Thursday, December 26, 2013

Is REST really just CRUD over HTTP?

Over the last week I had an interesting discussion about API design. It's often said that a good web API must be RESTful. Many modern web APIs claim to be designed that way so REST seems to be a good idea. Unfortunately the most examples I've found on the web reminded me of CRUD. People tell you that one of the key principles of REST is to separate your api into logical resources and let the client manipulate these resources using the HTTP verbs (POST, GET, PUT, DELETE). At the first glance this sounds pretty much like CRUD. Are people still considering "our grand failure" as best practice for web applications? (I'm not saying CRUD is the failure. CRUD works very well for databases. The failure is trying to enforce a CRUD interface on applications! Feel free to use CRUD, but you have to understand the implications!)

But is REST really just another name for CRUD? I don't think so. Like Christopher Atkins says in his blog post "Three Common Fallacies Concerning REST" the idea that REST is simply CRUD over HTTP is "perhaps the most common fallacy in RESTful computing". REST does not depend on a certain protocol. It's an architectural style that defines some constraints for web architectures. According to "Architectural Styles and the Design of Network-based Software Architectures", Chapter 5 these constraints are:

  1. Client and server for separation of concerns (to improve portability and scalability).
  2. Stateless communication between client and server (to enable visibility, reliability, and scalability).
  3. Cache to improve network efficiency.
  4. Uniform interface to decouple implementations from the services they provide.
  5. Layered system to facilitate scalability.
  6. Code on demand (optional).

None of these constraints force you to use CRUD. But probably it's the uniform interface constraint that is often confused with CRUD. However Roy T. Fielding writes in a blog post: "Search my dissertation and you won’t find any mention of CRUD ..." (It's ok to use POST). He also says: "The only thing REST requires of methods is that they be uniformly defined for all resources (i.e., so that intermediaries don’t have to know the resource type in order to understand the meaning of the request)." So like mentioned before REST doesn't depend on a certain protocol, i.e. it doesn't require HTTP.  Therefore you don't have to use POST, GET, PUT and DELETE in a RESTful API. Not all of the four nor a subset of them. But regardless of what methods you use, each method must have the same meaning for all resources. As I understand it, one reason for this constraint is to distinguish between safe and unsafe operations without any knowledge of the resource type, e.g. if GET is a safe operation for all resources the results can be cached regardless of the resource type. Furthermore I think a uniform interface doesn't mean that every method must be defined for all resource types, e.g. if GET is defined for A you don't have to define it for every other resource type. But if you do you have to ensure that GET has the same meaning as for A.

So REST doesn't require a CRUD interface and even less a "CRUD-style architecture". A CRUD architecture exposes the entities to the client and lets the client manipulate them. A REST architecture makes resources addressable through URIs. But a resource is a "logical concept" which I think is not the same thing as an entity in terms of CRUD. Moreover in a REST architecture the client does not operate on resources but on their representations: "Defining resource such that a URI identifies a concept rather than a document leaves us with another question: how does a user access, manipulate, or transfer a concept such that they can get something useful when a hypertext link is selected? REST answers that question by defining the things that are manipulated to be representations of the identified resource, rather than the resource itself." ("Architectural Styles and the Design of Network-based Software Architectures", Section 6.2)

Doing research for this blog post I learned a few things about REST but I still don't have the feeling that I fully understand REST. There are also some questions that remain unanswered for me, e.g. how do I make behavior accessible through a uniform REST interface? A web service provides behavior not data. Can I model something that provides behavior as a logical concept? What are the representations of behaviors? How can I build a RESTful interface that captures the intent of the client?

Edit: Nice explanation about differences between CRUD and REST: http://programmers.stackexchange.com/a/120800