RFC 9205 - REST API versioning considered harmful.
Eric J Bowman <mellowmutt@zoho.com> Wed, 13 March 2024 06:48 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92BFDC14F5F8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 12 Mar 2024 23:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.855
X-Spam-Level:
X-Spam-Status: No, score=-7.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="Yi7IcEdj"; dkim=pass (2048-bit key) header.d=w3.org header.b="c+az/IXH"; dkim=pass (1024-bit key) header.d=zoho.com header.b="HY17dNP9"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faRZgoyI1-uX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 12 Mar 2024 23:48:09 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1EF1C14F6A7 for <httpbisa-archive-bis2Juki@ietf.org>; Tue, 12 Mar 2024 23:48:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:MIME-Version:In-Reply-To:Message-Id:To:From:Date :Cc:Reply-To:References; bh=wft3bMu/oTNm7ynnri3OTe9+rJpKY0X6uqacwBO3xyA=; b=Y i7IcEdjdgZIdKvYYDKQAt9lI3TUO54DbzIKu3oqOnyB0QUXF+/KbJecVqpS/BVQrkQjPJBVE5EXdz +jaFcSZFuVz69pQm95/2PEmrtQ4ewT5d8hgj0TK2PZqD9JAZ6SIaCEyEiEcT2roNNSfNTjGvqnLCh Unqk+5o6bDqO3rc3RhbyWT9J1z10OiqffmnEbocUZAz7TMO2I/pYmdoyTMQXgWVt0UNcFXu+upUTu ZMAqtxH4X65lIAPWDRubeA5Ybp9xIoeSd18e4NHR5GFafFKkBzmALp6LxILaRKsrzyTTOJ5TYvPcV ws3vQbcIYmzEMBmZGj53V91sQJx+AKy0A==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rkIP7-004CHo-Jl for ietf-http-wg-dist@listhub.w3.org; Wed, 13 Mar 2024 06:47:57 +0000
Resent-Date: Wed, 13 Mar 2024 06:47:57 +0000
Resent-Message-Id: <E1rkIP7-004CHo-Jl@lyra.w3.org>
Received: from puck.w3.org ([34.196.82.207]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <mellowmutt@zoho.com>) id 1rkIP3-004CGn-L5 for ietf-http-wg@listhub.w3.org; Wed, 13 Mar 2024 06:47:53 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:MIME-Version:Subject:In-Reply-To:Message-Id:To:From:Date :Cc:Reply-To:References; bh=wft3bMu/oTNm7ynnri3OTe9+rJpKY0X6uqacwBO3xyA=; t=1710312473; x=1711176473; b=c+az/IXH3+/SyPW7dUdtwmo8g2GGNHTfqdofGQtbt2UzDgC 0yEQa/+x8fK4f3S+WFMzVcu8Nd/tmz4DqaEzJxaG+AYnXzQ64mu6y1m6vGKzclzpAvg3pM18uDexw VZ8pRPkuh6Mr0OA4MsKCVhCS5K9i/9CFUhwQ3x8oY6+UGt1UB/J/9pqbm/E42MpCrlVZwKl0Jq8hO XaQASSn50Hkx0pu2FtaGoHLHkuAZS4DpO3o9cIF7FBqmqKOPxfxfo6x+ndAtucPk1xwZqPtly6jL/ dMyWpR8Q/yUjxC+P7h3iQaHkyIussJtVaGVxBGqE6avAy6cZnSk5jh/lYwwsztkw==;
Received-SPF: pass (puck.w3.org: domain of zoho.com designates 136.143.188.91 as permitted sender) client-ip=136.143.188.91; envelope-from=mellowmutt@zoho.com; helo=sender4-pp-o91.zoho.com;
Received: from sender4-pp-o91.zoho.com ([136.143.188.91]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <mellowmutt@zoho.com>) id 1rkIP2-007S44-2T for ietf-http-wg@w3.org; Wed, 13 Mar 2024 06:47:53 +0000
ARC-Seal: i=1; a=rsa-sha256; t=1710312468; cv=none; d=zohomail.com; s=zohoarc; b=VjbqUT3ZyS/iIirJwPoJhbSGwh1c7url9tEiWM/URxsrXOT1ngAIIeMRpX3AmqsCnEleXii9kGOHq1oHOKCSbGotx/Sr1MnfBmwUMJ6sMqTvfYMlIFhMkUbnOKJSxHd2M6zbvmsjeZDBQflvzeQSmnZQgRHr5TtKynN7G5ezpL0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1710312468; h=Content-Type:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=wft3bMu/oTNm7ynnri3OTe9+rJpKY0X6uqacwBO3xyA=; b=iAEVsk69pWIp5xXdQX+y3PpkA7dRx5BtG81C81+eZj/m7hhDvNQau3w8AJl7CA1HiDqaasiP/QAbNIu0veClTPG6rYkVa7V4FaLCFDlxfn4fdzlTJmptvcbHl392HGW7KXvtVYQ1v4rhlxbs87c9cLS/O1wIBCsyr4+Hs8bFDPU=
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=zoho.com; spf=pass smtp.mailfrom=mellowmutt@zoho.com; dmarc=pass header.from=<mellowmutt@zoho.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1710312468; s=zm2022; d=zoho.com; i=mellowmutt@zoho.com; h=Date:Date:From:From:To:To:Message-Id:Message-Id:In-Reply-To:Subject:Subject:MIME-Version:Content-Type:Feedback-ID:Reply-To:Cc; bh=wft3bMu/oTNm7ynnri3OTe9+rJpKY0X6uqacwBO3xyA=; b=HY17dNP9o3Bt20M0SBTiinXlKJKKJkDpZa5rg06gUamOztqDkv28P8RmVFLv0aQI EDyPYBXdApmnOZhUuVOrg/l8b9KbvbdUW1ijQti1mq3U2jste7bpUqmeGkdUetu3ndr kYQwjDyMO+xiBHRPP80IC3CfQElevItEJEYSPmis=
Received: from mail.zoho.com by mx.zohomail.com with SMTP id 1710312467126401.2844607691276; Tue, 12 Mar 2024 23:47:47 -0700 (PDT)
Received: from [65.117.211.248] by mail.zoho.com with HTTP;Tue, 12 Mar 2024 23:47:47 -0700 (PDT)
Date: Tue, 12 Mar 2024 23:47:47 -0700
From: Eric J Bowman <mellowmutt@zoho.com>
To: Ietf Http Wg <ietf-http-wg@w3.org>
Message-Id: <18e36912a9a.107313d6f235.3971853298110295147@zoho.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_609_517779883.1710312467098"
Importance: Medium
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
Feedback-ID: rr08011228905827fc46e3a4c7c25356a9000004af81a84402e3f1b0beae7ac094bac76be1c6c5b05c5bdbd795:zu08011227115317a05e79a5e728b5f7d300001e766ce722828702055d65a1b78fb3d71b2d6575713ca695f0:rf08011226d5e76ab9704c125f2560fa2d0000ebf9e88fe51624830fcca56bdce94c5cab073e510a64ed16:ZohoMail
X-W3C-Hub-DKIM-Status: validation passed: (address=mellowmutt@zoho.com domain=zoho.com), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mellowmutt@zoho.com domain=mellowmutt@zoho.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1rkIP2-007S44-2T 2503c3e0b0640b39269d93927238e873
X-Original-To: ietf-http-wg@w3.org
Subject: RFC 9205 - REST API versioning considered harmful.
Archived-At: <https://www.w3.org/mid/18e36912a9a.107313d6f235.3971853298110295147@zoho.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51876
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Best practices means putting this in a positive light. I recently searched YouTube for "REST API versioning" and got a plethora of videos to choose from, all along the lines of how to pass a job interview to be a REST API developer. Point #1 is REST = CRUD, I'll tilt at that windmill some other day. Point #2 is REST APIs MUST be versioned. So I commented and got some creator feedback, which I'll anonymously re-use here.
Honestly, I'm more geared towards writing a worst-practices document. I'm not ready to publish my actual text for RFC 9205, just soliciting feedback. Maybe we can address a couple of common arguments in favor of versioning, starting with the easy one: management decided /cart should be /carts, so we had to change our URI allocation scheme from .../v1/... to .../v2/... to reflect this change?
Sigh. HTTP has a concept of redirection. On to a specific example of the "our data format changed" reasoning, this:
payment mode: net banking
Bank name: Bank of America
was changed to this:
payment mode: NB
Bank name: BOA
Sigh. HTTP is an application protocol with some wonderful features many developers miss out on. Say you're changing your API to deprecate some URIs, introduce others, and change from application/xml to application/json. Do you need to change your URI allocation scheme? No. The above change is not at the conceptual layer of resource definition, mapped to URIs.
Deprecated URIs can redirect, or only Accept: application/xml. New URIs could only Accept: application/json. URIs carried over between versions can Accept: application/json, application/xml in that order, with the latter dropped at some future point in time. This allows for incremental change on the client and server sides, and if your resources are defined correctly, you don't need to version your URI allocation scheme. It probably has enough aliases to deal with anyway.
In my case, any file or handle under /var/www may be accessed by one or more protocols including http, ftp, bittorrent, imap, and ya gotta love the kids bringing back gopher... There's already an aliasing issue beyond this, inherent to HTTP as used in the real world... it's been over 20 years since I've included 'www' in a URI, those aliases redirect because there's no 'www' subdomain in my DNS. But, in terms of sysadmin tradition, /var/www it is for shared-over-the-wire resources (even if they're just handles not files), regardless of protocol.
So why square+ your number of HTTP URIs for v2, cube+ for v3, etc.? Yikes. Whole lotta symlinking going on behind-the-scenes, but has the definition of the underlying resource changed? Expanding BOA to Bank of America is at best a change in the schema applied to a known media type, at the representation level -- not the resource level. At worst, application/vnd.api.v{x}+json. If you're versioning your URIs, you're getting REST wrong because you've failed to apply what's probably the primary constraint -- identification of resources -- from which all else follows or none of it would make any sense.
Don't make things hard on maintainers down the road. Ever tried updating PHP code for 8? It's like porting to another language, what with all the enforced syntax changes. Don't be PHP. Do... start by identifying your resources, at the abstract level which applies on the Internet regardless of protocol. What sets HTTP apart is representations -- embrace that.
Do... here's where I have a problem, stating best practices in a positive way which implies the aforementioned don'ts. I'm all ears for a practical reason to version APIs like that, but all I get is weak sauce even from competent coders, somehow this is "received wisdom" on REST which certainly didn't come from Roy. Can the above real-world snippet be used in RFC 9205 to illustrate the sort of change best handled by media types, schema, or Accept headers?
I won't name names of the BigCorp that versioned their API over this syntax change. It's become accepted common practice.
-Eric
- RFC 9205 - REST API versioning considered harmful. Eric J Bowman
- Re: RFC 9205 - REST API versioning considered har… Anders Rundgren