended to be consumed by code (API clients) rather than humans, why would it matter?

Don&#39;t get too freaked out by what those vendors have done. There&#39;s no guarantee that (a) they are doing the &quot;right&quot; thing and (b) that their needs are the same as yours.

Go ahead and use UUIDs.

I think you might consider the four main options here:

 1. use the UUID as your database Primary Keys, but it could be more [computationally expensive than using Long][1] 

 2. create an UUID to Long mapping layer, this way you can publish your REST resources, but maintain a clean database structure using Long PK

 3. create an Alternate Key column in your database tables in order to hold de UUID values.

 4. instead of using UUID you could have cryptographic IDs, generated on the fly using a custom seed for each customer and original PK. This approach imposes more execution overhead but could be interesting in some scenarios. The customer would have to use always encrypted data, since they will never have access to the seed or algorithm.

  [1]: https://stackoverflow.com/questions/517579/strings-as-primary-keys-in-sql-database

I need this all the time and am constantly frustrated that the Trim(), TrimStart() and TrimEnd() functions don&#39;t take strings as inputs. You call EndsWith() on a string, and find out if it ends with another string, but then if you want to remove it from the end, you have to do substring hacks to do it (or call Remove() and pray it is the only instance...)

Why is this basic function is missing in .NET? And second, any recommendations for a simple way to implement this (preferably not the regular expression route...)


Trim string from the end of a string in .NET - why is this missing?

How do I download JAR during a build in Maven script? 

How to simply download a JAR using Maven?

I&#39;m building a SaaS application and want to expose IDs for resources which are not tied to my current data storage implementation (Postgres auto-increment IDs). These Stack Overflow posts ([one][1] [two][2]) suggest that creating locally unique IDs is hard and that I might as well use UUIDs, which are of course easily and safely generated in pretty much any language.

I&#39;m happy with this approach, but I wonder why I can&#39;t find any APIs from big SaaS/hosted players which do the same? For example:

 - Shopify: [9 digit numbers][3]
 - Twilio: [34 character strings][4]
 - Twitter: [20+ digit numbers][5]
 - AMEE: [12 character A-Z0-9][6]

So basically nobody seems to use UUIDs. Is there a reason for this - not-invented-here, cleverer internal ID algorithms or something else? And in my case, in the absence of any internal algorithm, does it make most sense to go with UUIDs?

  [1]: https://stackoverflow.com/questions/6215639/use-of-guids-as-id-in-public-facing-data-integration-web-service
  [2]: https://stackoverflow.com/questions/3613120/what-is-the-preferred-method-for-generating-locally-unique-identifiers-in-vb-net
  [3]: http://api.shopify.com/transactions.html
  [4]: http://www.twilio.com/docs/api/rest/call
  [5]: https://dev.twitter.com/docs/api/1/get/statuses/retweets/:id
  [6]: http://www.amee.com/developer/docs/apc.php#uid_reference

Should I use UUIDs for resources in my public API?

I'm building a SaaS application and want to expose IDs for resources which are not tied to my current data storage implementation (Postgres auto-increment IDs). These Stack Overflow posts (<a href="https://stackoverflow.com/questions/6215639/use-of-guids-as-id-in-public-facing-data-integration-web-service" target="_blank" rel="noopener noreferrer">one</a> <a href="https://stackoverflow.com/questions/3613120/what-is-the-preferred-method-for-generating-locally-unique-identifiers-in-vb-net" target="_blank" rel="noopener noreferrer">two</a>) suggest that creating locally unique IDs is hard and that I might as well use UUIDs, which are of course easily and safely generated in pretty much any language.
I'm happy with this approach, but I wonder why I can't find any APIs from big SaaS/hosted players which do the same? For example:
<ul>
<li>Shopify: <a href="http://api.shopify.com/transactions.html" target="_blank" rel="noopener noreferrer">9 digit numbers</a></li>
<li>Twilio: <a href="http://www.twilio.com/docs/api/rest/call" target="_blank" rel="noopener noreferrer">34 character strings</a></li>
<li>Twitter: <a href="https://dev.twitter.com/docs/api/1/get/statuses/retweets/:id" target="_blank" rel="noopener noreferrer">20+ digit numbers</a></li>
<li>AMEE: <a href="http://www.amee.com/developer/docs/apc.php#uid_reference" target="_blank" rel="noopener noreferrer">12 character A-Z0-9</a></li>
</ul>
So basically nobody seems to use UUIDs. Is there a reason for this - not-invented-here, cleverer internal ID algorithms or something else? And in my case, in the absence of any internal algorithm, does it make most sense to go with UUIDs?

I was designing a web app and then stopped to think about how my api should be designed as a RESTful web service.  For now, most of my URI&#39;s are generic and might apply to various web apps:

    GET  /logout   // destroys session and redirects to /
    GET  /login    // gets the webpage that has the login form
    POST /login    // authenticates credentials against database and either redirects home with a new session or redirects back to /login
    GET  /register // gets the webpage that has the registration form
    POST /register // records the entered information into database as a new /user/xxx
    GET  /user/xxx // gets and renders current user data in a profile view
    POST /user/xxx // updates new information about user

I have a feeling I&#39;m doing a lot wrong here after poking around on SO and google.

Starting with `/logout`, perhaps since I don&#39;t really `GET` anything - it may be more appropriate to `POST` a request to `/logout`, destroy the session, and then `GET` the redirect.  And should the `/logout` term stay?

What about `/login` and `/register`.  I could change `/register` to `/registration` but that doesn&#39;t alter how my service fundamentally works - if it has deeper issues.

I notice now that I never expose a `/user` resource.  Perhaps that could be utilized somehow.  For instance, take the user `myUser`:

    foo.com/user/myUser

or

    foo.com/user

The end user doesn&#39;t require that extra verbosity in the URI.  However, which one is more appealing visually?

I noticed some other questions here on SO about this REST business, but I would really appreciate some guidance on what I&#39;ve laid out here if possible.

Thanks!

**UPDATE:**

I would also like some opinions on:

    /user/1

vs

    /user/myUserName

RESTfully design /login or /register resources?

I use Ubuntu and installed [cURL][1] on it. I want to test my Spring REST application with cURL. I wrote my POST code at the Java side. However, I want to test it with cURL. I am trying to post a JSON data. Example data is like this:

    {&quot;value&quot;:&quot;30&quot;,&quot;type&quot;:&quot;Tip 3&quot;,&quot;targetModule&quot;:&quot;Target 3&quot;,&quot;configurationGroup&quot;:null,&quot;name&quot;:&quot;Configuration Deneme 3&quot;,&quot;description&quot;:null,&quot;identity&quot;:&quot;Configuration Deneme 3&quot;,&quot;version&quot;:0,&quot;systemId&quot;:3,&quot;active&quot;:true}

I use this command:

    curl -i \
        -H &quot;Accept: application/json&quot; \
        -H &quot;X-HTTP-Method-Override: PUT&quot; \
        -X POST -d &quot;value&quot;:&quot;30&quot;,&quot;type&quot;:&quot;Tip 3&quot;,&quot;targetModule&quot;:&quot;Target 3&quot;,&quot;configurationGroup&quot;:null,&quot;name&quot;:&quot;Configuration Deneme 3&quot;,&quot;description&quot;:null,&quot;identity&quot;:&quot;Configuration Deneme 3&quot;,&quot;version&quot;:0,&quot;systemId&quot;:3,&quot;active&quot;:true \
        http://localhost:8080/xx/xxx/xxxx

It returns this error:

    HTTP/1.1 415 Unsupported Media Type
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=utf-8
    Content-Length: 1051
    Date: Wed, 24 Aug 2011 08:50:17 GMT

The error description is this:

&gt; *The server refused this request because the request entity is in a format not supported by the requested resource for the requested method ().*

Tomcat log:
    &quot;POST /ui/webapp/conf/clear HTTP/1.1&quot; 415 1051

What is the right format of the cURL command?

This is my Java side `PUT` code (I have tested GET and DELETE and they work):

    @RequestMapping(method = RequestMethod.PUT)
    public Configuration updateConfiguration(HttpServletResponse response, @RequestBody Configuration configuration) { //consider @Valid tag
        configuration.setName(&quot;PUT worked&quot;);
        //todo If error occurs response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return configuration;
    }


  [1]: https://en.wikipedia.org/wiki/CURL

How do I POST JSON data with cURL?

When designing REST API is it common to authenticate a user first?

The typical use case I am looking for is:

* User wants to get data.  Sure cool we like to share! Get a public API key and read away!
* User wants to store/update data... woah wait up! who are you, can you do this?

I would like to build it once and allow say a web-app, an android application or an iPhone application to use it.

A REST API appears to be a logical choice with requirements like this

To illustrate my question I&#39;ll use a simple example.

I have an item in a database, which has a **rating** attribute (integer 1 to 5).

If I understand REST correctly I would implement a GET request using the language of my choice that returns csv, xml or json like this:

    http://example.com/product/getrating/{id}/

Say we pick JSON we return:

    {
      &quot;id&quot;: &quot;1&quot;,
      &quot;name&quot;: &quot;widget1&quot;,
      &quot;attributes&quot;: { &quot;rating&quot;: {&quot;type&quot;:&quot;int&quot;, &quot;value&quot;:4} }
    }

This is fine for public facing APIs. I get that part.

Where I have tons of question is how do I combine this with a security model? I&#39;m used to web-app security where I have a session state identifying my user at all time so I can control what they can do no matter what they decide to send me.  As I understand it this isn&#39;t RESTful so would be a bad solution in this case.

I&#39;ll try to use another example using the same item/rating.

If user &quot;JOE&quot; wants to add a **rating** to an **item**

This could be done using:

    http://example.com/product/addrating/{id}/{givenRating}/

At this point I want to store the data saying that &quot;JOE&quot; gave product {id} a rating of {givenRating}.

Question: How do I know the request came from &quot;JOE&quot; and not &quot;BOB&quot;.

Furthermore, what if it was for more sensible data like a user&#39;s phone number?

What I&#39;ve got so far is:

1) Use the built-in feature of HTTP to authenticate at every request, either plain HTTP or HTTPS.

This means that every request now take the form of:

    https://joe:joepassword@example.com/product/addrating/{id}/{givenRating}/

2) Use an approach like Amazon&#39;s S3 with private and public key: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

3) Use a cookie anyway and break the stateless part of REST.

The second approach appears better to me, but I am left wondering do I really have to re-invent this whole thing? Hashing, storing, generating the keys, etc all by myself? 

This sounds a lot like using session in a typical web application and rewriting the entire stack yourself, which usually to me mean &quot;You&#39;re doing it wrong&quot; especially when dealing with security.

EDIT: I guess I should have mentioned OAuth as well.

Securing REST API without reinventing the wheel

Why would you use one over the other, for exposing an API for your Django app?

http://pypi.python.org/pypi/djangorestframework/

http://pypi.python.org/pypi/django-tastypie

What are the differences between django-tastypie and djangorestframework?

First up, where my knowledge is at:
-

*Unit Tests* are those which test a small piece of code (single methods, mostly). 

*Integration Tests* are those which test the interaction between multiple areas of code (which hopefully already have their own Unit Tests). Sometimes, parts of the code under test requires other code to act in a particular way. This is where Mocks &amp; Stubs come in. So, we mock/stub out a part of the code to perform very specifically. This allows our Integration Test to run predictably without side effects.

All tests should be able to be run stand-alone without data sharing. If data sharing is necessary, this is a sign the system isn&#39;t decoupled enough.

Next up, the situation I am facing:
-

When interacting with an external API (specifically, a RESTful API that will modify live data with a POST request), I understand we can (should?) mock out the interaction with that API (more eloquently stated in [this answer][1]) for an Integration Test. I also understand we can Unit Test the individual components of interacting with that API (constructing the request, parsing the result, throwing errors, etc). What I don&#39;t get is how to actually go about this.

So, finally: My question(s).
-

How do I test my interaction with an external API that has side effects?

A perfect example is [Google&#39;s Content API for shopping][2]. To be able to perform the task at hand, it requires a decent amount of prep work, then performing the actual request, then analysing the return value. Some of this is [without any &#39;sandbox&#39; environment][3].

The code to do this generally has quite a few layers of abstraction, something like:

&lt;!-- language: lang-php --&gt;

    &lt;?php
    class Request
    {
        public function setUrl(..){ /* ... */ }
        public function setData(..){ /* ... */ }
        public function setHeaders(..){ /* ... */ }
        public function execute(..){
            // Do some CURL request or some-such
        }   
        public function wasSuccessful(){
            // some test to see if the CURL request was successful
        }   
    }
    
    class GoogleAPIRequest
    {
        private $request;
        abstract protected function getUrl();
        abstract protected function getData();
    
        public function __construct() {
            $this-&gt;request = new Request();
            $this-&gt;request-&gt;setUrl($this-&gt;getUrl());
            $this-&gt;request-&gt;setData($this-&gt;getData());
            $this-&gt;request-&gt;setHeaders($this-&gt;getHeaders());
        }   
    
        public function doRequest() {
            $this-&gt;request-&gt;execute();
        }   
        public function wasSuccessful() {
            return ($this-&gt;request-&gt;wasSuccessful() &amp;&amp; $this-&gt;parseResult());
        }   
        private function parseResult() {
            // return false when result can&#39;t be parsed
        }   
    
        protected function getHeaders() {
            // return some GoogleAPI specific headers
        }   
    }
    
    class CreateSubAccountRequest extends GoogleAPIRequest
    {
        private $dataObject;
            
        public function __construct($dataObject) {
            parent::__construct();
            $this-&gt;dataObject = $dataObject;
        }   
        protected function getUrl() {
            return &quot;http://...&quot;;
        }
        protected function getData() {
            return $this-&gt;dataObject-&gt;getSomeValue();
        }
    }
    
    class aTest
    {
        public function testTheRequest() {
            $dataObject = getSomeDataObject(..);
            $request = new CreateSubAccountRequest($dataObject);
            $request-&gt;doRequest();
            $this-&gt;assertTrue($request-&gt;wasSuccessful());
        }
    }
    ?&gt;

*Note: This is a PHP5 / PHPUnit example*

Given that `testTheRequest` is the method called by the test suite, the example will execute a live request.

Now, this live request will (hopefully, provided everything went well) do a POST request that has the side effect of altering live data.

Is this acceptable? What alternatives do I have? I can&#39;t see a way to mock out the Request object for the test. And even if I did, it would mean setting up results / entry points for every possible code path that Google&#39;s API accepts (which in this case would have to be found by trial and error), but would allow me the use of fixtures.

A further extension is when certain requests rely on certain data being Live already. Using the Google Content API as an example again, to add a Data Feed to a Sub Account, the Sub Account must already exist.

One approach I can think of is the following steps;

 1. In `testCreateAccount`
  1. Create a sub-account
  1. Assert the sub-account was created
  1. Delete the sub-account
 1. Have `testCreateDataFeed` depend on `testCreateAccount` not having any errors
  1. In `testCreateDataFeed`, create a new account
  1. Create the data feed
  1. Assert the data feed was created
  1. Delete the data feed
  1. Delete the sub-account

This then raises the further question; how do I test the deletion of accounts / data feeds? `testCreateDataFeed` feels dirty to me - What if creating the data feed fails? The test fails, therefore the sub-account is never deleted... I can&#39;t test deletion without creation, so do I write another test (`testDeleteAccount`) that relies on `testCreateAccount` before creating then deleting an account of its own (since data shouldn&#39;t be shared between tests).

In Summary
-

 - How do I test interacting with an external API that effects live data?
 - How can I mock / stub objects in an Integration test when they&#39;re hidden behind layers of abstraction?
 - What do I do when a test fails and the live data is left in an inconsistent state?
 - How *in code* do I actually go about doing all this?

----
Related:

 - [How can mocking external services improve unit tests?][4]
 - [Writing unit tests for a REST-ful API][5]


  [1]: https://stackoverflow.com/questions/559092/how-can-mocking-external-services-improve-unit-tests/559177#559177
  [2]: http://code.google.com/apis/shopping/content/getting-started/usingapi-products.html
  [3]: https://groups.google.com/group/google-content-api-for-shopping/browse_thread/thread/ad6d1f482a7cae4d#msg_d4ab56ab47877fba
  [4]: https://stackoverflow.com/questions/559092/how-can-mocking-external-services-improve-unit-tests/559177
  [5]: https://stackoverflow.com/questions/7380903/writing-unit-tests-for-a-rest-ful-api

Content Type	Original Author	Original Content on Stackoverflow
Question	Alex Dean	View Question on Stackoverflow
Solution 1 - Rest	Brian Kelly	View Answer on Stackoverflow
Solution 2 - Rest	Alessandro Oliveira	View Answer on Stackoverflow

Should I use UUIDs for resources in my public API?

Rest Problem Overview

Rest Solutions

Solution 1 - Rest

Solution 2 - Rest

How to simply download a JAR using Maven?

Trim string from the end of a string in .NET - why is this missing?

Attributions