| Securing APIs: Part 1 - Setup
The starting point for a series on APIs implemented with Rust and Actix-web.
Dec

Introduction

I’m going to come clean and say that I’ve spent the last decade plus in the classroom, not in tech, so, if you see any errors or misconceptions, feel free to point them out so I can feel bad about myself. It’s not that I haven’t spent plenty of time coding, it’s that I lack the industry level knowledge that comes from working alongside more experienced developers. There is a slight benefit to that, in that in this series I’ll stop and explain things which your average programmer or network admin will gloss over, assuming it to be common knowledge.

You can consider this post, and those which follow, my notes on the parts which make up an API, and how that might be implemented using Rust and Actix-web. It’s something I’ve done a few times before, and I have a general understanding of how the pieces are put together, but on this iteration I want to wade into the guts.

A friendly voice (we’ll call him mr_k) on darkscience gave me this topic. I had some extra time at work, and he offered secure APIs as a research point, which in hindsight was probably pulled from whatever documentation he was reading at the time, or related to whatever one of his colleagues had managed to bork. Regardless, he sent me off on somewhat of a snipe hunt, because what makes an API secure is about as clear as glass of turds. Neverthless, I managed to cobble something together while learning a thing or three.

What the hell is an API?

The term API is an old one, and if you want to dive into its history then Wikipedia is not a bad place to start.

An application programming interface (API) is a way for two or more programs to communicate with each other.

That doesn’t seem like a lot to cover, just every single method of program-to-program communication used in the last 80 years. How many could there possibly be?

On day one I started following links and making notes, and within minutes I’d gone from the somewhat familiar territory of JWT secured APIs to SOAP, WSDL and gRPC. I soon found myself reading 15 year old Roy Fielding blog posts to get to the root of the matter. The man does have an enviable domain name.

After a couple of hours and pages of notes which only scratched the surface of a handful of API-related topics, I decided to narrow my scope. I needed to zoom and enhance until I found something I could sink my teeth into. I’d circle back around to SOAP and gRPC later on I told myself, and instead focus on RESTful APIs.

The setup

We’ll do all this through a series of programs written in Rust and using the Actix framework (specifically Actix-web).

The get set up in order to follow along without writing the code from scratch, clone or download the repo https://github.com/kilroyjones/notes-on-secure-apis. In it you will find a server folder and a client folder. There are a number of different servers, which are basically snapshots of the API we’re building, and they can be found in the server/src/bin folder. To run them you can do the following:

$ cargo run --bin simple-api-1

In the client folder you’ll find a series of different clients, each in their own folder, that will be used with the servers. To run these, navigate to the folder and do:

$ python -m http.server

You should then be able to go to http://localhost:8000 to find the page. These are all minimal, so as to avoid cluttering with unnecessary code, which means I’ve avoided CSS styling, logging, and such.

In the server/src folder you’ll find an SQLite database named chinook.db which is a stripped down version of this. I’ve changed the names to avoid getting warnings from our models in Rust, and also taken out a number of tables. We’ll mostly just use one table (albums), but I left a few others in there in case anyone wants to play with other queries.

You can also create your environment and follow along from scratch, but I don’t provide step-by-step instructions in order to do so.

Hopefully you’ve got everything set and are ready to go on to part 2: Simple API.


Referenced links