Create a ready-to-go express router for a REST API with filters, input validation, output checking, versioning, automatic routes and logging.
See on npm
npm install api-lift
This module is built on top of express and lift-it and is meant to be very opinionated.
Stable, missing some docs
This module is locked down by some strong assumptions:
- The routes are created and named after the files in the file system
- The endpoints are to be implemented as supported by lift-it. See details in section "Endpoint handler"
- Works with REST pattern, generating the following routes for each http method:
- DELETE /resource/id -> call resource/rest_delete.js
- GET /resource -> call resource/rest_list.js
- GET /resource/id -> call resource/rest_read.js
- PUT /resource/id -> call resource/rest_update.js
- POST /resource -> call resource/rest_create.js
- POST /resource/id/action -> call resource/action.js
- Query params (in GET method), resource id (from url) and header (apiKey if hasApiKey, Authorization if hasOAuth) will be added to json body in the endpoints calls
- Standard output for success:
{failure:null}
, for error:{failure:{code:Number,message:String}}
Okay, after complying to all the rules outlined above, you get:
- Filters, input validation, output checking and profiling (by
lift-it
) - Versioning: don't break old consumers and yet let the API evolve
- Logging: simple logging interface to connect to any logging solution (like log-sink)
let apiLift = require('api-lift')
let api = apiLift({
// All options are optional :P
// The default values are described bellow
// Some are not configurable and can not be changed,
// those are listed only for your information
// Options for `lift-it`
folder: './api',
profile: false,
errorClass: apiLift.APIError, // <-- can't be changed
enableErrorCode: true, // <-- can't be changed
// Custom lift-it plugins to use
plugins: [],
// Options for validate plugin of `lift-it`
validate: {
// Use the plugin defaults
},
// Options for validate plugin of `lift-it`
validateOutput: {
direction: 'output', // <-- can't be changed
exportName: 'outFields',
optional: true,
getDefaultValue: function () {
return {}
},
code: 100,
errorHandler: function (action, value, err) {
throw err
},
options: {
strict: true
}
},
// Options for filters plugin of `lift-it`
filters: './filters',
// Options for bodyParser.json() of `body-parser`
bodyParser: {},
// Options for this module
minVersion: 1, // the min version to support
dataScrub: [/session|password|serial|token/i], // describe fields to hide in the body
isRest: true,
hasApiKeyAuth: false // HTTP header apiKey will be passed in json to the endpoints,
hasOAuth: true // HTTP header Authorization will be passed in json to the endpoints
checkId: function(x){
// Checks whether the string x is an id of the resource
},
callToJSON: function (x) {
// function to convert log value to JSON
return x.toJSON()
},
onsuccess: function (response, runInfo, body, endpoint) {
// Called right before a request is answered with success
// `response` is the JSON object to send
// `runInfo` carries data about the execution
// `runInfo.req` is the express request object (if routed with express)
// `runInfo.requestId` a unique identifier for this execution
// `runInfo.beginTime` is the value of Date.now() when the request was received
// `runInfo.profileData` is the profile data (if enabled)
// `body` is the cleaned (see bellow) JSON input
// `endpoint` is the instance of the executed Endpoint
},
onfailure: function (response, runInfo, body, endpoint, error) {
// Called right before a request is answered with error
// `response`, `runInfo`, `body` and `endpoint` behave the same as onsuccess
// `endpoint` may be undefined if the error is not linked to any
// `error` is the original error object
},
timeout: 30e3,
ontimeout: function (runInfo, body, endpoint) {
// Called when an endpoint does not resolve within time
// `runInfo`, `body` and `endpoint` behave the same as onsuccess
// The timeout will not interfere on the endpoint's normal operation, that is,
// the request won't be modified in any way and the endpoint still have
// oportunity to answer the request properly
},
// Options for generating openApi spec
// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md
openApi: {
// Whether to add routes to serve the spec, like:
// /swagger.json -> all versions
// /v3/swagger.json -> specific version
// /v-last/swagger.json -> last version
serve: false,
// File name used to serve
serveAs: 'swagger.json',
// Base swagger to start completing
// Usually, we have info, basePath, host and schemes properties from root object
middleware: function (req, res, next) {
// An express middleware, set on the spec-serving rout
// May be used to implement authentication, for example
next()
},
prepareEndpoint: function (endpoint, pathItem) {
// Called for each "Path Item Object" created
// `endpoint` is the instance of Endpoint
// `pathItem` is an object following the OpenAPI spec for "Path Item Object"
// The pathItem to use should be returned
// If nothing is returned, this endpoint will be omitted from the output
return pathItem
},
prepareSpec: function (spec) {
// Called for each "Path Item Object" created
// `endpoint` is the instance of Endpoint
// `pathItem` is an object following the OpenAPI spec for "Path Item Object"
return spec
}
}
})
// `api.router` is an express router object
// You can, for example:
let app = apiLift.express() // see note bellow about apiLift.express
app.use('/api', api.router)
require('http').createServer(app).listen(80)
This module uses express
internally to create the router object. To avoid compatibility problems, it's adviced to use the same lib this module is using. This is exported as require('api-lift').express
The parameter body
given to onsuccess
and onfailure
has properties matching one of the regular expressions in dataScrub
scrubbed (even in deep objects and arrays). This is meant to make it log-safe. Example: {password: '123456'}
becomes {password: '[HIDDEN]'}
The return of apiLift()
call is an instance of API
. Its properties are:
{express:Router} router
: an express Router instance{number} minVersion
: the minimum supported version{number} maxVersion
: the maximum supported version{Array<string>} versions
: The list of supported versions, ordered from oldest to newest. Example:['v3', 'v4']
{Array<Endpoint>} endpoints
: the list of available endpoints{Object<Endpoint>} endpointByUrl
: a map from url to an Endpoint instance
If you are not interested in the router, but in the returned meta-data (like max version), use apiLift.info(options)
instead:
let apiLift = require('api-lift')
let info = apiLift.info({
// The default values are described bellow
folder: './api',
minVersion: 1
})
info.maxVersion // a number
All public methods and properties are described in the generated docs
This module aims to make endpoint versioning very simple, pragmatic and source-control friendly. The system only cares about backwards-incompatible changes, that is, MAJOR changes (as defined by semantic versioning).
By default (options.minVersion
), all endpoints start at version 1. That is, a file in the path api/user/create.js
is served at the url /v1/user/create
. If a breaking change is to be made in this endpoint, the API version must be bumped to 2. To do this, the current file is copied to api/user/create-v1.js
and new changes can be freely applied to the current api/user/create.js
file. The new url will be /v2/user/create
and will be mapped to the current file. The old url will keep working and will point to the old v1 file. Any other endpoint that hasn't been changed will be served equally in v1 and v2. Magic!
Note that the v1 file is like a snapshot. From the point of view of a revision control system (like git), the file has evolved linearly: no move/rename or any other trick (like symlinks).
After some time, the support for version 1 may be dropped, by increasing the minVersion
option and removing old v1 files.
For the following files in the api folder:
api
user
create.js
create-v2.js
findbyname-v1.js
getinfo.js
Assuming minVersion
is 1, those endpoints will be created:
/v1
/user/create -> api/user/create-v2.js
/user/findbyname -> api/user/findbyname-v1.js
/user/getinfo -> api/user/getinfo.js
/v2
/user/create -> api/user/create-v2.js
/user/getinfo -> api/user/getinfo.js
/v3
/user/create -> api/user/create.js
/user/getinfo -> api/user/getinfo.js
The file api/user/getinfo.js
is available in all versions. api/user/create-v2.js
is the snapshot for v1 and v2, api/user/create.js
is used in v3. api/user/findbyname-v1.js
is the snapshot for v1 only and is not available in next versions.
While processing the request, process.domain.runInfo
is an express request instance. req.requestId
is a string, unique for each request. As a result, in any async process created by the request, process.domain.runInfo.requestId
can be used. Useful for logs, for example.
TODO
TODO
Each endpoint can set its own body size limit by setting the module.exports.bodyLimit
property (syntax from bytes). If it doesn't set this property, the limit will be the one defined in the bodyParser
field from options
.
The default HTTP status code to a correct execution of success
is 200 Ok
.
If the success function has in its output
the property HTTPStatusCode
, this one is answered.
Note: HTTPStatusCode
is a private property and will be deleted after sent. Do not use it as a property in your output
.
The generated erros respects the APIError class, this is, always have an internal code and a message. A HTTP status code is optional, and if not set the 500 Internal Server Error
is answered.
The APIError will always respect the information received from error
function.
The invalid path
errors are always 404 Not Found
and invalid content-type/json 400 Bad Request