2013-06-15T20:12:57Z

Writing a Javascript REST client

Last month I published an article on writing RESTful web services in Python, in which I developed a small web service.

Today I'm putting my "front-end" hat to show you how to write a Javascript client application that uses the Python service.

Source code for this tutorial

The source code for this tutorial is available on my REST-tutorial project on github. The incremental versions are tagged and linked in the appropriate sections of the article to save you from having to type or copy/paste the code yourself.

Download the initial version: zip | github

This version includes just the REST server. To execute it under Python's development web server you have to run the following command:

  • For Linux, OS X and Cygwin: ./rest-server.py
  • For Windows: python rest-server.py

The development server will be listening for requests on port 5000 of the local host, so you'll access it as http://localhost:5000.

The REST web service

In the aforementioned article I developed a simple web service that maintains a to-do list. The REST API endpoints for this service are:

HTTP MethodURIAction
GEThttp://[hostname]/todo/api/v1.0/tasksRetrieve list of tasks
GEThttp://[hostname]/todo/api/v1.0/tasks/[task_id]Retrieve a task
POSThttp://[hostname]/todo/api/v1.0/tasksCreate a new task
PUThttp://[hostname]/todo/api/v1.0/tasks/[task_id]Update an existing task
DELETEhttp://[hostname]/todo/api/v1.0/tasks/[task_id]Delete a task

All the endpoints in this service are secured by HTTP basic authentication.

The only resource exposed by this service is a "task", which is composed of the following data fields:

  • uri: unique URI for the task. String type.
  • title: short task description. String type.
  • description: long task description. Text type.
  • done: task completion state. Boolean type.

The REST server article shows how to place calls into this server using a command line utility called curl. Please see that article for details on this if you are interested in learning about the server side.

We will not discuss any more server related matters today. Are you ready to cross to the client-side? Let's go!

Choosing the stack

We will develop a client application that will run on web browsers, so we need to decide what tools and/or frameworks we will use.

For the base stack we don't really have much of a choice: The layout will be done in HTML, styling will be done in CSS and scripting in Javascript. No surprises here. While there are other choices, these guarantee that most modern browsers will run our application.

But these technologies alone would make for a rough development experience. For example, while Javascript and CSS work in all browsers, implementations differ, many times in subtle or obscure ways. There are three areas in which we would benefit from higher level cross-browser frameworks:

  • Presentation and styling
  • REST request management
  • Templates and event handling

Let's review each and evaluate what options there are.

Presentation and styling

We don't really have the patience nor the interest to test several browsers to make sure our HTML, CSS and Javascript works. There are a few frameworks that provide already tested CSS styles and Javascript functions to build websites with a modern look and user interface.

We will use Twitter Bootstrap, the most popular CSS/Javascript layout framework.

REST request management

Our client application running inside the web browser will need to issue requests to the REST web server. The browser's Javascript interpreter provides an API for this called XMLHttpRequest, but the actual implementation varies from browser to browser, so we would need to write browser specific code if we wanted to code against this API directly.

Lucky for us there are several cross-browser Javascript frameworks that hide these little differences and provide a uniform API. Once again we will pick the leading framework in this category, jQuery, which not only provides a uniform Ajax API but a large number of cross-browser helper functions.

Templates and event handling

Finally, our client application will need to generate dynamic content that will be inserted into an existing HTML document, and also update this content as a response to the actions issued by the user. We could use jQuery for all this, but jQuery's support in this area is pretty basic.

Many application frameworks adopt a pattern called Model View Controller to write maintainable applications that separate data from behavior. In MVC frameworks models store the data, views render the data and controllers update views and models according to user actions. The separation between data, presentation and behavior is very clear. There are some variations of MVC, like MVP (Model View Presenter) or MVVM (Model View ViewModel) that are popular as well. All these patterns are usually referred together as MV* frameworks.

MV* frameworks in the client side is a very hot topic these days, there are several projects that compete in this area without a clear winner. Here are the ones that I have evaluated:

AngularJS and Ember.js are the ones with the most features, in particular both have two-way data binding, which allows you to associate Javascript variables to elements in the HTML page so that when one changes the other updates automatically. They both look pretty good, but the learning curve is steep, and their documentation is pretty bad.

Backbone is the oldest framework of the four. It has no automatic data binding, instead you have to set up event handlers and write the code to perform the updates inside them.

Knockout was a surprise. This is a framework that is smaller than the other three, its main feature is two-way data binding. The documentation is excellent, very detailed and complete. There is a fun interactive tutorial followed by reference documentation and several examples, all integrated into an easy to navigate site.

Based on the above analysis, I've decided to give Knockout a chance.

Basic page layout

Let's begin by creating the main page skeleton:

<!DOCTYPE html>
<html>
<head>
<title>ToDo API Client Demo</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/css/bootstrap-combined.min.css" rel="stylesheet">
<script src="http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.0.js"></script>
<script src="http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
<script src="http://ajax.aspnetcdn.com/ajax/knockout/knockout-2.2.1.js"></script>
</head>
<body>
    <div class="navbar">
        <div class="navbar-inner">
            <a class="brand" href="#">ToDo API Client Demo</a>
        </div>
    </div>
    <div id="main" class="container">

        Main content here!

    </div>
    <script type="text/javascript">

        // application code here!

    </script>
</body>
</html>

This is a pretty standard HTML5 document.

The meta name="viewport" comes from Bootstrap. It makes the page scale according to the browser dimensions, be it a browser on a desktop PC or one in a smartphone. What follows is the Bootstrap CSS file, which we import from a CDN (content delivery network) so that we don't have to host it ourselves. Next come the Javascript files for jQuery, Bootstrap and Knockout, also imported from CDNs.

In the body of the page we first have a top bar with the application title, created using Bootstrap's CSS styles. Then we have the main content area, where we will insert the application data. And finally, we will have our application code at the bottom, keeping in mind that for larger projects the application code should likely go into one or more independent Javascript source files.

Download the project at this stage: zip | github

To see how the page looks start the Python server and then navigate to http://localhost:5000/index.html in your browser.

Content area layout

Using Bootstrap styles we can create a mock up of the content area of our application:

TaskOptions
Done

Task title

Task description

In Progress

Task title

Task description

The HTML code that achieves the above look is:

<table class="table table-striped">
    <tr><td style="width: 1px;"></td><td><b>Task</b></td><td><b>Options</b></td></tr>
    <tr>
        <td>
            <span class="label label-success">Done</span>
        </td>
        <td><p><b>Task title</b></p><p>Task description</p></td>
        <td>
            <button class="btn">Edit</button>
            <button class="btn">Delete</button>
            <span><button class="btn">Mark In Progress</button></span>
        </td>
    </tr>
    <tr>
        <td>
            <span class="label label-important">In Progress</span>
        </td>
        <td><p><b>Task title</b></p><p>Task description</p></td>
        <td>
            <button class="btn">Edit</button>
            <button class="btn">Delete</button>
            <span><button class="btn">Mark Done</button></span>
        </td>
    </tr>
</table>
<button class="btn">Add Task</button>

Download the project at this stage: zip | github

Once again, at this point you can start the Python server and then navigate to http://localhost:5000/index.html in your browser to see the page.

Two-way data binding from the HTML side

The above HTML code looks great, but it is static, so it is of no use other than to prototype the look of our application. We now need to convert it into a Knockout view that can show actual data and respond to user clicks. For this we will use some constructs provided by Knockout:

<table class="table table-striped">
    <tr><td style="width: 1px;"></td><td><b>Task</b></td><td><b>Options</b></td></tr>
    <!-- ko foreach: tasks -->
    <tr>
        <td>
            <span data-bind="visible: done" class="label label-success">Done</span>
            <span data-bind="visible: !done()" class="label label-important">In Progress</span>
        </td>
        <td><p><b data-bind="text: title"></b></p><p data-bind="text: description"></p></td>
        <td>
            <button data-bind="click: $parent.beginEdit" class="btn">Edit</button>
            <button data-bind="click: $parent.remove" class="btn">Delete</button>
            <span data-bind="visible: done">
                <button data-bind="click: $parent.markInProgress" class="btn">Mark In Progress</button>
            </span>
            <span data-bind="visible: !done()">
                <button data-bind="click: $parent.markDone" class="btn">Mark Done</button>
            </span>
        </td>
    </tr>
    <!-- /ko -->
</table>
<button data-bind="click: beginAdd" class="btn">Add Task</button>

The ko foreach: tasks directive is inside an HTML comment to avoid making the HTML document illegal. Even as a comment, Knockout will recognize it and interpret it, causing all the HTML elements that appear after it and until the closing /ko comment to repeat once per item in the tasks collection (that we haven't defined yet).

Note that the HTML element that will display the task title got a data-bind="text: title" attribute added. This directive tells Knockout to bind the title variable to the text of the element. The title variable is obtained from the current context. Since we are inside a foreach loop the context is the current task in the tasks collection.

Knockout provides binding constructs that can connect to attributes of an element instead of its text. For example, the In progress and Done labels get their visible attribute bound to the done field of the task, so that only the label that reflects the current state of each task is visible while the other one is hidden. The same binding method is used for the buttons that change the task's done state.

To respond to user input Knockout provides the click binding, which takes a method name. For example, at the very bottom we have the Add Task button, which has a click binding to method beginAdd. Like variables, methods are searched in the current context. The button is outside the foreach loop, so it is in the global context, which as we will see soon is the ViewModel instance that controls the element.

The buttons that are inside the foreach are more tricky, because the context at the level is each task in the tasks collection. We could add methods to the task objects, but that is a complication since task objects will be returned by the REST server. Instead, we use the $parent prefix to indicate that the parent context should be used.

With the above changes our page is depending on a few things that don't exist yet:

  • a tasks collection that has all the tasks to display, each with fields called title, description, and done.
  • a method called beginEdit that opens a dialog box to edit the selected task.
  • a method called remove that deletes the selected task.
  • a method called markDone that changes that done state of the selected task to true.
  • a method called markInProgress that changes that done state of the selected task to false.
  • a method called beginAdd that opens a dialog box to enter a new task.

Two-way data binding from the Javascript side

Knockout uses the MVVM pattern. So far we have worked on the V part, which is the View. The M (Model) will come as JSON data delivered by the REST server. The last component of the triangle is the VM, or ViewModel. This is a Javascript object that will hold the bindings between the models and the views, and will also include the event handlers for user generated actions.

Let's write a mock ViewModel that can interact with our view. This code will be inserted at the bottom of the page, in the <script> area:

    function TasksViewModel() {
        var self = this;
        self.tasks = ko.observableArray();

        self.tasks([
            {
                title: ko.observable('title #1'),
                description: ko.observable('description #1'),
                done: ko.observable(false)
            },
            {
                title: ko.observable('title #2'),
                description: ko.observable('description #2'),
                done: ko.observable(true)
            }
        ]);

        self.beginAdd = function() {
            alert("Add");
        }
        self.beginEdit = function(task) {
            alert("Edit: " + task.title());
        }
        self.remove = function(task) {
            alert("Remove: " + task.title());
        }
        self.markInProgress = function(task) {
            task.done(false);
        }
        self.markDone = function(task) {
            task.done(true);
        }
    }
    ko.applyBindings(new TasksViewModel(), $('#main')[0]);

The var self = this; idiom the begins this function is common in Javascript functions that have callback functions, as it saves the original value of this so that the callbacks, which may have a different this, can use it.

The ko.observableArray() and ko.observable() are the magic that makes Knockout incredibly easy to use. Observables are special Javascript objects that connect a value from a Model to one or more data-bind attributes that refer to it in the View. Once the connection is established any changes to the value will automatically update the view, and any changes to the view will automatically update the value.

Knockout provides the ko.observable() object for single values and the ko.observableArray() for a collection of values. The array version is particularly interesting, because adding or removing array elements will also automatically update what appears in a ko.foreach section.

Something to keep in mind when working with observables is that they look like regular variables, but they are objects. One can be tempted to write this type of code to update an observable:

var myValue = ko.observable(5);
alert(myValue); // this does not work
myValue = 6; // this does not work

At first sight this appears to create an observable with the value 5, display the value in an alert window and then update it to 6. In reality, the alert will print an obscure string that represents the observable object itself, and the assignment will just replace the observable object with a regular value of 6. The correct way to access and modify and observable is to invoke it as a function:

var myValue = ko.observable(5);
alert(myValue()); // display value
myValue(6); // update value to 6

This is even more error prone on observable arrays, where the function call parenthesis sometimes have to be inserted before the square brackets:

var myArray = ko.observableArray([1, 2, 3]);
alert(myArray()[1]); // show second element

For our TasksViewModel object we have defined an observable array called tasks that will get connected to the ko.foreach: tasks that we have in our view.

We initialize our tasks collection with a mock Model that includes two task objects, each having observables for its properties, so that there are also automatic updates for the data-bind attributes that point to the fields of each task.

We then define the event handlers that will respond to click events. For now the beginAdd, beginEdit and remove just show an alert dialog. Note that Knockout sends the task object for the events that were generated from inside the ko.foreach.

The last two events are interesting, because instead of just alerting we are actually modifying our model. Since the task.done field is an observable the simple act of changing the value will trigger updates to the appropriate parts of the web page.

The last statement in the example calls ko.applyBindings to activate the ViewModel. The first argument is the created ViewModel object and the second argument is the root element in the HTML document to associate with it.

Download the project at this stage: zip | github

This is, again, a good time to check how the application is progressing. Go ahead and start the Python server and then open http://localhost:5000/index.html in your browser to see Knockout in action. You will see that the two example tasks in our Model were automagically rendered to the page, and that all the buttons are active. In particular try the "Mark Done" and "Mark In Progress" buttons, to see how simple it is to update the page when data changes.

Connecting to the REST server

Now that we have the client rendering a mock model we are ready to switch to the real thing.

To make an HTTP request to our server we will use jQuery's $.ajax() function. Here is a second version of our TasksViewModel, modified to send a request to the server for the list of tasks:

    function TasksViewModel() {
        var self = this;
        self.tasksURI = 'http://localhost:5000/todo/api/v1.0/tasks';
        self.username = "miguel";
        self.password = "python";
        self.tasks = ko.observableArray();

        self.ajax = function(uri, method, data) {
            var request = {
                url: uri,
                type: method,
                contentType: "application/json",
                accepts: "application/json",
                cache: false,
                dataType: 'json',
                data: JSON.stringify(data),
                beforeSend: function (xhr) {
                    xhr.setRequestHeader("Authorization", 
                        "Basic " + btoa(self.username + ":" + self.password));
                },
                error: function(jqXHR) {
                    console.log("ajax error " + jqXHR.status);
                }
            };
            return $.ajax(request);
        }

        self.beginAdd = function() {
            alert("Add");
        }
        self.beginEdit = function(task) {
            alert("Edit: " + task.title());
        }
        self.remove = function(task) {
            alert("Remove: " + task.title());
        }
        self.markInProgress = function(task) {
            task.done(false);
        }
        self.markDone = function(task) {
            task.done(true);
        }

        self.ajax(self.tasksURI, 'GET').done(function(data) {
            for (var i = 0; i < data.tasks.length; i++) {
                self.tasks.push({
                    uri: ko.observable(data.tasks[i].uri),
                    title: ko.observable(data.tasks[i].title),
                    description: ko.observable(data.tasks[i].description),
                    done: ko.observable(data.tasks[i].done)
                });
            }
        });
    }
    ko.applyBindings(new TasksViewModel(), $('#main')[0]);

Let's go over the changes from top to bottom.

At the top of the TasksViewModel class we define a few new member variables. We will use tasksURI as our root URI to access the REST server. If you recall, this is the URI that when queried with the GET HTTP method returns the list of tasks. We also have two variables that record the login information, which for now we are setting to values that are known to work (we will improve on this later).

The tasks observable array is still there, but we do not initialize it with mock data anymore.

Then we have a new method, simply called ajax. This is a helper function that wraps jQuery's $.ajax() call and makes it more convenient. The function takes three arguments, the URI to connect to, the HTTP method to use and optionally the data to send in the body of the request.

Our ajax function doesn't really do much, it just creates a request object and sends it over to $.ajax(). In addition to the data given in the function arguments, the request object include the mime type for the request and the response, it disables caching and sets a couple of mysterious callback functions.

The first callback function is called beforeSend, and jQuery will invoke it after it has created the jqXHR object that will carry over the request. We need to use this callback to insert the HTTP Basic authentication credentials, because without that the server will not accept our request. For now we just encode the hardcoded username and password. We use the btoa function to encode the credentials in base64 format, as required by the HTTP protocol.

The second callback function will be invoked by jQuery if the request comes back with an error code. This can happen if the username and/or password are incorrect, for example. In this case we just log the error.

Our ajax wrapper function returns the return value from $.ajax, which is a promise object. A promise acts as a proxy for a result of an asynchronous function. When $.ajax() is invoked a request is sent to the server, but the function returns immediately without waiting for the response. The promise object represents that unknown response.

The last change is at the bottom of the class definition, where the actual request to the REST server is made. Here is that snippet of code copied again:

        self.ajax(self.tasksURI, 'GET').done(function(data) {
            for (var i = 0; i < data.tasks.length; i++) {
                self.tasks.push({
                    uri: ko.observable(data.tasks[i].uri),
                    title: ko.observable(data.tasks[i].title),
                    description: ko.observable(data.tasks[i].description),
                    done: ko.observable(data.tasks[i].done)
                });
            }
        });

We call the ajax() wrapper function with the arguments to send a GET request to the server on the main URI. Then on the return promise we call done(). All jQuery promises provide a done method that takes a callback. The callback will be invoked once the asynchronous function associated with the promise ends, with the result of the function passed as an argument.

Our done callback will receive the response data, which is a JSON object that contains the array of tasks returned by the server. We then take this array and for each element create a similar object to add to our tasks observable array. Note that we can't add the task returned by the server directly because we need some of the fields in the tasks to be observables, so that they update the page automatically when they change.

Download the project at this stage: zip | github

If you try the application with these changes you will see the task list from the server rendered in the page.

Adding a new task

Adding a new task is fun because it requires us to create a dialog box where the user can enter the details.

The Boostrap documentation provides all the information required to create modal dialog boxes. Below is the code that creates a dialog box with a form inside to enter task information:

<div id="add" class="modal hide fade" tabindex="=1" role="dialog" aria-labelledby="addDialogLabel" aria-hidden="true">
    <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
        <h3 id="addDialogLabel">Add Task</h3>
    </div>
    <div class="modal-body">
        <form class="form-horizontal">
            <div class="control-group">
                <label class="control-label" for="inputTask">Task</label>
                <div class="controls">
                    <input data-bind="value: title" type="text" id="inputTask" placeholder="Task title" style="width: 150px;">
                </div>
            </div>
            <div class="control-group">
                <label class="control-label" for="inputDescription">Description</label>
                <div class="controls">
                    <input data-bind="value: description" type="text" id="inputDescription" placeholder="Description" style="width: 300px;">
                </div>
            </div>
        </form>
    </div>
    <div class="modal-footer">
        <button data-bind="click: addTask" class="btn btn-primary">Add Task</button>
        <button class="btn" data-dismiss="modal" aria-hidden="true">Cancel</button>
    </div>
</div>

This dialog box will be hidden initially. The code can be inserted anywhere in the page, for example a good place is right after the main div.

If you look carefully you will see that the <input> elements have data-bind attributes in them that connect to their values. This is so that we can bind variables to them. Likewise, the Add Task button at the bottom is bound to its click event, so that we can act when the user accepts the dialog box.

According to the Bootstrap documentation to display the dialog box we have to do this:

$('add').modal('show');

Since we want to display this dialog box when the user clicks the Add Task button we can now replace our alert with the real thing:

        self.beginAdd = function()
        {
            $('#add').modal('show');
        }

This dialog box is effectively our second View, it is a different entity than our task list. Since this is a different View, we also need a different Model and ViewModel:

    function TasksViewModel() {

        // ... same contents and before

        self.add = function(task)
        {
            self.ajax(self.tasksURI, 'POST', task).done(function(data) {
                self.tasks.push({
                    uri: ko.observable(data.task.uri),
                    title: ko.observable(data.task.title),
                    description: ko.observable(data.task.description),
                    done: ko.observable(data.task.done)
                });
            });
        }
    }
    function AddTaskViewModel() {
        var self = this;
        self.title = ko.observable();
        self.description = ko.observable();

        self.addTask = function() {
            $('#add').modal('hide');
            tasksViewModel.add({
                title: self.title(),
                description: self.description()
            });
            self.title("");
            self.description("");
        }
    }

    var tasksViewModel = new TasksViewModel();
    var addTaskViewModel = new AddTaskViewModel();
    ko.applyBindings(tasksViewModel, $('#main')[0]);
    ko.applyBindings(addTaskViewModel, $('#add')[0]);

The new AddTaskViewModel is extremely simple. It has two observables, which connect to the two <input> tags in the dialog box. It also has one event handler that connects to the Add Task button.

When the button is clicked the event handler simply calls the add() method of the tasksViewModel, passing the title and description values for the new task. The function finally resets the values of the two fields, so that the next time the user wants to add a task the fields appear empty again.

The add() method of tasksViewModel invokes the ajax() function again, but this time it issues a POST request, which according to the REST standard practices corresponds to a request to add a new resource. The response from the request will be the added task, so when our done() callback is invoked we just push a new task into our tasks array. Due to the data binding that exists between the array and the ko.foreach in the HTML portion of the document as soon as we add an element to the array that element is rendered to the page.

The changes to edit an existing tasks are a bit more complex, but are largely similar.

A new dialog box is added to the document (we cannot use the same as the Add Task dialog because for editing we have the "done" checkbox that we don't have when adding a task).

We also have to add a new ViewModel:

    function EditTaskViewModel() {
        var self = this;
        self.title = ko.observable();
        self.description = ko.observable();
        self.done = ko.observable();

        self.setTask = function(task) {
            self.task = task;
            self.title(task.title());
            self.description(task.description());
            self.done(task.done());
            $('edit').modal('show');
        }
        self.editTask = function() {
            $('#edit').modal('hide');
            tasksViewModel.edit(self.task, {
                title: self.title(),
                description: self.description() ,
                done: self.done()
            });
        }
    }

And here are the new and updated methods in the TasksViewModel class to support task editing:

        self.beginEdit = function(task) {
            editTaskViewModel.setTask(task);
            $('#edit').modal('show');
        }
        self.edit = function(task, data) {
            self.ajax(task.uri(), 'PUT', data).done(function(res) {
                self.updateTask(task, res.task);
            });
        }
        self.updateTask = function(task, newTask) {
            var i = self.tasks.indexOf(task);
            self.tasks()[i].uri(newTask.uri);
            self.tasks()[i].title(newTask.title);
            self.tasks()[i].description(newTask.description);
            self.tasks()[i].done(newTask.done);
        }

The additional complication with the edit dialog box is that prior to showing it we have to fill out the form fields with the current data for the selected task. This is done in the setTask() method of the EditTaskViewModel class.

Once the dialog box is accepted the handler in the EditTaskViewModel class calls the edit() method of the TasksViewModel, which sends a PUT request into the server to update the task. Note how the URI for this request comes from the task itself, since each task has a unique URI. Finally, the callback for the ajax request calls a new helper functon updateTask() to refresh the observables associated with the task that was edited.

Another method that we can complete is the one that deletes a task. This one is easy, as it does not require any HTML changes to the document:

        self.remove = function(task) {
            self.ajax(task.uri(), 'DELETE').done(function() {
                self.tasks.remove(task);
            });
        }

And even though the "Mark Done" and "Mark In Progress" buttons appear to work, they aren't really working, all they are doing right now is change the model, but they do not communicate these changes to the server. Here are the updated versions that talk to the server:

        self.markInProgress = function(task) {
            self.ajax(task.uri(), 'PUT', { done: false }).done(function(res) {
                self.updateTask(task, res.task);
            });
        }
        self.markDone = function(task) {
            self.ajax(task.uri(), 'PUT', { done: true }).done(function(res) {
                self.updateTask(task, res.task);
            });
        }

Download the project at this stage: zip | github

The client application is nearing completion now. You can take a break and spend some time playing with the different options, since all of them are working now.

Authentication

And we now arrive to our final battle. Up to now the authentication credentials that we were sending to the REST server are hardcoded into the client application. We happen to know that these work, but in a real life situation we have to prompt the user to provide his own credentials.

Let's start by removing the hardcoded credentials:

        self.username = "";
        self.password = "";

We will also have to add a login dialog box, which I'm not going to show here since it is similar to the previous dialog boxes we created.

We need a ViewModel for our dialog box:

    function LoginViewModel() {
        var self = this;
        self.username = ko.observable();
        self.password = ko.observable();

        self.login = function() {
            $('#login').modal('hide');
            tasksViewModel.login(self.username(), self.password());
        }
    }

And finally we need to add a few support methods to our TasksViewModel class:

    function TasksViewModel() {

        // ...  no changes here

        self.beginLogin = function() {
            $('#login').modal('show');
        }
        self.login = function(username, password) {
            self.username = username;
            self.password = password;
            self.ajax(self.tasksURI, 'GET').done(function(data) {
                for (var i = 0; i < data.tasks.length; i++) {
                    self.tasks.push({
                        uri: ko.observable(data.tasks[i].uri),
                        title: ko.observable(data.tasks[i].title),
                        description: ko.observable(data.tasks[i].description),
                        done: ko.observable(data.tasks[i].done)
                    });
                }
            }).fail(function(jqXHR) {
                if (jqXHR.status == 403)
                    setTimeout(self.beginLogin, 500);
            });
        }

        self.beginLogin();
    }

Let's see how this works. At the bottom of TasksViewModel we had the code that issued the request to get the task list. We now replaced that with a call to beginLogin() which starts the login process by displaying the login dialog box.

When the user accepts the dialog box method login() will be called, with the entered credentials. Only now we are ready to talk to the server, so we issue the request for the task list after we update our login variables. If the request succeeds then we populate our tasks array as we did before.

If the request fails we now have a second callback attached to the ajax request promise. The fail callback in a promise executes if the asynchronous function returns an error. What we do in this case is check the error code from the ajax request object and if found to be 403 we just call beginLogin() again to ask for new credentials. Note we don't show the dialog immediately, instead we wait 0.5 sec with a timeout. This is just because the dialog box has animated events to appear and disappear, so we need to make sure the "show" animation does not collide with the "hide" animation for the previous dialog instance.

I just said that login errors return a 403 code. Those that are familiar with HTTP error codes will jump to correct me. Error 403 is the error code for the "Forbidden" error. The correct HTTP code for the "Not Authorized" error is 401. The problem with error code 401 is that browsers display their own login dialog box when they receive this error, even if the error came from an ajax request. We don't want the browser to show its login dialog since we have our own, so we trick the browser by having the server send error 403 instead of 401.

Download the completed project: zip | github

Security

If we were to deploy this application on a real web server for real users we have to take some security measures.

The REST server takes user credentials according to the HTTP Basic Authentication protocol, which sends usernames and passwords in clear text. Of course this is not acceptable, we should not risk leaking confidential information from our users to third parties.

The proper way to address this problem is by putting the server on secure HTTP, which ensures that communication between client and server is encrypted.

The recommended way to implement secure HTTP is with a proxy server. Our server remains the same, when it starts it listens, for example, on http://localhost:5000, which is only reachable to other processes in the same machine. Then another web server is installed and configured to listen on the secure HTTP port and do all the proper encryption procedures. This server is then configured to act as a proxy for our server, so to us nothing changes, we just receive requests from the proxy server, which in turn receives requests from the user over an encrypted channel.

There are other measures to take if we were to deploy this application on a real server, at the very least the Flask development web server should be replaced with a more robust server. I recommend that you see the deployment chapters of my Flask Mega-Tutorial to learn about this topic.

Final words

Phew! Can you believe we are done?

The application is now fully functional and exercises all the functions of our REST server. A nice enhancement that I will leave as an exercise for those interested would be to save the login credentials in a browser cookie, so that the user does not need to enter them every time. You get bonus points if you add a "Remember Me" checkbox to the login dialog.

Writing rich client side applications in Javascript can be fun. Javascript is an interesting language that at first may seem odd to those of us used to more traditional languages, but once you familiarize with it you find it can do many cool things.

I hope this article and example code along with the previous one serve as a good introduction to the use of REST APIs. If you have any questions or suggestions you are welcome to write below in the comments area.

Miguel

122 comments

  • #26 azu said 2013-12-17T20:24:04Z

    Hi, I'm trying to implement something close to this tutorial, the only change is no authentication yet in my own. I'm just trying to get the data. When i run my client, nothing happens but when i check the Javascript console of the browser(chrome), i get a "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:5000' is therefore not allowed access. " But both the client and the server are running on the same machine.

  • #27 Miguel Grinberg said 2013-12-18T05:07:13Z

    @azu: you can start Chrome with option --disable-web-security to bypass the code that does this.

  • #28 azu said 2013-12-20T00:28:29Z

    Hi Miguel, I have done that but a different error occurs which is 'Cannot read property 'length' of undefined' This error refers to the line 'i < data.task.length' My Javascript is poor but i'm also wondering how the array task, became a property of data.

  • #29 Miguel Grinberg said 2013-12-21T18:37:16Z

    @asu: in that context "data" represents the JSON blob returned by the server. The server responds with a "tasks" (not "task") property at the top-level of the JSON object, so you can say "data.tasks", and since tasks is an array you should also be able to say "data.tasks.length".

  • #30 Neal said 2014-01-17T01:53:18Z

    Great tutorial, thanks!

  • #31 Jordan Rein said 2014-01-23T07:12:23Z

    Hey Miguel, stupid question, but when is it appropriate to use a REST API + frontend as you did in this tutorial rather than simply building a web app? The reason I ask is that I'd like to build a single-page application (small comic book directory) and I'm not sure which direction to choose. I see a lot of bleed-over between this tutorial and the Flask Mega Tutorial... what do you recommend?

  • #32 Miguel Grinberg said 2014-01-23T07:24:18Z

    @Jordan: tough question, it really depends on a lot of factors. Traditional apps are easier for search engines to index, a single-page app requires extra work to make it engine friendly. A hybrid solution is a good option, where the app has different pages but each page provides a more responsive experience running a little sub-app that talks to a REST API.

  • #33 Deepsys9 said 2014-02-20T00:21:11Z

    Hi Miguel,

    I have a question on whether it is possible for javascriot code to submit a POST request against a (REST) API that requires authentication, but without popping up a log in form, if the user is already authenticated with the Flask App.

    To elaborate on the scenario, assume I'm using the core of Flasky from your book, and the user is signed in. The user has permissions to create a new resource (e.g., a blog post), and clearly, they can do so using the forms rendered by Flask. What I'd like to do instead, is have javascript code automatically, without user intervention (but triggered by certain actions on the page that are monitored by javascript), submit the data using a POST method..

    I understand from the book and this article how to do it -- but, unless I'm mistaken, it appears that the ajax function will require authorization headers to be inserted, which in turn will require a new login-dialog to be presented to the user. I'm trying to avoid this login dialog since the user will already be signed into the application... Is there a way to reuse the session cookie that is maintained by Flasky with the client?

    I do want to protect REST API routes, but don't want to hassle the user with having to provide log-in credentials every time the javascript function wants to make a POST.

    thanks!

  • #34 Miguel Grinberg said 2014-02-20T07:26:36Z

    @Deepsys9: Are you asking if the application can log the user in for regular and Javascript access from a single login form? For that type of situation you can add some Javascript to the login form so that the credentials are not only submitted for the regular access but also kept in the client for background Javascript requests. Once the client has a copy of the credentials it can request a token and use that for background requests. Does this make sense?

  • #35 Deepsys9 said 2014-02-20T08:22:01Z

    Miguel -- never mind about my prior question. I think my brain was tangled up and I was overthinking it.

    I believe the solution is that upon initial login, in javascript I create the authorization header and store it as a client side cookie or get a long lived token and store that as a cookie..

  • #36 Miguel Grinberg said 2014-02-20T15:08:41Z

    @Deepsys9: Exactly, if the Javascript side captures the login credentials then it can freely authenticate, regardless of the Flask-Login based auth that is used for the regular part of the application.

  • #37 Arne said 2014-02-23T16:04:26Z

    In your other blog post I've asked for a proper solution to do the DELETE call from the front end. Here is my approach, https://gist.github.com/wiesson/9173218 - except the missing authentication (it is just an example) - is there a better solution, or is my approach fine? Maybe you could add an example to your blogpost. Best

  • #38 Miguel Grinberg said 2014-02-23T17:35:20Z

    @Arne: the client side looks fine to me. On the server, why do you flash a message? This is an API, you should return a JSON response that includes a success/failure and any other information that might be useful to the client, but flashing a message has no purpose.

  • #39 Pedro Werneck said 2014-03-04T15:53:43Z

    A small correction: browsers display the authentication dialog when they received the WWW-Authenticate header, not necessarily the 401 response. If you don't want to remove the header by hand, or someone else in between is inserting it, the client may send the header Requested-With: XMLHttpRequest and the server should drop the WWW-Authenticate header.

  • #40 Miguel Grinberg said 2014-03-04T16:36:49Z

    @Pedro: where is this behavior you describe between the X-Requested-With and WWW-Authenticate headers documented?

  • #41 Anup Jayapal Rao said 2014-03-27T17:48:05Z

    First thing first, Miguel ...you have a wonderful blog. I have been following your Flask tutorials, and related articles. I like the ReST articles especially. I find them very well written with the reader in mind. Best of luck with your book.

    I have one request, Can you publish an article on how to achieve Basic HTTP authentication with pure Javascript and Flask. No JQuery, just simple XmlHTTPRequest.

  • #42 Anup Jayapal Rao said 2014-03-27T17:53:37Z

    Ah ! In my previous comment, I forgot to mention a critical point. I was looking towards pure Jaavascript Basic HTTP Auth with Flask using a "Form" constructed in javascript instead of the dialog that the browser pops.

    For the non form based authentication, the http://blog.miguelgrinberg.com/post/restful-authentication-with-flask article is perfect.

  • #43 Miguel Grinberg said 2014-03-29T04:50:12Z

    @Annup: creating a dialog in pure JavaScript is a lot of work, that is why jQuery or Bootstrap exist.

  • #44 Yomismo said 2014-03-30T15:45:38Z

    Hi Miguel,

    Thanks for your awesome tutorials.

    I saw on your code: # return 403 instead of 401 to prevent browsers from displaying the default auth dialog

    It turns out that if you just do: @auth.error_handler def unauthorized(): abort(401)

    you are able to return 401 error and the login dialog of the browser is not displayed. The explanation is that the dialog is triggered only when the field WWW-Authenticate is present in the header of the api response.

    Keep it up!

  • #45 Miguel Grinberg said 2014-03-30T17:23:57Z

    @Yomismo: the Flask-HTTPAuth extension will insert the WWW-Authenticate header for you to comply with the HTTP authentication workflow.

  • #46 周凱 said 2014-05-05T12:38:14Z

    Hi Miguel. I've been using this tutorial to get insight in the python RESTful server, but I have problem when I try to use the Flask-HTTPAuth module. I get the same error as Dogukan Tufekci. I tried using what you told him and this is what I get: $ pip install -r requirements.txt Downloading/unpacking git+git://github.com/miguelgrinberg/flask-httpauth.git@v0.6 (from -r requirements.txt (line 2)) Cloning git://github.com/miguelgrinberg/flask-httpauth.git (to v0.6) to /tmp/pip-PNkqMx-build Running setup.py egg_info for package from git+git://github.com/miguelgrinberg/flask-httpauth.git@v0.6

    Requirement already satisfied (use --upgrade to upgrade): flask==0.10 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) Requirement already satisfied (use --upgrade to upgrade): Werkzeug>=0.7 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1)) Requirement already satisfied (use --upgrade to upgrade): Jinja2>=2.4 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1)) Requirement already satisfied (use --upgrade to upgrade): itsdangerous>=0.21 in /usr/local/lib/python2.7/dist-packages (from flask==0.10->-r requirements.txt (line 1)) Requirement already satisfied (use --upgrade to upgrade): markupsafe in /usr/local/lib/python2.7/dist-packages (from Jinja2>=2.4->flask==0.10->-r requirements.txt (line 1)) Cleaning up...

    Then when I try running the code, it still gives the same error: Traceback (most recent call last): File "app.py", line 3, in from flask.ext.httpauth import HTTPBasicAuth File "/var/www/todo-api/flask/local/lib/python2.7/site-packages/flask/exthook.py", line 86, in load_module raise ImportError('No module named %s' % fullname) ImportError: No module named flask.ext.httpauth

    Please help me. Thanks in advance!

  • #47 Miguel Grinberg said 2014-05-05T16:02:57Z

    @周凱: try this:

    $ pip uninstall flask-httpauth $ pip install flask-httpauth $ pip freeze

    The first line uninstalls your current extension, the next line installs the latest version, which is 2.2.1 (you were using 0.6). The third line lists all the installed extensions, you should see Flask-HTTPAuth==2.2.1 listed there.

  • #48 周凱 said 2014-05-06T11:43:36Z

    Hi Miguel. Thanks for the quick reply. I really appreciated. You know, I tried that and still gives the same error so what I did is to comment all the lines where it needed the user and password and now it works. The problem is when trying to access from a different domain than the localhost, then it will show me the error "No 'Access-Control-Allow-Origin' header is present on the requested resource." I have tried to solve the problem with some examples on the internet and I also tried what you suggested in the post but it still doesn't work. Any suggestions? Thanks again for the tutorial and for helping

  • #49 Miguel Grinberg said 2014-05-06T14:17:52Z

    Have you tried this decorator? http://flask.pocoo.org/snippets/56/

  • #50 Simon said 2014-05-26T23:09:16Z

    An issue I'm having with your authentication technique, and one that I can't find satisfactorily dealt with in Flask so far is the user session. At the moment, if I get it correctly, this looks like the user would need to sign in every time they want to use the todo app because their username and password are stored within javascript? Am I getting that right?

Leave a Comment