Book Image

Hands-On RESTful Web Services with Go - Second Edition

By : Naren Yellavula
Book Image

Hands-On RESTful Web Services with Go - Second Edition

By: Naren Yellavula

Overview of this book

Building RESTful web services can be tough as there are countless standards and ways to develop API. In modern architectures such as microservices, RESTful APIs are common in communication, making idiomatic and scalable API development crucial. This book covers basic through to advanced API development concepts and supporting tools. You’ll start with an introduction to REST API development before moving on to building the essential blocks for working with Go. You’ll explore routers, middleware, and available open source web development solutions in Go to create robust APIs, and understand the application and database layers to build RESTful web services. You’ll learn various data formats like protocol buffers and JSON, and understand how to serve them over HTTP and gRPC. After covering advanced topics such as asynchronous API design and GraphQL for building scalable web services, you’ll discover how microservices can benefit from REST. You’ll also explore packaging artifacts in the form of containers and understand how to set up an ideal deployment ecosystem for web services. Finally, you’ll cover the provisioning of infrastructure using infrastructure as code (IaC) and secure your REST API. By the end of the book, you’ll have intermediate knowledge of web service development and be able to apply the skills you’ve learned in a practical way.

Related Content you might be interested in

Current Title:

Small book image
Hands-On RESTful Web Services with Go - Second Edition
Naren Yellavula
Feb, 2020 | 404 pages
Small book image
Go Web Development Cookbook
Arpit Aggarwal
Apr, 2018 | 338 pages
Small book image
Building Distributed Applications in Gin
Mohamed Labouardy
Jul, 2021 | 482 pages
Small book image
Practical gRPC
Joshua B Humphries | Robert Ross | David Konsumer | David Muto | Carles Sistare
Nov, 2019 | 169 pages
Table of Contents (16 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Getting Started with REST API Development
Getting Started with REST API Development
Technical requirements
Types of web services
REST verbs and status codes
The rise of the REST API with SPAs
Setting up the project and running the development server
Building our first service – finding the fastest mirror site from a list
Open API and Swagger
Summary
Free Chapter
2
Handling Routing for our REST Services
Handling Routing for our REST Services
Technical requirements
Understanding Go's net/http package
ServeMux – a basic router in Go
Understanding httprouter – a lightweight HTTP router
Introducing gorilla/mux – a powerful HTTP router
SQL injection in URLs and ways to avoid them
Reader's challenge – an API for URL shortening
Summary
3
Working with Middleware and RPC
Working with Middleware and RPC
Technical requirements
What is middleware?
Multiple middleware and chaining
Painless middleware chaining with Alice
Using Gorilla handlers middleware for logging
What is RPC?
JSON-RPC using Gorilla RPC
Summary
4
Simplifying RESTful Services with Popular Go Frameworks
Simplifying RESTful Services with Popular Go Frameworks
Technical requirements
Introducing go-restful – a REST API framework
SQLite3 basics and CRUD operations
Building a Metro Rail API with go-restful
Building RESTful API with the Gin framework
Building a RESTful API with revel.go
Summary
5
Working with MongoDB and Go to Create a REST API
Working with MongoDB and Go to Create a REST API
Technical requirements
Introduction to MongoDB
Installing MongoDB and using the shell
Introducing mongo-driver, an official MongoDB driver for Go
RESTful API with gorilla/mux and MongoDB
Boosting the querying performance with indexing
Designing MongoDB documents for a delivery logistics API
Summary
6
Working with Protocol Buffers and gRPC
Working with Protocol Buffers and gRPC
Technical requirements
Introduction to protocol buffers
Protocol buffer language
Compiling a protocol buffer with protoc
Introduction to gRPC
Bidirectional streaming with gRPC
Summary
7
Working with PostgreSQL, JSON, and Go
Working with PostgreSQL, JSON, and Go
Technical requirements
Discussing PostgreSQL installation options
Introducing pq, a pure PostgreSQL database driver for Go
Implementing a URL-shortening service using PostgreSQL and pq
Exploring the JSONStore feature in PostgreSQL
Summary
8
Building a REST API Client in Go
Building a REST API Client in Go
Technical requirements
Plan for building a REST API client
Basics for writing a command-line tool in Go
Cobra, an advanced CLI library
grequests a REST API package for Go
Getting comfortable with the GitHub REST API
Creating a CLI tool as an API client for the GitHub REST API
Using Redis to cache the API data
Summary
9
Asynchronous API Design
Asynchronous API Design
Technical requirements
Understanding sync/async API requests
Fan-in/fan-out of services
Delaying API jobs with queuing
Long-running task design
Caching strategies for APIs
Event-driven API
Summary
10
GraphQL and Go
GraphQL and Go
Technical requirements
What is GraphQL?
Over-fetching and under-fetching problems in the REST API
GraphQL basics
Creating GraphQL clients in Go
Creating GraphQL servers in Go
Summary
11
Scaling our REST API Using Microservices
Scaling our REST API Using Microservices
Technical requirements
What are microservices?
Monoliths versus microservices
Introducing Go Micro, a package for building microservices
Adding logging to microservices
Summary
12
Containerizing REST Services for Deployment
Containerizing REST Services for Deployment
Technical requirements
Installing the Nginx server
What is a reverse proxy server?
Deploying a Go service using Nginx
Monitoring our Go API server with Supervisord
Makefile and Docker Compose-based deployment
Summary
13
Deploying REST Services on Amazon Web Services
Deploying REST Services on Amazon Web Services
Technical requirements
Basics for working with AWS
IaC with Terraform
Why is an API Gateway required?
Introducing Amazon API Gateway
Other API Gateways
Summary
14
Handling Authentication for our REST Services
Handling Authentication for our REST Services
Technical requirements
How simple authentication works
Introducing Postman, a visual client for testing a REST API
Persisting client sessions with Redis
Introducing JWT and OAuth2
JWT in an OAuth2.0 workflow
Exercise
Security aspects of an API
Summary
15
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

SQL injection in URLs and ways to avoid them

SQL injection is a process of attacking a database with malicious scripts. If one is not careful when defining URL routes, there may be an opportunity for SQL injection. These attacks can happen for all kinds of REST operations. For example, if we are allowing the client to pass parameters to the server, then there is a chance for an attacker to append an ill-formed string to those parameters. If we are using those variables/parameters directly into an SQL query executing on our database, it could lead to a potential vulnerability.

Look at the following Go code snippet that inserts username and password details into the database. It collects values from an HTTP POST request and appends raw values to the SQL query:

username := r.Form.Get("id")
password := r.Form.Get("category")
sql := "SELECT * FROM article WHERE id='" + username + "' AND category='" + password + "'"
Db.Exec(sql)

In the snippet, we are executing a database SQL query, but since we are appending the values directly, we may include malicious SQL statements such as -- comments and ORDER BY n range clauses in the query:

?category=books&id=10 ORDER BY 10--

If the application returns the database response directly to the client, it can leak information about the columns the table has. An attacker can change the ORDER BY to another number and extract sensitive information:

Unknown column '10' in 'order clause'

We will see more about this in our upcoming chapters where we build fully-fledged REST services with other methods, such as POST, PUT, and so on:

Now, how to avoid these injections. There are several precautions:

  • Set the user level permissions to various tables in the database
  • Log the requests and find the suspicious ones
  • Use the HTMLEscapeString function from Go's text/template package to escape special characters in the API parameters, such as body and path
  • Use a driver program instead of executing raw SQL queries
  • Stop relaying database debug messages back to the client
  • Use security tools such as sqlmap to find out vulnerabilities

With the basics of routing and security covered, in the next section we present an interesting challenge for the reader. It is to create a URL shortening service. We provide all the background details briefly in the next section.

Previous Section
End of Section 7
Next Section