Writing a Javascript REST client
Posted by
on underLast month I published an article on writing RESTful web services in Python, in which I developed a small web service.
Today I'm putting my "front-end" hat to show you how to write a Javascript client application that uses the Python service.
Source code for this tutorial
The source code for this tutorial is available on my REST-tutorial project on github. The incremental versions are tagged and linked in the appropriate sections of the article to save you from having to type or copy/paste the code yourself.
Download the initial version: zip | github
This version includes just the REST server. To execute it under Python's development web server you have to run the following command:
- For Linux, OS X and Cygwin:
./rest-server.py
- For Windows:
python rest-server.py
The development server will be listening for requests on port 5000 of the local host, so you'll access it as http://localhost:5000
.
The REST web service
In the aforementioned article I developed a simple web service that maintains a to-do list. The REST API endpoints for this service are:
HTTP Method | URI | Action |
---|---|---|
GET | http://[hostname]/todo/api/v1.0/tasks | Retrieve list of tasks |
GET | http://[hostname]/todo/api/v1.0/tasks/[task_id] | Retrieve a task |
POST | http://[hostname]/todo/api/v1.0/tasks | Create a new task |
PUT | http://[hostname]/todo/api/v1.0/tasks/[task_id] | Update an existing task |
DELETE | http://[hostname]/todo/api/v1.0/tasks/[task_id] | Delete a task |
All the endpoints in this service are secured by HTTP basic authentication.
The only resource exposed by this service is a "task", which is composed of the following data fields:
- uri: unique URI for the task. String type.
- title: short task description. String type.
- description: long task description. Text type.
- done: task completion state. Boolean type.
The REST server article shows how to place calls into this server using a command line utility called curl
. Please see that article for details on this if you are interested in learning about the server side.
We will not discuss any more server related matters today. Are you ready to cross to the client-side? Let's go!
Choosing the stack
We will develop a client application that will run on web browsers, so we need to decide what tools and/or frameworks we will use.
For the base stack we don't really have much of a choice: The layout will be done in HTML, styling will be done in CSS and scripting in Javascript. No surprises here. While there are other choices, these guarantee that most modern browsers will run our application.
But these technologies alone would make for a rough development experience. For example, while Javascript and CSS work in all browsers, implementations differ, many times in subtle or obscure ways. There are three areas in which we would benefit from higher level cross-browser frameworks:
- Presentation and styling
- REST request management
- Templates and event handling
Let's review each and evaluate what options there are.
Presentation and styling
We don't really have the patience nor the interest to test several browsers to make sure our HTML, CSS and Javascript works. There are a few frameworks that provide already tested CSS styles and Javascript functions to build websites with a modern look and user interface.
We will use Twitter Bootstrap, the most popular CSS/Javascript layout framework.
REST request management
Our client application running inside the web browser will need to issue requests to the REST web server. The browser's Javascript interpreter provides an API for this called XMLHttpRequest, but the actual implementation varies from browser to browser, so we would need to write browser specific code if we wanted to code against this API directly.
Lucky for us there are several cross-browser Javascript frameworks that hide these little differences and provide a uniform API. Once again we will pick the leading framework in this category, jQuery, which not only provides a uniform Ajax API but a large number of cross-browser helper functions.
Templates and event handling
Finally, our client application will need to generate dynamic content that will be inserted into an existing HTML document, and also update this content as a response to the actions issued by the user. We could use jQuery for all this, but jQuery's support in this area is pretty basic.
Many application frameworks adopt a pattern called Model View Controller to write maintainable applications that separate data from behavior. In MVC frameworks models store the data, views render the data and controllers update views and models according to user actions. The separation between data, presentation and behavior is very clear. There are some variations of MVC, like MVP (Model View Presenter) or MVVM (Model View ViewModel) that are popular as well. All these patterns are usually referred together as MV* frameworks.
MV* frameworks in the client side is a very hot topic these days, there are several projects that compete in this area without a clear winner. Here are the ones that I have evaluated:
AngularJS and Ember.js are the ones with the most features, in particular both have two-way data binding, which allows you to associate Javascript variables to elements in the HTML page so that when one changes the other updates automatically. They both look pretty good, but the learning curve is steep, and their documentation is pretty bad.
Backbone is the oldest framework of the four. It has no automatic data binding, instead you have to set up event handlers and write the code to perform the updates inside them.
Knockout was a surprise. This is a framework that is smaller than the other three, its main feature is two-way data binding. The documentation is excellent, very detailed and complete. There is a fun interactive tutorial followed by reference documentation and several examples, all integrated into an easy to navigate site.
Based on the above analysis, I've decided to give Knockout a chance.
Basic page layout
Let's begin by creating the main page skeleton:
<!DOCTYPE html>
<html>
<head>
<title>ToDo API Client Demo</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/css/bootstrap-combined.min.css" rel="stylesheet">
<script src="http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.0.js"></script>
<script src="http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
<script src="http://ajax.aspnetcdn.com/ajax/knockout/knockout-2.2.1.js"></script>
</head>
<body>
<div class="navbar">
<div class="navbar-inner">
<a class="brand" href="#">ToDo API Client Demo</a>
</div>
</div>
<div id="main" class="container">
Main content here!
</div>
<script type="text/javascript">
// application code here!
</script>
</body>
</html>
This is a pretty standard HTML5 document.
The meta name="viewport"
comes from Bootstrap. It makes the page scale according to the browser dimensions, be it a browser on a desktop PC or one in a smartphone. What follows is the Bootstrap CSS file, which we import from a CDN (content delivery network) so that we don't have to host it ourselves. Next come the Javascript files for jQuery, Bootstrap and Knockout, also imported from CDNs.
In the body of the page we first have a top bar with the application title, created using Bootstrap's CSS styles. Then we have the main content area, where we will insert the application data. And finally, we will have our application code at the bottom, keeping in mind that for larger projects the application code should likely go into one or more independent Javascript source files.
Download the project at this stage: zip | github
To see how the page looks start the Python server and then navigate to http://localhost:5000/index.html
in your browser.
Content area layout
Using Bootstrap styles we can create a mock up of the content area of our application:
Task | Options | |
Done | Task title Task description |
|
In Progress | Task title Task description |
The HTML code that achieves the above look is:
<table class="table table-striped">
<tr><td style="width: 1px;"></td><td><b>Task</b></td><td><b>Options</b></td></tr>
<tr>
<td>
<span class="label label-success">Done</span>
</td>
<td><p><b>Task title</b></p><p>Task description</p></td>
<td>
<button class="btn">Edit</button>
<button class="btn">Delete</button>
<span><button class="btn">Mark In Progress</button></span>
</td>
</tr>
<tr>
<td>
<span class="label label-important">In Progress</span>
</td>
<td><p><b>Task title</b></p><p>Task description</p></td>
<td>
<button class="btn">Edit</button>
<button class="btn">Delete</button>
<span><button class="btn">Mark Done</button></span>
</td>
</tr>
</table>
<button class="btn">Add Task</button>
Download the project at this stage: zip | github
Once again, at this point you can start the Python server and then navigate to http://localhost:5000/index.html
in your browser to see the page.
Two-way data binding from the HTML side
The above HTML code looks great, but it is static, so it is of no use other than to prototype the look of our application. We now need to convert it into a Knockout view that can show actual data and respond to user clicks. For this we will use some constructs provided by Knockout:
<table class="table table-striped">
<tr><td style="width: 1px;"></td><td><b>Task</b></td><td><b>Options</b></td></tr>
<!-- ko foreach: tasks -->
<tr>
<td>
<span data-bind="visible: done" class="label label-success">Done</span>
<span data-bind="visible: !done()" class="label label-important">In Progress</span>
</td>
<td><p><b data-bind="text: title"></b></p><p data-bind="text: description"></p></td>
<td>
<button data-bind="click: $parent.beginEdit" class="btn">Edit</button>
<button data-bind="click: $parent.remove" class="btn">Delete</button>
<span data-bind="visible: done">
<button data-bind="click: $parent.markInProgress" class="btn">Mark In Progress</button>
</span>
<span data-bind="visible: !done()">
<button data-bind="click: $parent.markDone" class="btn">Mark Done</button>
</span>
</td>
</tr>
<!-- /ko -->
</table>
<button data-bind="click: beginAdd" class="btn">Add Task</button>
The ko foreach: tasks
directive is inside an HTML comment to avoid making the HTML document illegal. Even as a comment, Knockout will recognize it and interpret it, causing all the HTML elements that appear after it and until the closing /ko
comment to repeat once per item in the tasks
collection (that we haven't defined yet).
Note that the HTML element that will display the task title got a data-bind="text: title"
attribute added. This directive tells Knockout to bind the title
variable to the text of the element. The title
variable is obtained from the current context. Since we are inside a foreach
loop the context is the current task in the tasks
collection.
Knockout provides binding constructs that can connect to attributes of an element instead of its text. For example, the In progress
and Done
labels get their visible
attribute bound to the done
field of the task, so that only the label that reflects the current state of each task is visible while the other one is hidden. The same binding method is used for the buttons that change the task's done state.
To respond to user input Knockout provides the click
binding, which takes a method name. For example, at the very bottom we have the Add Task
button, which has a click
binding to method beginAdd
. Like variables, methods are searched in the current context. The button is outside the foreach
loop, so it is in the global context, which as we will see soon is the ViewModel instance that controls the element.
The buttons that are inside the foreach
are more tricky, because the context at the level is each task in the tasks
collection. We could add methods to the task objects, but that is a complication since task objects will be returned by the REST server. Instead, we use the $parent
prefix to indicate that the parent context should be used.
With the above changes our page is depending on a few things that don't exist yet:
- a
tasks
collection that has all the tasks to display, each with fields calledtitle
,description
, anddone
. - a method called
beginEdit
that opens a dialog box to edit the selected task. - a method called
remove
that deletes the selected task. - a method called
markDone
that changes that done state of the selected task totrue
. - a method called
markInProgress
that changes that done state of the selected task tofalse
. - a method called
beginAdd
that opens a dialog box to enter a new task.
Two-way data binding from the Javascript side
Knockout uses the MVVM pattern. So far we have worked on the V part, which is the View. The M (Model) will come as JSON data delivered by the REST server. The last component of the triangle is the VM, or ViewModel. This is a Javascript object that will hold the bindings between the models and the views, and will also include the event handlers for user generated actions.
Let's write a mock ViewModel that can interact with our view. This code will be inserted at the bottom of the page, in the <script>
area:
function TasksViewModel() {
var self = this;
self.tasks = ko.observableArray();
self.tasks([
{
title: ko.observable('title #1'),
description: ko.observable('description #1'),
done: ko.observable(false)
},
{
title: ko.observable('title #2'),
description: ko.observable('description #2'),
done: ko.observable(true)
}
]);
self.beginAdd = function() {
alert("Add");
}
self.beginEdit = function(task) {
alert("Edit: " + task.title());
}
self.remove = function(task) {
alert("Remove: " + task.title());
}
self.markInProgress = function(task) {
task.done(false);
}
self.markDone = function(task) {
task.done(true);
}
}
ko.applyBindings(new TasksViewModel(), $('#main')[0]);
The var self = this;
idiom the begins this function is common in Javascript functions that have callback functions, as it saves the original value of this
so that the callbacks, which may have a different this
, can use it.
The ko.observableArray()
and ko.observable()
are the magic that makes Knockout incredibly easy to use. Observables are special Javascript objects that connect a value from a Model to one or more data-bind
attributes that refer to it in the View. Once the connection is established any changes to the value will automatically update the view, and any changes to the view will automatically update the value.
Knockout provides the ko.observable()
object for single values and the ko.observableArray()
for a collection of values. The array version is particularly interesting, because adding or removing array elements will also automatically update what appears in a ko.foreach
section.
Something to keep in mind when working with observables is that they look like regular variables, but they are objects. One can be tempted to write this type of code to update an observable:
var myValue = ko.observable(5);
alert(myValue); // this does not work
myValue = 6; // this does not work
At first sight this appears to create an observable with the value 5, display the value in an alert window and then update it to 6. In reality, the alert will print an obscure string that represents the observable object itself, and the assignment will just replace the observable object with a regular value of 6. The correct way to access and modify and observable is to invoke it as a function:
var myValue = ko.observable(5);
alert(myValue()); // display value
myValue(6); // update value to 6
This is even more error prone on observable arrays, where the function call parenthesis sometimes have to be inserted before the square brackets:
var myArray = ko.observableArray([1, 2, 3]);
alert(myArray()[1]); // show second element
For our TasksViewModel
object we have defined an observable array called tasks
that will get connected to the ko.foreach: tasks
that we have in our view.
We initialize our tasks collection with a mock Model that includes two task objects, each having observables for its properties, so that there are also automatic updates for the data-bind
attributes that point to the fields of each task.
We then define the event handlers that will respond to click events. For now the beginAdd
, beginEdit
and remove
just show an alert dialog. Note that Knockout sends the task object for the events that were generated from inside the ko.foreach
.
The last two events are interesting, because instead of just alerting we are actually modifying our model. Since the task.done
field is an observable the simple act of changing the value will trigger updates to the appropriate parts of the web page.
The last statement in the example calls ko.applyBindings
to activate the ViewModel. The first argument is the created ViewModel object and the second argument is the root element in the HTML document to associate with it.
Download the project at this stage: zip | github
This is, again, a good time to check how the application is progressing. Go ahead and start the Python server and then open http://localhost:5000/index.html
in your browser to see Knockout in action. You will see that the two example tasks in our Model were automagically rendered to the page, and that all the buttons are active. In particular try the "Mark Done" and "Mark In Progress" buttons, to see how simple it is to update the page when data changes.
Connecting to the REST server
Now that we have the client rendering a mock model we are ready to switch to the real thing.
To make an HTTP request to our server we will use jQuery's $.ajax()
function. Here is a second version of our TasksViewModel
, modified to send a request to the server for the list of tasks:
function TasksViewModel() {
var self = this;
self.tasksURI = 'http://localhost:5000/todo/api/v1.0/tasks';
self.username = "miguel";
self.password = "python";
self.tasks = ko.observableArray();
self.ajax = function(uri, method, data) {
var request = {
url: uri,
type: method,
contentType: "application/json",
accepts: "application/json",
cache: false,
dataType: 'json',
data: JSON.stringify(data),
beforeSend: function (xhr) {
xhr.setRequestHeader("Authorization",
"Basic " + btoa(self.username + ":" + self.password));
},
error: function(jqXHR) {
console.log("ajax error " + jqXHR.status);
}
};
return $.ajax(request);
}
self.beginAdd = function() {
alert("Add");
}
self.beginEdit = function(task) {
alert("Edit: " + task.title());
}
self.remove = function(task) {
alert("Remove: " + task.title());
}
self.markInProgress = function(task) {
task.done(false);
}
self.markDone = function(task) {
task.done(true);
}
self.ajax(self.tasksURI, 'GET').done(function(data) {
for (var i = 0; i < data.tasks.length; i++) {
self.tasks.push({
uri: ko.observable(data.tasks[i].uri),
title: ko.observable(data.tasks[i].title),
description: ko.observable(data.tasks[i].description),
done: ko.observable(data.tasks[i].done)
});
}
});
}
ko.applyBindings(new TasksViewModel(), $('#main')[0]);
Let's go over the changes from top to bottom.
At the top of the TasksViewModel
class we define a few new member variables. We will use tasksURI
as our root URI to access the REST server. If you recall, this is the URI that when queried with the GET
HTTP method returns the list of tasks. We also have two variables that record the login information, which for now we are setting to values that are known to work (we will improve on this later).
The tasks
observable array is still there, but we do not initialize it with mock data anymore.
Then we have a new method, simply called ajax
. This is a helper function that wraps jQuery's $.ajax()
call and makes it more convenient. The function takes three arguments, the URI to connect to, the HTTP method to use and optionally the data to send in the body of the request.
Our ajax
function doesn't really do much, it just creates a request object and sends it over to $.ajax()
. In addition to the data given in the function arguments, the request object include the mime type for the request and the response, it disables caching and sets a couple of mysterious callback functions.
The first callback function is called beforeSend
, and jQuery will invoke it after it has created the jqXHR
object that will carry over the request. We need to use this callback to insert the HTTP Basic authentication credentials, because without that the server will not accept our request. For now we just encode the hardcoded username and password. We use the btoa
function to encode the credentials in base64 format, as required by the HTTP protocol.
The second callback function will be invoked by jQuery if the request comes back with an error code. This can happen if the username and/or password are incorrect, for example. In this case we just log the error.
Our ajax
wrapper function returns the return value from $.ajax
, which is a promise object. A promise acts as a proxy for a result of an asynchronous function. When $.ajax()
is invoked a request is sent to the server, but the function returns immediately without waiting for the response. The promise object represents that unknown response.
The last change is at the bottom of the class definition, where the actual request to the REST server is made. Here is that snippet of code copied again:
self.ajax(self.tasksURI, 'GET').done(function(data) {
for (var i = 0; i < data.tasks.length; i++) {
self.tasks.push({
uri: ko.observable(data.tasks[i].uri),
title: ko.observable(data.tasks[i].title),
description: ko.observable(data.tasks[i].description),
done: ko.observable(data.tasks[i].done)
});
}
});
We call the ajax()
wrapper function with the arguments to send a GET
request to the server on the main URI. Then on the return promise we call done()
. All jQuery promises provide a done
method that takes a callback. The callback will be invoked once the asynchronous function associated with the promise ends, with the result of the function passed as an argument.
Our done callback will receive the response data, which is a JSON object that contains the array of tasks returned by the server. We then take this array and for each element create a similar object to add to our tasks
observable array. Note that we can't add the task returned by the server directly because we need some of the fields in the tasks to be observables, so that they update the page automatically when they change.
Download the project at this stage: zip | github
If you try the application with these changes you will see the task list from the server rendered in the page.
Adding a new task
Adding a new task is fun because it requires us to create a dialog box where the user can enter the details.
The Boostrap documentation provides all the information required to create modal dialog boxes. Below is the code that creates a dialog box with a form inside to enter task information:
<div id="add" class="modal hide fade" tabindex="=1" role="dialog" aria-labelledby="addDialogLabel" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="addDialogLabel">Add Task</h3>
</div>
<div class="modal-body">
<form class="form-horizontal">
<div class="control-group">
<label class="control-label" for="inputTask">Task</label>
<div class="controls">
<input data-bind="value: title" type="text" id="inputTask" placeholder="Task title" style="width: 150px;">
</div>
</div>
<div class="control-group">
<label class="control-label" for="inputDescription">Description</label>
<div class="controls">
<input data-bind="value: description" type="text" id="inputDescription" placeholder="Description" style="width: 300px;">
</div>
</div>
</form>
</div>
<div class="modal-footer">
<button data-bind="click: addTask" class="btn btn-primary">Add Task</button>
<button class="btn" data-dismiss="modal" aria-hidden="true">Cancel</button>
</div>
</div>
This dialog box will be hidden initially. The code can be inserted anywhere in the page, for example a good place is right after the main
div.
If you look carefully you will see that the <input>
elements have data-bind
attributes in them that connect to their values. This is so that we can bind variables to them. Likewise, the Add Task button at the bottom is bound to its click event, so that we can act when the user accepts the dialog box.
According to the Bootstrap documentation to display the dialog box we have to do this:
$('add').modal('show');
Since we want to display this dialog box when the user clicks the Add Task button we can now replace our alert with the real thing:
self.beginAdd = function()
{
$('#add').modal('show');
}
This dialog box is effectively our second View, it is a different entity than our task list. Since this is a different View, we also need a different Model and ViewModel:
function TasksViewModel() {
// ... same contents and before
self.add = function(task)
{
self.ajax(self.tasksURI, 'POST', task).done(function(data) {
self.tasks.push({
uri: ko.observable(data.task.uri),
title: ko.observable(data.task.title),
description: ko.observable(data.task.description),
done: ko.observable(data.task.done)
});
});
}
}
function AddTaskViewModel() {
var self = this;
self.title = ko.observable();
self.description = ko.observable();
self.addTask = function() {
$('#add').modal('hide');
tasksViewModel.add({
title: self.title(),
description: self.description()
});
self.title("");
self.description("");
}
}
var tasksViewModel = new TasksViewModel();
var addTaskViewModel = new AddTaskViewModel();
ko.applyBindings(tasksViewModel, $('#main')[0]);
ko.applyBindings(addTaskViewModel, $('#add')[0]);
The new AddTaskViewModel
is extremely simple. It has two observables, which connect to the two <input>
tags in the dialog box. It also has one event handler that connects to the Add Task button.
When the button is clicked the event handler simply calls the add()
method of the tasksViewModel
, passing the title and description values for the new task. The function finally resets the values of the two fields, so that the next time the user wants to add a task the fields appear empty again.
The add()
method of tasksViewModel
invokes the ajax()
function again, but this time it issues a POST
request, which according to the REST standard practices corresponds to a request to add a new resource. The response from the request will be the added task, so when our done()
callback is invoked we just push a new task into our tasks
array. Due to the data binding that exists between the array and the ko.foreach
in the HTML portion of the document as soon as we add an element to the array that element is rendered to the page.
The changes to edit an existing tasks are a bit more complex, but are largely similar.
A new dialog box is added to the document (we cannot use the same as the Add Task dialog because for editing we have the "done" checkbox that we don't have when adding a task).
We also have to add a new ViewModel:
function EditTaskViewModel() {
var self = this;
self.title = ko.observable();
self.description = ko.observable();
self.done = ko.observable();
self.setTask = function(task) {
self.task = task;
self.title(task.title());
self.description(task.description());
self.done(task.done());
$('edit').modal('show');
}
self.editTask = function() {
$('#edit').modal('hide');
tasksViewModel.edit(self.task, {
title: self.title(),
description: self.description() ,
done: self.done()
});
}
}
And here are the new and updated methods in the TasksViewModel
class to support task editing:
self.beginEdit = function(task) {
editTaskViewModel.setTask(task);
$('#edit').modal('show');
}
self.edit = function(task, data) {
self.ajax(task.uri(), 'PUT', data).done(function(res) {
self.updateTask(task, res.task);
});
}
self.updateTask = function(task, newTask) {
var i = self.tasks.indexOf(task);
self.tasks()[i].uri(newTask.uri);
self.tasks()[i].title(newTask.title);
self.tasks()[i].description(newTask.description);
self.tasks()[i].done(newTask.done);
}
The additional complication with the edit dialog box is that prior to showing it we have to fill out the form fields with the current data for the selected task. This is done in the setTask()
method of the EditTaskViewModel
class.
Once the dialog box is accepted the handler in the EditTaskViewModel
class calls the edit()
method of the TasksViewModel
, which sends a PUT
request into the server to update the task. Note how the URI for this request comes from the task itself, since each task has a unique URI. Finally, the callback for the ajax request calls a new helper functon updateTask()
to refresh the observables associated with the task that was edited.
Another method that we can complete is the one that deletes a task. This one is easy, as it does not require any HTML changes to the document:
self.remove = function(task) {
self.ajax(task.uri(), 'DELETE').done(function() {
self.tasks.remove(task);
});
}
And even though the "Mark Done" and "Mark In Progress" buttons appear to work, they aren't really working, all they are doing right now is change the model, but they do not communicate these changes to the server. Here are the updated versions that talk to the server:
self.markInProgress = function(task) {
self.ajax(task.uri(), 'PUT', { done: false }).done(function(res) {
self.updateTask(task, res.task);
});
}
self.markDone = function(task) {
self.ajax(task.uri(), 'PUT', { done: true }).done(function(res) {
self.updateTask(task, res.task);
});
}
Download the project at this stage: zip | github
The client application is nearing completion now. You can take a break and spend some time playing with the different options, since all of them are working now.
Authentication
And we now arrive to our final battle. Up to now the authentication credentials that we were sending to the REST server are hardcoded into the client application. We happen to know that these work, but in a real life situation we have to prompt the user to provide his own credentials.
Let's start by removing the hardcoded credentials:
self.username = "";
self.password = "";
We will also have to add a login dialog box, which I'm not going to show here since it is similar to the previous dialog boxes we created.
We need a ViewModel for our dialog box:
function LoginViewModel() {
var self = this;
self.username = ko.observable();
self.password = ko.observable();
self.login = function() {
$('#login').modal('hide');
tasksViewModel.login(self.username(), self.password());
}
}
And finally we need to add a few support methods to our TasksViewModel
class:
function TasksViewModel() {
// ... no changes here
self.beginLogin = function() {
$('#login').modal('show');
}
self.login = function(username, password) {
self.username = username;
self.password = password;
self.ajax(self.tasksURI, 'GET').done(function(data) {
for (var i = 0; i < data.tasks.length; i++) {
self.tasks.push({
uri: ko.observable(data.tasks[i].uri),
title: ko.observable(data.tasks[i].title),
description: ko.observable(data.tasks[i].description),
done: ko.observable(data.tasks[i].done)
});
}
}).fail(function(jqXHR) {
if (jqXHR.status == 403)
setTimeout(self.beginLogin, 500);
});
}
self.beginLogin();
}
Let's see how this works. At the bottom of TasksViewModel
we had the code that issued the request to get the task list. We now replaced that with a call to beginLogin()
which starts the login process by displaying the login dialog box.
When the user accepts the dialog box method login()
will be called, with the entered credentials. Only now we are ready to talk to the server, so we issue the request for the task list after we update our login variables. If the request succeeds then we populate our tasks
array as we did before.
If the request fails we now have a second callback attached to the ajax request promise. The fail
callback in a promise executes if the asynchronous function returns an error. What we do in this case is check the error code from the ajax request object and if found to be 403 we just call beginLogin()
again to ask for new credentials. Note we don't show the dialog immediately, instead we wait 0.5 sec with a timeout. This is just because the dialog box has animated events to appear and disappear, so we need to make sure the "show" animation does not collide with the "hide" animation for the previous dialog instance.
I just said that login errors return a 403 code. Those that are familiar with HTTP error codes will jump to correct me. Error 403 is the error code for the "Forbidden" error. The correct HTTP code for the "Not Authorized" error is 401. The problem with error code 401 is that browsers display their own login dialog box when they receive this error, even if the error came from an ajax request. We don't want the browser to show its login dialog since we have our own, so we trick the browser by having the server send error 403 instead of 401.
Download the completed project: zip | github
Security
If we were to deploy this application on a real web server for real users we have to take some security measures.
The REST server takes user credentials according to the HTTP Basic Authentication protocol, which sends usernames and passwords in clear text. Of course this is not acceptable, we should not risk leaking confidential information from our users to third parties.
The proper way to address this problem is by putting the server on secure HTTP, which ensures that communication between client and server is encrypted.
The recommended way to implement secure HTTP is with a proxy server. Our server remains the same, when it starts it listens, for example, on http://localhost:5000
, which is only reachable to other processes in the same machine. Then another web server is installed and configured to listen on the secure HTTP port and do all the proper encryption procedures. This server is then configured to act as a proxy for our server, so to us nothing changes, we just receive requests from the proxy server, which in turn receives requests from the user over an encrypted channel.
There are other measures to take if we were to deploy this application on a real server, at the very least the Flask development web server should be replaced with a more robust server. I recommend that you see the deployment chapters of my Flask Mega-Tutorial to learn about this topic.
Final words
Phew! Can you believe we are done?
The application is now fully functional and exercises all the functions of our REST server. A nice enhancement that I will leave as an exercise for those interested would be to save the login credentials in a browser cookie, so that the user does not need to enter them every time. You get bonus points if you add a "Remember Me" checkbox to the login dialog.
Writing rich client side applications in Javascript can be fun. Javascript is an interesting language that at first may seem odd to those of us used to more traditional languages, but once you familiarize with it you find it can do many cool things.
I hope this article and example code along with the previous one serve as a good introduction to the use of REST APIs. If you have any questions or suggestions you are welcome to write below in the comments area.
Miguel
-
#26 azu said
Hi, I'm trying to implement something close to this tutorial, the only change is no authentication yet in my own. I'm just trying to get the data.
When i run my client, nothing happens but when i check the Javascript console of the browser(chrome), i get a "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:5000' is therefore not allowed access. " But both the client and the server are running on the same machine. -
#27 Miguel Grinberg said
@azu: you can start Chrome with option --disable-web-security to bypass the code that does this.
-
#28 azu said
Hi Miguel, I have done that but a different error occurs which is 'Cannot read property 'length' of undefined' This error refers to the line 'i < data.task.length'
My Javascript is poor but i'm also wondering how the array task, became a property of data. -
#29 Miguel Grinberg said
@asu: in that context "data" represents the JSON blob returned by the server. The server responds with a "tasks" (not "task") property at the top-level of the JSON object, so you can say "data.tasks", and since tasks is an array you should also be able to say "data.tasks.length".
-
#30 Neal said
Great tutorial, thanks!
-
#31 Jordan Rein said
Hey Miguel, stupid question, but when is it appropriate to use a REST API + frontend as you did in this tutorial rather than simply building a web app? The reason I ask is that I'd like to build a single-page application (small comic book directory) and I'm not sure which direction to choose. I see a lot of bleed-over between this tutorial and the Flask Mega Tutorial... what do you recommend?
-
#32 Miguel Grinberg said
@Jordan: tough question, it really depends on a lot of factors. Traditional apps are easier for search engines to index, a single-page app requires extra work to make it engine friendly. A hybrid solution is a good option, where the app has different pages but each page provides a more responsive experience running a little sub-app that talks to a REST API.
-
#33 Deepsys9 said
Hi Miguel,
I have a question on whether it is possible for javascriot code to submit a POST request against a (REST) API that requires authentication, but without popping up a log in form, if the user is already authenticated with the Flask App.
To elaborate on the scenario, assume I'm using the core of Flasky from your book, and the user is signed in. The user has permissions to create a new resource (e.g., a blog post), and clearly, they can do so using the forms rendered by Flask. What I'd like to do instead, is have javascript code automatically, without user intervention (but triggered by certain actions on the page that are monitored by javascript), submit the data using a POST method..
I understand from the book and this article how to do it -- but, unless I'm mistaken, it appears that the ajax function will require authorization headers to be inserted, which in turn will require a new login-dialog to be presented to the user. I'm trying to avoid this login dialog since the user will already be signed into the application... Is there a way to reuse the session cookie that is maintained by Flasky with the client?
I do want to protect REST API routes, but don't want to hassle the user with having to provide log-in credentials every time the javascript function wants to make a POST.
thanks!
-
#34 Miguel Grinberg said
@Deepsys9: Are you asking if the application can log the user in for regular and Javascript access from a single login form?
For that type of situation you can add some Javascript to the login form so that the credentials are not only submitted for the regular access but also kept in the client for background Javascript requests. Once the client has a copy of the credentials it can request a token and use that for background requests. Does this make sense? -
#35 Deepsys9 said
Miguel -- never mind about my prior question. I think my brain was tangled up and I was overthinking it.
I believe the solution is that upon initial login, in javascript I create the authorization header and store it as a client side cookie or get a long lived token and store that as a cookie..
-
#36 Miguel Grinberg said
@Deepsys9: Exactly, if the Javascript side captures the login credentials then it can freely authenticate, regardless of the Flask-Login based auth that is used for the regular part of the application.
-
#37 Arne said
In your other blog post I've asked for a proper solution to do the DELETE call from the front end. Here is my approach, https://gist.github.com/wiesson/9173218 - except the missing authentication (it is just an example) - is there a better solution, or is my approach fine? Maybe you could add an example to your blogpost. Best
-
#38 Miguel Grinberg said
@Arne: the client side looks fine to me. On the server, why do you flash a message? This is an API, you should return a JSON response that includes a success/failure and any other information that might be useful to the client, but flashing a message has no purpose.
-
#39 Pedro Werneck said
A small correction: browsers display the authentication dialog when they received the WWW-Authenticate header, not necessarily the 401 response. If you don't want to remove the header by hand, or someone else in between is inserting it, the client may send the header Requested-With: XMLHttpRequest and the server should drop the WWW-Authenticate header.
-
#40 Miguel Grinberg said
@Pedro: where is this behavior you describe between the X-Requested-With and WWW-Authenticate headers documented?
-
#41 Anup Jayapal Rao said
First thing first, Miguel ...you have a wonderful blog. I have been following your Flask tutorials, and related articles. I like the ReST articles especially. I find them very well written with the reader in mind. Best of luck with your book.
I have one request, Can you publish an article on how to achieve Basic HTTP authentication with pure Javascript and Flask. No JQuery, just simple XmlHTTPRequest.
-
#42 Anup Jayapal Rao said
Ah ! In my previous comment, I forgot to mention a critical point. I was looking towards pure Jaavascript Basic HTTP Auth with Flask using a "Form" constructed in javascript instead of the dialog that the browser pops.
For the non form based authentication, the http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
article is perfect. -
#43 Miguel Grinberg said
@Annup: creating a dialog in pure JavaScript is a lot of work, that is why jQuery or Bootstrap exist.
-
#44 Yomismo said
Hi Miguel,
Thanks for your awesome tutorials.
I saw on your code:
# return 403 instead of 401 to prevent browsers from displaying the default auth dialogIt turns out that if you just do:
@auth.error_handler
def unauthorized():
abort(401)you are able to return 401 error and the login dialog of the browser is not displayed. The explanation is that the dialog is triggered only when the field WWW-Authenticate is present in the header of the api response.
Keep it up!
-
#45 Miguel Grinberg said
@Yomismo: the Flask-HTTPAuth extension will insert the WWW-Authenticate header for you to comply with the HTTP authentication workflow.
-
#46 周凱 said
Hi Miguel. I've been using this tutorial to get insight in the python RESTful server, but I have problem when I try to use the Flask-HTTPAuth module. I get the same error as Dogukan Tufekci. I tried using what you told him and this is what I get:
$ pip install -r requirements.txt
Downloading/unpacking git+git://github.com/miguelgrinberg/flask-httpauth.git@v0.6 (from -r requirements.txt (line 2))
Cloning git://github.com/miguelgrinberg/flask-httpauth.git (to v0.6) to /tmp/pip-PNkqMx-build
Running setup.py egg_info for package from git+git://github.com/miguelgrinberg/flask-httpauth.git@v0.6Requirement already satisfied (use --upgrade to upgrade): flask==0.10 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): Werkzeug>=0.7 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): Jinja2>=2.4 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): itsdangerous>=0.21 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): markupsafe in /usr/local/lib/python2.7/dist-packages (from Jinja2>=2.4->flask==0.10->-r requirements.txt (line 1))
Cleaning up...Then when I try running the code, it still gives the same error:
Traceback (most recent call last):
File "app.py", line 3, in <module>
from flask.ext.httpauth import HTTPBasicAuth
File "/var/www/todo-api/flask/local/lib/python2.7/site-packages/flask/exthook.py", line 86, in load_module
raise ImportError('No module named %s' % fullname)
ImportError: No module named flask.ext.httpauthPlease help me. Thanks in advance!
-
#47 Miguel Grinberg said
@周凱: try this:
$ pip uninstall flask-httpauth
$ pip install flask-httpauth
$ pip freezeThe first line uninstalls your current extension, the next line installs the latest version, which is 2.2.1 (you were using 0.6). The third line lists all the installed extensions, you should see Flask-HTTPAuth==2.2.1 listed there.
-
#48 周凱 said
Hi Miguel. Thanks for the quick reply. I really appreciated. You know, I tried that and still gives the same error so what I did is to comment all the lines where it needed the user and password and now it works. The problem is when trying to access from a different domain than the localhost, then it will show me the error "No 'Access-Control-Allow-Origin' header is present on the requested resource." I have tried to solve the problem with some examples on the internet and I also tried what you suggested in the post but it still doesn't work. Any suggestions? Thanks again for the tutorial and for helping
-
#49 Miguel Grinberg said
Have you tried this decorator? http://flask.pocoo.org/snippets/56/
-
#50 Simon said
An issue I'm having with your authentication technique, and one that I can't find satisfactorily dealt with in Flask so far is the user session. At the moment, if I get it correctly, this looks like the user would need to sign in every time they want to use the todo app because their username and password are stored within javascript? Am I getting that right?