RESTful API interview questions

chanduthedev
3 min read · Sep 20, 2023


1. What are HTTP methods?

  • An HTTP method is the operation a client asks the server to perform on a resource.
  • Some of the HTTP methods are:
    - GET: to fetch resource details
    - POST: to create a new resource
    - PUT: to replace the entire resource
    - PATCH: to update some fields of the resource
    - DELETE: to delete a resource

2. What is idempotency? What are the idempotent HTTP methods?

  • Idempotency is a property of an operation: no matter how many times you call it, the result is the same.
  • Idempotent HTTP methods leave the server in the same state no matter how many times the request is repeated.
  • GET, DELETE and PUT are idempotent: they always return the same resource, delete the same resource and replace the same resource.
  • POST is not idempotent, because every POST call creates a new resource.

3. What is the difference between PUT and PATCH?

  • PUT and PATCH both carry a request body and are used to update a resource.
  • PUT replaces the entire resource.
  • PATCH updates the resource partially (only some fields).
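To make questions 2 and 3 concrete, here is an added in-memory store (example code, not from the original post; the class and method names are assumed) whose methods follow the POST/PUT/PATCH/DELETE semantics above, and a demo that repeats each method to show which ones are idempotent:

```python
import copy

class ArticleStore:
    """In-memory backend; method names mirror the HTTP methods they implement."""

    def __init__(self):
        self.articles = {}   # id -> resource dict
        self.next_id = 1

    def post(self, body):
        # POST: every call allocates a new id, so repeating it is NOT idempotent
        new_id, self.next_id = self.next_id, self.next_id + 1
        self.articles[new_id] = dict(body)
        return 201, new_id

    def put(self, article_id, body):
        # PUT: replace the whole resource; fields missing from the body disappear
        self.articles[article_id] = dict(body)
        return 200, copy.deepcopy(self.articles[article_id])

    def patch(self, article_id, body):
        # PATCH: merge only the supplied fields into the existing resource
        if article_id not in self.articles:
            return 404, None
        self.articles[article_id].update(body)
        return 200, copy.deepcopy(self.articles[article_id])

    def delete(self, article_id):
        # DELETE: a repeat leaves the server state unchanged (resource already gone)
        self.articles.pop(article_id, None)
        return 204, None

def demo():
    """Replays each method twice and returns what the store looks like afterwards."""
    store = ArticleStore()
    store.post({"title": "REST", "lang": "python"})
    store.post({"title": "REST", "lang": "python"})   # second POST -> second resource
    count_after_post = len(store.articles)             # 2
    store.put(1, {"title": "REST v2"})
    store.put(1, {"title": "REST v2"})                 # same state after the repeat
    after_put = dict(store.articles[1])                # "lang" was dropped by PUT
    store.patch(2, {"lang": "go"})
    after_patch = dict(store.articles[2])              # "title" kept, "lang" changed
    store.delete(2)
    store.delete(2)                                    # second DELETE changes nothing
    return count_after_post, after_put, after_patch, len(store.articles)
```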

4. What is the difference between GET and POST?

  • GET method:
    - GET is used to retrieve resource details from the back-end (database)
    - The resource id is provided in the GET URL
    - GET has no request body
    - GET is idempotent
  • POST method:
    - POST is used to create a new resource in the back-end (database)
    - POST has a request body
    - POST is not idempotent

5. What is Authentication?

  • Authentication is the process of verifying an identity, i.e. showing that a claim of identity is true
  • Validating credentials is one kind of authentication
  • Authentication ensures that only callers presenting valid credentials can reach the secured system

6. What is Authorization?

  • Authorization is the process of granting permission/access to a resource
  • Authorization is often implemented as role based access control (RBAC)
  • Downloading/reading a file after login is one kind of authorization

7. What is the difference between authentication and authorization?

  • Authentication:
    - Requires the full credentials to validate
    - Is the process of verifying identity
    - Some authentication techniques are credentials, OTP, fingerprints, face detection etc.
  • Authorization:
    - Does not require the full credentials, but needs a valid token or similar
    - Is the process of verifying that the user has permission to access the resource
    - Some authorization techniques are role based access, OAuth, JWT tokens etc.

8. How to authenticate HTTP Request?

  • To validate an HTTP request, the request must carry either credentials or token/session data
  • For a login request (POST), the body should contain the credentials:
    - Validate the credentials on the server side
    - Generate a token (normally a JWT)
    - Return the generated token in the POST response body
    - For all subsequent HTTP requests, validate the token
  • For GET or other normal HTTP requests:
    - Always check the request headers (e.g. the Authorization header or a custom X- header) for the token value
    - Decode the token, verify its signature, and check its validity and expiry date
    - Return an unauthorized status code if the token is invalid
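The two halves of that flow, as an added example that is not part of the original post: a login step that checks credentials and issues an HMAC-signed (HS256-style) JWT, and a verify step that reads the token from the Authorization header and rejects tampered or expired tokens. Because the token is signed rather than encrypted, the check is a signature verification; the secret, user table and function names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-secret-keep-real-keys-in-config"        # assumed server-side key
# constructed credential store; real systems store a slow hash (bcrypt/argon2), not SHA-256
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
TTL = 3600                                                      # token lifetime in seconds

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login(body, now=None):
    """Login step: validate the credentials in the POST body, then issue a signed token."""
    now = int(time.time()) if now is None else now
    digest = hashlib.sha256(body.get("password", "").encode()).hexdigest()
    if not hmac.compare_digest(digest, USERS.get(body.get("username", ""), "")):
        return 401, {"error": "invalid credentials"}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": body["username"], "exp": now + TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return 200, {"token": f"{header}.{payload}.{b64url(sig)}"}

def verify(headers, now=None):
    """Subsequent requests: read the token from the header, check signature and expiry."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, {"error": "malformed token"}
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        # constant-time compare; any edit to header or payload invalidates the signature
        if not hmac.compare_digest(unb64url(sig), expected):
            return 401, {"error": "bad signature"}
        claims = json.loads(unb64url(payload))
        expired = claims["exp"] <= now
    except (ValueError, KeyError, TypeError):    # bad base64, bad JSON or bad claims
        return 401, {"error": "malformed token"}
    if expired:
        return 401, {"error": "token expired"}
    return 200, {"user": claims.get("sub")}
```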

9. Best practices to design and develop RESTful API’s

Below are some of the best practices for developing RESTful APIs.

  • JSON format:
    - Always use JSON for sending and receiving data
    - JSON is lightweight and human readable
    - Set the Content-Type header to application/json when sending JSON
  • Nouns, not verbs, in endpoints:
    - Endpoints should contain only nouns, not verbs
    - /createArticle is a poor endpoint; /article (with the action expressed by the HTTP method) is the better way
  • Versioning:
    - Versioning APIs is really helpful for backward compatibility
    - The version number should be specified in the endpoint/URL
    - A sample endpoint is /v1/article
  • Status codes:
    - Always return status codes in the HTTP response
    - Return the appropriate status code for each outcome
    - Use a JSON error message in error responses
  • Resource nesting:
    - Keep resource nesting in the endpoint simple
    - Avoid deeply nested resources
    - /articles/:id is a good example of a nested resource
  • Filtering and pagination:
    - Always support filtering and pagination via query parameters when a request can return a large amount of data
    - /article?page=1 is an example of pagination
    - /article?lang=python is an example of filtering data
  • Security:
    - Always use HTTPS (SSL/TLS) for transport security
    - Always authorize each HTTP request by validating its authorization headers
  • Caching:
    - Caching response data improves response time
    - Caching can sometimes serve outdated data
  • Clear documentation:
    - One of the main problems when developing/updating an API is communication
    - Every API is consumed by other users, so sharing up-to-date API documentation really helps them
    - Write clear documentation using tools like Swagger, OpenAPI etc.
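Several of the practices above (a versioned noun endpoint, query-parameter filtering and pagination, and status codes with JSON error bodies) can be shown in one handler. This is an added example, not code from the original post; the article data, page size and function name are constructed for it.

```python
from urllib.parse import parse_qs, urlsplit

# constructed sample data standing in for the database
ARTICLES = [
    {"id": 1, "title": "REST basics", "lang": "python"},
    {"id": 2, "title": "JWT in Go", "lang": "go"},
    {"id": 3, "title": "PATCH vs PUT", "lang": "python"},
    {"id": 4, "title": "Idempotency", "lang": "python"},
]
PAGE_SIZE = 2

def get_articles(url):
    """GET /v1/articles?page=N&lang=X -> (status code, JSON-serialisable body)."""
    parts = urlsplit(url)
    if parts.path != "/v1/articles":                 # versioned, noun-only endpoint
        return 404, {"error": "no such resource"}
    query = parse_qs(parts.query)
    try:
        page = int(query.get("page", ["1"])[0])       # pagination defaults to page 1
    except ValueError:
        return 400, {"error": "page must be an integer"}
    if page < 1:
        return 400, {"error": "page must be >= 1"}
    rows = ARTICLES
    lang = query.get("lang")                          # optional filter
    if lang:
        rows = [a for a in rows if a["lang"] == lang[0]]
    start = (page - 1) * PAGE_SIZE
    items = rows[start:start + PAGE_SIZE]
    if not items and page > 1:
        return 404, {"error": "page out of range"}
    return 200, {"page": page, "total": len(rows), "items": items}
```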
