Request for comments on a new major API version proposal
herronjo
(he/him)
Taking STiBaRC back to its roots, it's time for some meta-discussion about the platform on itself.
I've been working on a new major version of the STiBaRC API (v5), and this time I've started with the specifications for it before the implementation. I'm trying to make sure I capture all the existing functionality of API v4, while providing an actually consistent (and documented!!!) interface. That being, a post, comment, or user looks the same everywhere it's used, both in responses and requests.
API v4 follows the traditional model of STiBaRC API design, which is a very PHP-like approach of making different SJS files for each type of operation there is to do (getpost.sjs vs newpost.sjs, for example). The API v5 proposal takes the approach of REST-ful API design by providing endpoints for each resource (user, post, clip, comments, etc.), organizing related resources under sub-paths, and using the HTTP method to change what you do with that resource.
For example, POST /v4/newpost.sjs would become POST /v5/posts, and GET /v4/getpost.sjs?id=4102 would become GET /v5/posts/4102
This also moves the session token out of the body and into the Authorization header, where it should have been the entire time, so requests that only wanted to get information no longer have to be a POST request instead.
It also eliminates the useless (because we still used HTTP status codes anyway) "status" property of the response in favor of providing a proper error response with 4xx and 5xx series status codes that follow RFC 9457 "Problem Details for HTTP APIs".
This gives developers a reliable and descriptive type to check against (which links to API documentation about the error), and user-facing information the application can show without needing to map error types to their own descriptions, under the "title" and "detail" properties.
Other large changes:
- Splitting off a user's posts, comments, clips, followers/following into separate endpoints.
- Splitting off post comments to its own endpoint
- Pagination on getting lists of resources (like search, global posts, user posts).
- Per-resource scopes and read-only versions of them. Existing scopes on sessions will be migrated to the appropriate new scopes.
Splitting these off into their own endpoints does not come with any major performance penalties due to request pipelining and parallelization, and allows for pagination without repeating common data (like profile or post information). Posts and profiles should load even faster actually, since common information will be able to load and render first without waiting on the comments/posts. And this allows API users to get only the information they care about.
The plan is to continue supporting API v4 for six months post v5 completion, before being removed. This should be plenty of time to move off, but I can extend the deadline if necessary. I tried to make it convenient to migrate, since the request and response bodies should be largely compatible with v4.
But before I even start with any of this, I want your feedback! You can view the API details at:
STiBaRC: https://editor.swagger.io/?url=https%3A%2F%2Ff-up.joshiepoo.com%2Fstibarc_api_v5%2Fapi_v5_oas.yaml
Identity service: https://editor.swagger.io/?url=https%3A%2F%2Ff-up.joshiepoo.com%2Fstibarc_api_v5%2Fidentity_oas.yaml
Pre-gaming some questions:
Q: I see some features on the new API that don't exist now. Do we have to wait for the new API to use those features?
A: No! The datastore API and notifications are planned for API v4 right now, I just wanted to include them in the API v5 proposal so they aren't forgotten about and have a clean implementation.
Q: Why is there a separate identity service?
A: To finally unify www.stibarc.com and stibarc.com, keep you signed in across other future services (like Messenger), and make it easier to manage multiple accounts.
The idea is that your identity.stibarc.com account is one thing, and your existing STiBaRC (the social media service) accounts are connected to it.
The migration plan would involve automatically creating an identity account for each existing STiBaRC account, and then users can choose to combine them together if they want to, picking which one they want to be the primary account. From then on you only have one password to worry about.
You'll have the ability to transfer them between Identity accounts if you'd like, which also lets you effectively disconnect them by making a new Identity account with nothing but the one STiBaRC account.
Also I wanted to move developer apps to the identity service so they can access Thinkblog resources as well.
Q: If I still want account switching without linking accounts, will that still be possible?
A: Yes, identity.stibarc.com will allow you to be logged into multiple independent Identity accounts at the same time.
Q: I thought Thinkblog was going to have its own, separate account system?
A: It still is! As promised, Thinkblog will continue to have its own account system, and will not require an identity.stibarc.com account to use.
But the option to link it will be there if you want to, and it will allow you to use the same credentials across both services and manage them together.
Using OAuth apps created in the Identity service for Thinkblog will not require end-users to have an Identity account, but to create an OAuth app that can access Thinkblog resources, you will need to have an Identity account. This is so I don't have to create a separate developer portal for Thinkblog.
Q: Are you still working on the Thinkblog redesign?
A: Yes. I'll probably try to finish it first actually. Identity account linking will come after that.
Q: When are RSS feeds coming back?
A: Sometime.
3
0
