Flask: Building REST APIs with Flask-RESTful
Flask-RESTful is an extension for Flask that simplifies the development of RESTful APIs by providing tools for creating structured, resource-based endpoints. Building on Flask Authentication, Flask User Registration, Flask User Login and Logout, Flask Password Hashing with Flask-Bcrypt, Flask Role-Based Access Control, Flask Protecting Routes with Flask-Login, Flask Managing User Sessions, Flask Using Flask Sessions, Flask Session Security, Flask Custom Session Backends, Flask Querying the Database, Flask Relationships in Models, and Flask APIs and Microservices, Flask-RESTful integrates with Flask-JWT-Extended, Flask-SQLAlchemy, and NumPy Array Operations for robust API development. This tutorial explores building REST APIs with Flask-RESTful, covering resource creation, request parsing, authentication, and practical applications in web development.
01. Why Use Flask-RESTful for REST APIs?
Flask-RESTful streamlines REST API development by offering: - Resource-Based Structure: Organizes endpoints around resources (e.g., users, products). - Request Parsing: Simplifies input validation and parsing. - Extensibility: Integrates with authentication, databases, and microservices. - Standardized Responses: Ensures consistent HTTP responses. It’s ideal for applications like e-commerce platforms, content management systems, or IoT backends, leveraging Flask-Login and custom session backends for secure user management.
Example: Basic Flask-RESTful API
from flask import Flask
from flask_restful import Api, Resource
app = Flask(__name__)
api = Api(app)
class HelloWorld(Resource):
def get(self):
return {'message': 'Hello, World!'}
api.add_resource(HelloWorld, '/api/hello')
if __name__ == '__main__':
app.run(debug=True)
Output:
GET /api/hello:
{"message": "Hello, World!"}
Explanation:
Api- Initializes Flask-RESTful for the Flask app.Resource- Defines a RESTful resource with HTTP methods.api.add_resource- Maps the resource to a URL endpoint.
02. Key Techniques for Flask-RESTful APIs
Flask-RESTful provides tools to build robust REST APIs. Below is a summary of key techniques and their applications:
| Technique | Description | Use Case |
|---|---|---|
| Resource Creation | Define RESTful endpoints | Manage users, products |
| Request Parsing | Validate and parse inputs | Ensure valid data |
| JWT Authentication | Secure endpoints with tokens | Protect sensitive data |
| Database Integration | Persist data with SQLAlchemy | Store user information |
| Error Handling | Manage API errors | Improve user experience |
2.1 Resource Creation
Example: User Resource
from flask import Flask
from flask_restful import Api, Resource, reqparse
app = Flask(__name__)
api = Api(app)
users = [{'id': 1, 'name': 'Alice'}, {'id': 2, 'name': 'Bob'}]
class UserResource(Resource):
def get(self, user_id):
user = next((u for u in users if u['id'] == user_id), None)
if user:
return user
return {'message': 'User not found'}, 404
def delete(self, user_id):
global users
users = [u for u in users if u['id'] != user_id]
return {'message': 'User deleted'}, 200
class UserListResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
def get(self):
return users
def post(self):
args = self.parser.parse_args()
user = {'id': len(users) + 1, 'name': args['name']}
users.append(user)
return user, 201
api.add_resource(UserListResource, '/api/users')
api.add_resource(UserResource, '/api/users/<int:user_id>')
if __name__ == '__main__':
app.run(debug=True)
Output:
GET /api/users:
[{"id": 1, "name": "Alice"}, {"id": 2, "name": "Bob"}]
POST /api/users with {"name": "Charlie"}:
{"id": 3, "name": "Charlie"}
GET /api/users/1:
{"id": 1, "name": "Alice"}
DELETE /api/users/1:
{"message": "User deleted"}
Explanation:
UserResource- Handles operations for a single user (GET, DELETE).UserListResource- Manages the user collection (GET, POST).
2.2 Request Parsing
Example: Request Parsing with Validation
from flask import Flask
from flask_restful import Api, Resource, reqparse
app = Flask(__name__)
api = Api(app)
class ProductResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
parser.add_argument('price', type=float, required=True, help='Price is required')
def post(self):
args = self.parser.parse_args()
product = {'id': 1, 'name': args['name'], 'price': args['price']}
return product, 201
api.add_resource(ProductResource, '/api/products')
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/products with {"name": "Laptop", "price": 999.99}:
{"id": 1, "name": "Laptop", "price": 999.99}
POST /api/products with {"name": "Laptop"}:
{"message": {"price": "Price is required"}}
Explanation:
reqparse.RequestParser- Validates required fields and types.- Automatically returns error messages for invalid inputs.
2.3 JWT Authentication
Example: JWT-Protected Resource
from flask import Flask
from flask_restful import Api, Resource, reqparse
from flask_jwt_extended import JWTManager, jwt_required, create_access_token
from flask_bcrypt import Bcrypt
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secure-key-123'
app.config['JWT_SECRET_KEY'] = 'jwt-secret-456'
api = Api(app)
jwt = JWTManager(app)
bcrypt = Bcrypt(app)
users = {'alice': bcrypt.generate_password_hash('password123').decode('utf-8')}
class LoginResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('username', type=str, required=True, help='Username is required')
parser.add_argument('password', type=str, required=True, help='Password is required')
def post(self):
args = self.parser.parse_args()
if args['username'] in users and bcrypt.check_password_hash(users[args['username']], args['password']):
access_token = create_access_token(identity=args['username'])
return {'access_token': access_token}
return {'message': 'Invalid credentials'}, 401
class UserResource(Resource):
@jwt_required()
def get(self, username):
if username in users:
return {'username': username}
return {'message': 'User not found'}, 404
api.add_resource(LoginResource, '/api/login')
api.add_resource(UserResource, '/api/users/<string:username>')
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/login with {"username": "alice", "password": "password123"}:
{"access_token": "eyJ..."}
GET /api/users/alice with Authorization: Bearer <token>:
{"username": "alice"}
Explanation:
Flask-JWT-Extended- Secures endpoints with JWT tokens.- Integrates with Flask-Bcrypt for secure password verification.
2.4 Database Integration with SQLAlchemy
Example: REST API with SQLAlchemy
from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_restful import Api, Resource, reqparse
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)
api = Api(app)
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(80), nullable=False)
class UserResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
def get(self, user_id):
user = User.query.get_or_404(user_id)
return {'id': user.id, 'name': user.name}
def put(self, user_id):
args = self.parser.parse_args()
user = User.query.get_or_404(user_id)
user.name = args['name']
db.session.commit()
return {'id': user.id, 'name': user.name}
def delete(self, user_id):
user = User.query.get_or_404(user_id)
db.session.delete(user)
db.session.commit()
return {'message': 'User deleted'}, 200
class UserListResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
def get(self):
users = User.query.all()
return [{'id': u.id, 'name': u.name} for u in users]
def post(self):
args = self.parser.parse_args()
user = User(name=args['name'])
db.session.add(user)
db.session.commit()
return {'id': user.id, 'name': user.name}, 201
api.add_resource(UserListResource, '/api/users')
api.add_resource(UserResource, '/api/users/<int:user_id>')
with app.app_context():
db.create_all()
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/users with {"name": "Charlie"}:
{"id": 1, "name": "Charlie"}
GET /api/users:
[{"id": 1, "name": "Charlie"}]
PUT /api/users/1 with {"name": "Charles"}:
{"id": 1, "name": "Charles"}
DELETE /api/users/1:
{"message": "User deleted"}
Explanation:
- Uses Flask-SQLAlchemy for persistent storage.
- Supports CRUD operations (Create, Read, Update, Delete).
2.5 Error Handling
Example: Custom Error Handling
from flask import Flask
from flask_restful import Api, Resource, reqparse, abort
app = Flask(__name__)
api = Api(app)
users = [{'id': 1, 'name': 'Alice'}]
class UserResource(Resource):
def get(self, user_id):
user = next((u for u in users if u['id'] == user_id), None)
if not user:
abort(404, message=f"User {user_id} not found")
return user
def put(self, user_id):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
args = parser.parse_args()
user = next((u for u in users if u['id'] == user_id), None)
if not user:
abort(404, message=f"User {user_id} not found")
user['name'] = args['name']
return user
api.add_resource(UserResource, '/api/users/<int:user_id>')
if __name__ == '__main__':
app.run(debug=True)
Output:
GET /api/users/1:
{"id": 1, "name": "Alice"}
GET /api/users/999:
{"message": "User 999 not found"}
PUT /api/users/1 with {"name": "Alicia"}:
{"id": 1, "name": "Alicia"}
PUT /api/users/999 with {"name": "Alicia"}:
{"message": "User 999 not found"}
Explanation:
abort- Returns custom error messages with appropriate HTTP status codes.- Improves API usability with clear error responses.
2.6 Insecure API Design
Example: Insecure Flask-RESTful API
from flask import Flask
from flask_restful import Api, Resource
app = Flask(__name__)
api = Api(app)
users = [{'id': 1, 'name': 'Alice', 'password': 'secret'}]
class UserResource(Resource):
def get(self, user_id):
# No authentication
user = next((u for u in users if u['id'] == user_id), None)
return user if user else {'message': 'User not found'}, 404
def post(self):
# No validation
user = request.get_json()
users.append(user)
return user, 201
api.add_resource(UserResource, '/api/users/<int:user_id>')
if __name__ == '__main__':
app.run(debug=True)
Output:
GET /api/users/1:
{"id": 1, "name": "Alice", "password": "secret"}
POST /api/users/2 with {"id": 2, "name": "Bob", "password": "secret"}:
{"id": 2, "name": "Bob", "password": "secret"}
Explanation:
- Lacks authentication, exposing sensitive data like passwords.
- No input validation, risking malformed data.
- Solution: Add JWT authentication and use
reqparse.
03. Effective Usage
3.1 Recommended Practices
- Use Flask-RESTful with Flask-JWT-Extended, Flask-SQLAlchemy, and secure session backends.
Example: Comprehensive REST API
from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_restful import Api, Resource, reqparse, abort
from flask_jwt_extended import JWTManager, jwt_required, create_access_token
from flask_bcrypt import Bcrypt
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///secure_api.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['SECRET_KEY'] = 'secure-key-101'
app.config['JWT_SECRET_KEY'] = 'jwt-secret-202'
db = SQLAlchemy(app)
api = Api(app)
jwt = JWTManager(app)
bcrypt = Bcrypt(app)
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(80), unique=True, nullable=False)
password_hash = db.Column(db.String(120), nullable=False)
class UserResource(Resource):
@jwt_required()
def get(self, user_id):
user = User.query.get_or_404(user_id)
return {'id': user.id, 'username': user.username}
@jwt_required()
def put(self, user_id):
parser = reqparse.RequestParser()
parser.add_argument('username', type=str, required=True, help='Username is required')
args = parser.parse_args()
user = User.query.get_or_404(user_id)
if User.query.filter_by(username=args['username']).first() and args['username'] != user.username:
abort(400, message='Username already exists')
user.username = args['username']
db.session.commit()
return {'id': user.id, 'username': user.username}
@jwt_required()
def delete(self, user_id):
user = User.query.get_or_404(user_id)
db.session.delete(user)
db.session.commit()
return {'message': 'User deleted'}, 200
class UserListResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('username', type=str, required=True, help='Username is required')
parser.add_argument('password', type=str, required=True, help='Password is required')
def post(self):
args = self.parser.parse_args()
if User.query.filter_by(username=args['username']).first():
abort(400, message='Username already exists')
user = User(username=args['username'], password_hash=bcrypt.generate_password_hash(args['password']).decode('utf-8'))
db.session.add(user)
db.session.commit()
return {'id': user.id, 'username': user.username}, 201
class LoginResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('username', type=str, required=True, help='Username is required')
parser.add_argument('password', type=str, required=True, help='Password is required')
def post(self):
args = self.parser.parse_args()
user = User.query.filter_by(username=args['username']).first()
if user and bcrypt.check_password_hash(user.password_hash, args['password']):
access_token = create_access_token(identity=user.id)
return {'access_token': access_token}
return {'message': 'Invalid credentials'}, 401
api.add_resource(UserListResource, '/api/users')
api.add_resource(UserResource, '/api/users/<int:user_id>')
api.add_resource(LoginResource, '/api/login')
with app.app_context():
db.create_all()
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/users with {"username": "frank", "password": "secure123"}:
{"id": 1, "username": "frank"}
POST /api/login with {"username": "frank", "password": "secure123"}:
{"access_token": "eyJ..."}
GET /api/users/1 with Authorization: Bearer <token>:
{"id": 1, "username": "frank"}
PUT /api/users/1 with {"username": "frankie"} and Bearer token:
{"id": 1, "username": "frankie"}
DELETE /api/users/1 with Bearer token:
{"message": "User deleted"}
- Combines Flask-RESTful, Flask-JWT-Extended, Flask-SQLAlchemy, and Flask-Bcrypt.
- Implements secure CRUD operations with JWT authentication.
- Uses request parsing and custom error handling.
3.2 Practices to Avoid
- Avoid unauthenticated endpoints, unvalidated inputs, or exposing sensitive data.
Example: Insecure REST API
from flask import Flask
from flask_restful import Api, Resource
app = Flask(__name__)
api = Api(app)
users = [{'id': 1, 'name': 'Alice', 'password': 'secret'}]
class UserResource(Resource):
def get(self, user_id):
# No authentication
user = next((u for u in users if u['id'] == user_id), None)
return user if user else {'message': 'User not found'}, 404
def post(self):
# No validation
user = request.get_json()
users.append(user)
return user, 201
api.add_resource(UserResource, '/api/users/<int:user_id>')
if __name__ == '__main__':
app.run(debug=True)
Output:
GET /api/users/1:
{"id": 1, "name": "Alice", "password": "secret"}
POST /api/users/2 with {"id": 2, "name": "Bob", "password": "secret"}:
{"id": 2, "name": "Bob", "password": "secret"}
- Exposes sensitive data and lacks input validation.
- Solution: Use JWT authentication and
reqparse.
04. Common Use Cases in Web Development
4.1 E-commerce Product API
Build a RESTful API for managing products in an e-commerce platform.
Example: Product API
from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_restful import Api, Resource, reqparse
from flask_jwt_extended import JWTManager, jwt_required
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///products.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['JWT_SECRET_KEY'] = 'jwt-secret-303'
db = SQLAlchemy(app)
api = Api(app)
jwt = JWTManager(app)
class Product(db.Model):
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(100), nullable=False)
price = db.Column(db.Float, nullable=False)
class ProductResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
parser.add_argument('price', type=float, required=True, help='Price is required')
@jwt_required()
def get(self, product_id):
product = Product.query.get_or_404(product_id)
return {'id': product.id, 'name': product.name, 'price': product.price}
@jwt_required()
def put(self, product_id):
args = self.parser.parse_args()
product = Product.query.get_or_404(product_id)
product.name = args['name']
product.price = args['price']
db.session.commit()
return {'id': product.id, 'name': product.name, 'price': product.price}
@jwt_required()
def delete(self, product_id):
product = Product.query.get_or_404(product_id)
db.session.delete(product)
db.session.commit()
return {'message': 'Product deleted'}, 200
class ProductListResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('name', type=str, required=True, help='Name is required')
parser.add_argument('price', type=float, required=True, help='Price is required')
@jwt_required()
def get(self):
products = Product.query.all()
return [{'id': p.id, 'name': p.name, 'price': p.price} for p in products]
@jwt_required()
def post(self):
args = self.parser.parse_args()
product = Product(name=args['name'], price=args['price'])
db.session.add(product)
db.session.commit()
return {'id': product.id, 'name': product.name, 'price': product.price}, 201
api.add_resource(ProductListResource, '/api/products')
api.add_resource(ProductResource, '/api/products/<int:product_id>')
with app.app_context():
db.create_all()
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/products with {"name": "Laptop", "price": 999.99} and Bearer token:
{"id": 1, "name": "Laptop", "price": 999.99}
GET /api/products with Bearer token:
[{"id": 1, "name": "Laptop", "price": 999.99}]
PUT /api/products/1 with {"name": "Laptop Pro", "price": 1299.99} and Bearer token:
{"id": 1, "name": "Laptop Pro", "price": 1299.99}
DELETE /api/products/1 with Bearer token:
{"message": "Product deleted"}
Explanation:
- Secures product endpoints with JWT authentication.
- Uses SQLAlchemy for persistent storage and Flask-RESTful for structure.
4.2 Task Management API
Create a RESTful API for managing tasks in a productivity app.
Example: Task Management API
from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_restful import Api, Resource, reqparse
from flask_jwt_extended import JWTManager, jwt_required, get_jwt_identity
app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///tasks.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['JWT_SECRET_KEY'] = 'jwt-secret-404'
db = SQLAlchemy(app)
api = Api(app)
jwt = JWTManager(app)
class Task(db.Model):
id = db.Column(db.Integer, primary_key=True)
title = db.Column(db.String(100), nullable=False)
user_id = db.Column(db.Integer, nullable=False)
class TaskResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('title', type=str, required=True, help='Title is required')
@jwt_required()
def get(self, task_id):
task = Task.query.get_or_404(task_id)
if task.user_id != get_jwt_identity():
return {'message': 'Unauthorized'}, 403
return {'id': task.id, 'title': task.title, 'user_id': task.user_id}
@jwt_required()
def put(self, task_id):
args = self.parser.parse_args()
task = Task.query.get_or_404(task_id)
if task.user_id != get_jwt_identity():
return {'message': 'Unauthorized'}, 403
task.title = args['title']
db.session.commit()
return {'id': task.id, 'title': task.title, 'user_id': task.user_id}
@jwt_required()
def delete(self, task_id):
task = Task.query.get_or_404(task_id)
if task.user_id != get_jwt_identity():
return {'message': 'Unauthorized'}, 403
db.session.delete(task)
db.session.commit()
return {'message': 'Task deleted'}, 200
class TaskListResource(Resource):
parser = reqparse.RequestParser()
parser.add_argument('title', type=str, required=True, help='Title is required')
@jwt_required()
def get(self):
user_id = get_jwt_identity()
tasks = Task.query.filter_by(user_id=user_id).all()
return [{'id': t.id, 'title': t.title, 'user_id': t.user_id} for t in tasks]
@jwt_required()
def post(self):
args = self.parser.parse_args()
user_id = get_jwt_identity()
task = Task(title=args['title'], user_id=user_id)
db.session.add(task)
db.session.commit()
return {'id': task.id, 'title': task.title, 'user_id': task.user_id}, 201
api.add_resource(TaskListResource, '/api/tasks')
api.add_resource(TaskResource, '/api/tasks/<int:task_id>')
with app.app_context():
db.create_all()
if __name__ == '__main__':
app.run(debug=True)
Output:
POST /api/tasks with {"title": "Write report"} and Bearer token:
{"id": 1, "title": "Write report", "user_id": 1}
GET /api/tasks with Bearer token:
[{"id": 1, "title": "Write report", "user_id": 1}]
PUT /api/tasks/1 with {"title": "Finalize report"} and Bearer token:
{"id": 1, "title": "Finalize report", "user_id": 1}
DELETE /api/tasks/1 with Bearer token:
{"message": "Task deleted"}
Explanation:
- Ensures tasks are accessible only to their owners using
get_jwt_identity. - Integrates with SQLAlchemy for task storage.
Conclusion
Building REST APIs with Flask-RESTful, integrated with Flask-JWT-Extended, Flask-SQLAlchemy, Flask APIs and Microservices, and NumPy Array Operations, enables secure and scalable web applications. Key takeaways:
- Use Flask-RESTful for structured, resource-based APIs.
- Secure endpoints with JWT and validate inputs with
reqparse. - Integrate with SQLAlchemy for persistent storage and handle errors effectively.
- Apply in e-commerce, task management, or other domains for robust APIs.
With these techniques, you can build Flask-RESTful APIs that are secure, maintainable, and developer-friendly, meeting the demands of modern web development!
Comments
Post a Comment