Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
This is a Deliv only version of this gem locked at 0.8.0 with backported fixes for https://nvd.nist.gov/vuln/detail/CVE-2018-3769.
Edit this gem with extream care! - David
Grape is a REST-like API micro-framework for Ruby. It's designed to run on Rack or complement existing web application frameworks such as Rails and Sinatra by providing a simple DSL to easily develop RESTful APIs. It has built-in support for common conventions, including multiple formats, subdomain/prefix restriction, content negotiation, versioning and much more.
You're reading the documentation for the stable release of Grape, 0.8.0. Please read UPGRADING when upgrading from a previous version.
Grape is available as a gem, to install it just install the gem:
gem install grape
If you're using Bundler, add the gem to Gemfile.
gem 'grape'
Run bundle install
.
Grape APIs are Rack applications that are created by subclassing Grape::API
.
Below is a simple example showing some of the more common features of Grape in
the context of recreating parts of the Twitter API.
module Twitter
class API < Grape::API
version 'v1', using: :header, vendor: 'twitter'
format :json
helpers do
def current_user
@current_user ||= User.authorize!(env)
end
def authenticate!
error!('401 Unauthorized', 401) unless current_user
end
end
resource :statuses do
desc "Return a public timeline."
get :public_timeline do
Status.limit(20)
end
desc "Return a personal timeline."
get :home_timeline do
authenticate!
current_user.statuses.limit(20)
end
desc "Return a status."
params do
requires :id, type: Integer, desc: "Status id."
end
route_param :id do
get do
Status.find(params[:id])
end
end
desc "Create a status."
params do
requires :status, type: String, desc: "Your status."
end
post do
authenticate!
Status.create!({
user: current_user,
text: params[:status]
})
end
desc "Update a status."
params do
requires :id, type: String, desc: "Status ID."
requires :status, type: String, desc: "Your status."
end
put ':id' do
authenticate!
current_user.statuses.find(params[:id]).update({
user: current_user,
text: params[:status]
})
end
desc "Delete a status."
params do
requires :id, type: String, desc: "Status ID."
end
delete ':id' do
authenticate!
current_user.statuses.find(params[:id]).destroy
end
end
end
end
The above sample creates a Rack application that can be run from a rackup config.ru
file
with rackup
:
run Twitter::API
And would respond to the following routes:
GET /statuses/public_timeline(.json)
GET /statuses/home_timeline(.json)
GET /statuses/:id(.json)
POST /statuses(.json)
PUT /statuses/:id(.json)
DELETE /statuses/:id(.json)
Grape will also automatically respond to HEAD and OPTIONS for all GET, and just OPTIONS for all other routes.
If you wish to mount Grape alongside another Rack framework such as Sinatra, you can do so easily using
Rack::Cascade
:
# Example config.ru
require 'sinatra'
require 'grape'
class API < Grape::API
get :hello do
{ hello: "world" }
end
end
class Web < Sinatra::Base
get '/' do
"Hello world."
end
end
use Rack::Session::Cookie
run Rack::Cascade.new [API, Web]
Place API files into app/api
. Rails expects a subdirectory that matches the name of the Ruby module and a file name that matches the name of the class. In our example, the file name location and directory for Twitter::API
should be app/api/twitter/api.rb
.
Modify application.rb
:
config.paths.add File.join('app', 'api'), glob: File.join('**', '*.rb')
config.autoload_paths += Dir[Rails.root.join('app', 'api', '*')]
Modify config/routes
:
mount Twitter::API => '/'
See below for additional code that enables reloading of API changes in development.
You can mount multiple API implementations inside another one. These don't have to be different versions, but may be components of the same API.
class Twitter::API < Grape::API
mount Twitter::APIv1
mount Twitter::APIv2
end
You can also mount on a path, which is similar to using prefix
inside the mounted API itself.
class Twitter::API < Grape::API
mount Twitter::APIv1 => '/v1'
end
There are four strategies in which clients can reach your API's endpoints: :path
,
:header
, :accept_version_header
and :param
. The default strategy is :path
.
version 'v1', using: :path
Using this versioning strategy, clients should pass the desired version in the URL.
curl -H http://localhost:9292/v1/statuses/public_timeline
version 'v1', using: :header, vendor: 'twitter'
Using this versioning strategy, clients should pass the desired version in the HTTP Accept
head.
curl -H Accept:application/vnd.twitter-v1+json http://localhost:9292/statuses/public_timeline
By default, the first matching version is used when no Accept
header is
supplied. This behavior is similar to routing in Rails. To circumvent this default behavior,
one could use the :strict
option. When this option is set to true
, a 406 Not Acceptable
error
is returned when no correct Accept
header is supplied.
When an invalid Accept
header is supplied, a 406 Not Acceptable
error is returned if the :cascade
option is set to false
. Otherwise a 404 Not Found
error is returned by Rack if no other route
matches.
version 'v1', using: :accept_version_header
Using this versioning strategy, clients should pass the desired version in the HTTP Accept-Version
header.
curl -H "Accept-Version:v1" http://localhost:9292/statuses/public_timeline
By default, the first matching version is used when no Accept-Version
header is
supplied. This behavior is similar to routing in Rails. To circumvent this default behavior,
one could use the :strict
option. When this option is set to true
, a 406 Not Acceptable
error
is returned when no correct Accept
header is supplied.
version 'v1', using: :param
Using this versioning strategy, clients should pass the desired version as a request parameter, either in the URL query string or in the request body.
curl -H http://localhost:9292/statuses/public_timeline?apiver=v1
The default name for the query parameter is 'apiver' but can be specified using the :parameter
option.
version 'v1', using: :param, parameter: "v"
curl -H http://localhost:9292/statuses/public_timeline?v=v1
You can add a description to API methods and namespaces.
desc "Returns your public timeline."
get :public_timeline do
Status.limit(20)
end
Request parameters are available through the params
hash object. This includes GET
, POST
and PUT
parameters, along with any named parameters you specify in your route strings.
get :public_timeline do
Status.order(params[:sort_by])
end
Parameters are automatically populated from the request body on POST
and PUT
for form input, JSON and
XML content-types.
The request:
curl -d '{"text": "140 characters"}' 'http://localhost:9292/statuses' -H Content-Type:application/json -v
The Grape endpoint:
post '/statuses' do
Status.create!(text: params[:text])
end
Multipart POSTs and PUTs are supported as well.
The request:
curl --form image_file=@image.jpg http://localhost:9292/upload
The Grape endpoint:
post "upload" do
# file in params[:image_file]
end
In the case of conflict between either of:
GET
, POST
and PUT
parametersPOST
and PUT
route string parameters will have precedence.
You can define validations and coercion options for your parameters using a params
block.
params do
requires :id, type: Integer
optional :text, type: String, regexp: /^[a-z]+$/
group :media do
requires :url
end
optional :audio do
requires :format, type: Symbol, values: [:mp3, :wav, :aac, :ogg], default: :mp3
end
mutually_exclusive :media, :audio
end
put ':id' do
# params[:id] is an Integer
end
When a type is specified an implicit validation is done after the coercion to ensure the output type is the one declared.
Optional parameters can have a default value.
params do
optional :color, type: String, default: 'blue'
optional :random_number, type: Integer, default: -> { Random.rand(1..100) }
optional :non_random_number, type: Integer, default: Random.rand(1..100)
end
Parameters can be restricted to a specific set of values with the :values
option.
Default values are eagerly evaluated. Above :non_random_number
will evaluate to the same
number for each call to the endpoint of this params
block. To have the default evaluate
at calltime use a lambda, like :random_number
above.
params do
requires :status, type: Symbol, values: [:not_started, :processing, :done]
end
The :values option can also be supplied with a Proc
to be evalutated at runtime. For example, given a status
model you may want to restrict by hashtags that you have previously defined in the HashTag
model.
params do
required :hashtag, type: String, values: -> { Hashtag.all.map(&:tag) }
end
Parameters can be nested using group
or by calling requires
or optional
with a block.
In the above example, this means params[:media][:url]
is required along with params[:id]
,
and params[:audio][:format]
is required only if params[:audio]
is present.
With a block, group
, requires
and optional
accept an additional option type
which can
be either Array
or Hash
, and defaults to Array
. Depending on the value, the nested
parameters will be treated either as values of a hash or as values of hashes in an array.
params do
optional :preferences, type: Array do
requires :key
requires :value
end
requires :name, type: Hash do
requires :first_name
requires :last_name
end
end
Parameters can be defined as mutually_exclusive
, ensuring that they aren't present at the same time in a request.
params do
optional :beer
optional :wine
mutually_exclusive :beer, :wine
end
Multiple sets can be defined:
params do
optional :beer
optional :wine
mutually_exclusive :beer, :wine
optional :scotch
optional :aquavit
mutually_exclusive :scotch, :aquavit
end
Warning: Never define mutually exclusive sets with any required params. Two mutually exclusive required params will mean params are never valid, thus making the endpoint useless. One required param mutually exclusive with an optional param will mean the latter is never valid.
Parameters can be defined as 'exactly_one_of', ensuring that exactly one parameter gets selected.
params do
optional :beer
optional :wine
exactly_one_of :beer, :wine
end
Namespaces allow parameter definitions and apply to every method within the namespace.
namespace :statuses do
params do
requires :user_id, type: Integer, desc: "A user ID."
end
namespace ":user_id" do
desc "Retrieve a user's status."
params do
requires :status_id, type: Integer, desc: "A status ID."
end
get ":status_id" do
User.find(params[:user_id]).statuses.find(params[:status_id])
end
end
end
The namespace
method has a number of aliases, including: group
, resource
,
resources
, and segment
. Use whichever reads the best for your API.
You can conveniently define a route parameter as a namespace using route_param
.
namespace :statuses do
route_param :id do
desc "Returns all replies for a status."
get 'replies' do
Status.find(params[:id]).replies
end
desc "Returns a status."
get do
Status.find(params[:id])
end
end
end
class AlphaNumeric < Grape::Validations::Validator
def validate_param!(attr_name, params)
unless params[attr_name] =~ /^[[:alnum:]]+$/
raise Grape::Exceptions::Validation, param: @scope.full_name(attr_name), message: "must consist of alpha-numeric characters"
end
end
end
params do
requires :text, alpha_numeric: true
end
You can also create custom classes that take parameters.
class Length < Grape::Validations::SingleOptionValidator
def validate_param!(attr_name, params)
unless params[attr_name].length <= @option
raise Grape::Exceptions::Validation, param: @scope.full_name(attr_name), message: "must be at the most #{@option} characters long"
end
end
end
params do
requires :text, length: 140
end
Validation and coercion errors are collected and an exception of type Grape::Exceptions::ValidationErrors
is raised.
If the exception goes uncaught it will respond with a status of 400 and an error message.
You can rescue a Grape::Exceptions::ValidationErrors
and respond with a custom response.
rescue_from Grape::Exceptions::ValidationErrors do |e|
Rack::Response.new({
status: e.status,
message: e.message,
errors: e.errors
}.to_json, e.status)
end
The validation errors are grouped by parameter name and can be accessed via Grape::Exceptions::ValidationErrors#errors
.
Grape supports I18n for parameter-related error messages, but will fallback to English if translations for the default locale have not been provided. See en.yml for message keys.
Request headers are available through the headers
helper or from env
in their original form.
get do
error!('Unauthorized', 401) unless headers['Secret-Password'] == 'swordfish'
end
get do
error!('Unauthorized', 401) unless env['HTTP_SECRET_PASSWORD'] == 'swordfish'
end
You can set a response header with header
inside an API.
header 'X-Robots-Tag', 'noindex'
When raising error!
, pass additional headers as arguments.
error! 'Unauthorized', 401, 'X-Error-Detail' => 'Invalid token.'
Optionally, you can define requirements for your named route parameters using regular expressions on namespace or endpoint. The route will match only if all requirements are met.
get ':id', requirements: { id: /[0-9]*/ } do
Status.find(params[:id])
end
namespace :outer, requirements: { id: /[0-9]*/ } do
get :id do
end
get ":id/edit" do
end
end
You can define helper methods that your endpoints can use with the helpers
macro by either giving a block or a module.
module StatusHelpers
def user_info(user)
"#{user} has statused #{user.statuses} status(s)"
end
end
class API < Grape::API
# define helpers with a block
helpers do
def current_user
User.find(params[:user_id])
end
end
# or mix in a module
helpers StatusHelpers
get 'info' do
# helpers available in your endpoint and filters
user_info(current_user)
end
end
You can define reusable params
using helpers
.
class API < Grape::API
helpers do
params :pagination do
optional :page, type: Integer
optional :per_page, type: Integer
end
end
desc "Get collection"
params do
use :pagination # aliases: includes, use_scope
end
get do
Collection.page(params[:page]).per(params[:per_page])
end
end
You can also define reusable params
using shared helpers.
module SharedParams
extend Grape::API::Helpers
params :period do
optional :start_date
optional :end_date
end
params :pagination do
optional :page, type: Integer
optional :per_page, type: Integer
end
end
class API < Grape::API
helpers SharedParams
desc "Get collection."
params do
use :period, :pagination
end
get do
Collection
.from(params[:start_date])
.to(params[:end_date])
.page(params[:page])
.per(params[:per_page])
end
end
Helpers support blocks that can help set default values. The following API can return a collection sorted by id
or created_at
in asc
or desc
order.
module SharedParams
extend Grape::API::Helpers
params :order do |options|
optional :order_by, type:Symbol, values:options[:order_by], default:options[:default_order_by]
optional :order, type:Symbol, values:%i(asc desc), default:options[:default_order]
end
end
class API < Grape::API
helpers SharedParams
desc "Get a sorted collection."
params do
use :order, order_by:%i(id created_at), default_order_by: :created_at, default_order: :asc
end
get do
Collection.send(params[:order], params[:order_by])
end
end
You can attach additional documentation to params
using a documentation
hash.
params do
optional :first_name, type: String, documentation: { example: 'Jim' }
requires :last_name, type: String, documentation: { example: 'Smith' }
end
You can set, get and delete your cookies very simply using cookies
method.
class API < Grape::API
get 'status_count' do
cookies[:status_count] ||= 0
cookies[:status_count] += 1
{ status_count: cookies[:status_count] }
end
delete 'status_count' do
{ status_count: cookies.delete(:status_count) }
end
end
Use a hash-based syntax to set more than one value.
cookies[:status_count] = {
value: 0,
expires: Time.tomorrow,
domain: '.twitter.com',
path: '/'
}
cookies[:status_count][:value] +=1
Delete a cookie with delete
.
cookies.delete :status_count
Specify an optional path.
cookies.delete :status_count, path: '/'
You can redirect to a new url temporarily (302) or permanently (301).
redirect '/statuses'
redirect '/statuses', permanent: true
When you add a GET
route for a resource, a route for the HEAD
method will also be added automatically. You can disable this
behavior with do_not_route_head!
.
class API < Grape::API
do_not_route_head!
get '/example' do
# only responds to GET
end
end
When you add a route for a resource, a route for the OPTIONS
method will also be added. The response to an OPTIONS request will
include an "Allow" header listing the supported methods.
class API < Grape::API
get '/rt_count' do
{ rt_count: current_user.rt_count }
end
params do
requires :value, type: Integer, desc: 'Value to add to the rt count.'
end
put '/rt_count' do
current_user.rt_count += params[:value].to_i
{ rt_count: current_user.rt_count }
end
end
curl -v -X OPTIONS http://localhost:3000/rt_count
> OPTIONS /rt_count HTTP/1.1
>
< HTTP/1.1 204 No Content
< Allow: OPTIONS, GET, PUT
You can disable this behavior with do_not_route_options!
.
If a request for a resource is made with an unsupported HTTP method, an HTTP 405 (Method Not Allowed) response will be returned.
curl -X DELETE -v http://localhost:3000/rt_count/
> DELETE /rt_count/ HTTP/1.1
> Host: localhost:3000
>
< HTTP/1.1 405 Method Not Allowed
< Allow: OPTIONS, GET, PUT
You can abort the execution of an API method by raising errors with error!
.
error! 'Access Denied', 401
You can also return JSON formatted objects by raising error! and passing a hash instead of a message.
error!({ error: "unexpected error", detail: "missing widget" }, 500)
By default Grape returns a 500 status code from error!
. You can change this with default_error_status
.
class API < Grape::API
default_error_status 400
get '/example' do
error! "This should have http status code 400"
end
end
For Grape to handle all the 404s for your API, it can be useful to use a catch-all. In its simplest form, it can be like:
route :any, '*path' do
error! # or something else
end
It is very crucial to define this endpoint at the very end of your API, as it literally accepts every request.
Grape can be told to rescue all exceptions and return them in the API format.
class Twitter::API < Grape::API
rescue_from :all
end
You can also rescue specific exceptions.
class Twitter::API < Grape::API
rescue_from ArgumentError, UserDefinedError
end
In this case UserDefinedError
must be inherited from StandardError
.
The error format will match the request format. See "Content-Types" below.
Custom error formatters for existing and additional types can be defined with a proc.
class Twitter::API < Grape::API
error_formatter :txt, lambda { |message, backtrace, options, env|
"error: #{message} from #{backtrace}"
}
end
You can also use a module or class.
module CustomFormatter
def self.call(message, backtrace, options, env)
{ message: message, backtrace: backtrace }
end
end
class Twitter::API < Grape::API
error_formatter :custom, CustomFormatter
end
You can rescue all exceptions with a code block. The error_response
wrapper
automatically sets the default error code and content-type.
class Twitter::API < Grape::API
rescue_from :all do |e|
error_response({ message: "rescued from #{e.class.name}" })
end
end
You can also rescue specific exceptions with a code block and handle the Rack response at the lowest level.
class Twitter::API < Grape::API
rescue_from :all do |e|
Rack::Response.new([ e.message ], 500, { "Content-type" => "text/error" }).finish
end
end
Or rescue specific exceptions.
class Twitter::API < Grape::API
rescue_from ArgumentError do |e|
Rack::Response.new([ "ArgumentError: #{e.message}" ], 500).finish
end
rescue_from NotImplementedError do |e|
Rack::Response.new([ "NotImplementedError: #{e.message}" ], 500).finish
end
end
By default, rescue_from
will rescue the exceptions listed and all their subclasses.
Assume you have the following exception classes defined.
module APIErrors
class ParentError < StandardError; end
class ChildError < ParentError; end
end
Then the following rescue_from
clause will rescue exceptions of type APIErrors::ParentError
and its subclasses (in this case APIErrors::ChildError
).
rescue_from APIErrors::ParentError do |e|
Rack::Response.new({
error: "#{e.class} error",
message: e.message
}.to_json, e.status).finish
end
To only rescue the base exception class, set rescue_subclasses: false
.
The code below will rescue exceptions of type RuntimeError
but not its subclasses.
rescue_from RuntimeError, rescue_subclasses: false do |e|
Rack::Response.new({
status: e.status,
message: e.message,
errors: e.errors
}.to_json, e.status).finish
end
When mounted inside containers, such as Rails 3.x, errors like "404 Not Found" or
"406 Not Acceptable" will likely be handled and rendered by Rails handlers. For instance,
accessing a nonexistent route "/api/foo" raises a 404, which inside rails will ultimately
be translated to an ActionController::RoutingError
, which most likely will get rendered
to a HTML error page.
Most APIs will enjoy preventing downstream handlers from handling errors. You may set the
:cascade
option to false
for the entire API or separately on specific version
definitions,
which will remove the X-Cascade: true
header from API responses.
cascade false
version 'v1', using: :header, vendor: 'twitter', cascade: false
Grape::API
provides a logger
method which by default will return an instance of the Logger
class from Ruby's standard library.
To log messages from within an endpoint, you need to define a helper to make the logger available in the endpoint context.
class API < Grape::API
helpers do
def logger
API.logger
end
end
post '/statuses' do
# ...
logger.info "#{current_user} has statused"
end
end
You can also set your own logger.
class MyLogger
def warning(message)
puts "this is a warning: #{message}"
end
end
class API < Grape::API
logger MyLogger.new
helpers do
def logger
API.logger
end
end
get '/statuses' do
logger.warning "#{current_user} has statused"
end
end
By default, Grape supports XML, JSON, and TXT content-types. The default format is :txt
.
Serialization takes place automatically. For example, you do not have to call to_json
in each JSON API implementation.
Your API can declare which types to support by using content_type
. Response format is determined by the
request's extension, an explicit format
parameter in the query string, or Accept
header.
The following API will only respond to the JSON content-type and will not parse any other input than application/json
,
application/x-www-form-urlencoded
, multipart/form-data
, multipart/related
and multipart/mixed
. All other requests
will fail with an HTTP 406 error code.
class Twitter::API < Grape::API
format :json
end
When the content-type is omitted, Grape will return a 406 error code unless default_format
is specified.
The following API will try to parse any data without a content-type using a JSON parser.
class Twitter::API < Grape::API
format :json
default_format :json
end
If you combine format
with rescue_from :all
, errors will be rendered using the same format.
If you do not want this behavior, set the default error formatter with default_error_formatter
.
class Twitter::API < Grape::API
format :json
content_type :txt, "text/plain"
default_error_formatter :txt
end
Custom formatters for existing and additional types can be defined with a proc.
class Twitter::API < Grape::API
content_type :xls, "application/vnd.ms-excel"
formatter :xls, lambda { |object, env| object.to_xls }
end
You can also use a module or class.
module XlsFormatter
def self.call(object, env)
object.to_xls
end
end
class Twitter::API < Grape::API
content_type :xls, "application/vnd.ms-excel"
formatter :xls, XlsFormatter
end
Built-in formats are the following.
:json
and :jsonapi
: use object's to_json
when available, otherwise call MultiJson.dump
:xml
: use object's to_xml
when available, usually via MultiXml
, otherwise call to_s
:txt
: use object's to_txt
when available, otherwise to_s
:serializable_hash
: use object's serializable_hash
when available, otherwise fallback to :json
Use default_format
to set the fallback format when the format could not be determined from the Accept
header.
See below for the order for choosing the API format.
class Twitter::API < Grape::API
default_format :json
end
The order for choosing the format is the following.
format
parameter in the query string, if specified.format
option, if specified.Accept
header.default_format
option.:txt
.You can override this process explicitly by specifying env['api.format']
in the API itself.
For example, the following API will let you upload arbitrary files and return their contents as an attachment with the correct MIME type.
class Twitter::API < Grape::API
post "attachment" do
filename = params[:file][:filename]
content_type MIME::Types.type_for(filename)[0].to_s
env['api.format'] = :binary # there's no formatter for :binary, data will be returned "as is"
header "Content-Disposition", "attachment; filename*=UTF-8''#{URI.escape(filename)}"
params[:file][:tempfile].read
end
end
Grape supports JSONP via Rack::JSONP, part of the
rack-contrib gem. Add rack-contrib
to your Gemfile
.
require 'rack/contrib'
class API < Grape::API
use Rack::JSONP
format :json
get '/' do
'Hello World'
end
end
Grape supports CORS via Rack::CORS, part of the
rack-cors gem. Add rack-cors
to your Gemfile
,
then use the middleware in your config.ru file.
require 'rack/cors'
use Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: :get
end
end
run Twitter::API
Content-type is set by the formatter. You can override the content-type of the response at runtime
by setting the Content-Type
header.
class API < Grape::API
get '/home_timeline_js' do
content_type "application/javascript"
"var statuses = ...;"
end
end
Grape accepts and parses input data sent with the POST and PUT methods as described in the Parameters
section above. It also supports custom data formats. You must declare additional content-types via
content_type
and optionally supply a parser via parser
unless a parser is already available within
Grape to enable a custom format. Such a parser can be a function or a class.
With a parser, parsed data is available "as-is" in env['api.request.body']
.
Without a parser, data is available "as-is" and in env['api.request.input']
.
The following example is a trivial parser that will assign any input with the "text/custom" content-type
to :value
. The parameter will be available via params[:value]
inside the API call.
module CustomParser
def self.call(object, env)
{ value: object.to_s }
end
end
content_type :txt, "text/plain"
content_type :custom, "text/custom"
parser :custom, CustomParser
put "value" do
params[:value]
end
You can invoke the above API as follows.
curl -X PUT -d 'data' 'http://localhost:9292/value' -H Content-Type:text/custom -v
You can disable parsing for a content-type with nil
. For example, parser :json, nil
will disable JSON parsing altogether. The request data is then available as-is in env['api.request.body']
.
Grape supports a range of ways to present your data with some help from a generic present
method,
which accepts two arguments: the object to be presented and the options associated with it. The options
hash may include :with
, which defines the entity to expose.
Add the grape-entity gem to your Gemfile. Please refer to the grape-entity documentation for more details.
The following example exposes statuses.
module API
module Entities
class Status < Grape::Entity
expose :user_name
expose :text, documentation: { type: "string", desc: "Status update text." }
expose :ip, if: { type: :full }
expose :user_type, :user_id, if: lambda { |status, options| status.user.public? }
expose :digest { |status, options| Digest::MD5.hexdigest(status.txt) }
expose :replies, using: API::Status, as: :replies
end
end
class Statuses < Grape::API
version 'v1'
desc 'Statuses index', {
params: API::Entities::Status.documentation
}
get '/statuses' do
statuses = Status.all
type = current_user.admin? ? :full : :default
present statuses, with: API::Entities::Status, type: type
end
end
end
You can use entity documentation directly in the params block with using: Entity.documentation
.
module API
class Statuses < Grape::API
version 'v1'
desc 'Create a status'
params do
requires :all, except: [:ip], using: API::Entities::Status.documentation.except(:id)
end
post '/status' do
Status.create! params
end
end
end
You can present with multiple entities using an optional Symbol argument.
get '/statuses' do
statuses = Status.all.page(1).per(20)
present :total_page, 10
present :per_page, 20
present :statuses, statuses, with: API::Entities::Status
end
The response will be
{
total_page: 10,
per_page: 20,
statuses: []
}
In addition to separately organizing entities, it may be useful to put them as namespaced classes underneath the model they represent.
class Status
def entity
Entity.new(self)
end
class Entity < Grape::Entity
expose :text, :user_id
end
end
If you organize your entities this way, Grape will automatically detect the Entity
class and
use it to present your models. In this example, if you added present Status.new
to your endpoint,
Grape will automatically detect that there is a Status::Entity
class and use that as the
representative entity. This can still be overridden by using the :with
option or an explicit
represents
call.
You can use any Hypermedia representer, including Roar.
Roar renders JSON and works with the built-in Grape JSON formatter. Add Roar::Representer::JSON
into your models or call to_json
explicitly in your API implementation.
You can use Rabl templates with the help of the grape-rabl gem, which defines a custom Grape Rabl formatter.
You can use Active Model Serializers serializers with the help of the grape-active_model_serializers gem, which defines a custom Grape AMS formatter.
Grape has built-in Basic and Digest authentication.
http_basic do |username, password|
# verify user's password here
{ 'test' => 'password1' }[username] == password
end
http_digest({ realm: 'Test Api', opaque: 'app secret' }) do |username|
# lookup the user's password here
{ 'user1' => 'password1' }[username]
end
Use warden-oauth2 or rack-oauth2 for OAuth2 support.
Grape routes can be reflected at runtime. This can notably be useful for generating documentation.
Grape exposes arrays of API versions and compiled routes. Each route
contains a route_prefix
, route_version
, route_namespace
, route_method
,
route_path
and route_params
. The description and the optional hash that
follows the API path may contain any number of keys and its values are also
accessible via dynamically-generated route_[name]
functions.
TwitterAPI::versions # yields [ 'v1', 'v2' ]
TwitterAPI::routes # yields an array of Grape::Route objects
TwitterAPI::routes[0].route_version # yields 'v1'
TwitterAPI::routes[0].route_description # etc.
It's possible to retrieve the information about the current route from within an API
call with route
.
class MyAPI < Grape::API
desc "Returns a description of a parameter."
params do
requires :id, type: Integer, desc: "Identity."
end
get "params/:id" do
route.route_params[params[:id]] # yields the parameter description
end
end
The current endpoint responding to the request is self
within the API block
or env['api.endpoint']
elsewhere. The endpoint has some interesting properties,
such as source
which gives you access to the original code block of the API
implementation. This can be particularly useful for building a logger middleware.
class ApiLogger < Grape::Middleware::Base
def before
file = env['api.endpoint'].source.source_location[0]
line = env['api.endpoint'].source.source_location[1]
logger.debug "[api] #{file}:#{line}"
end
end
Blocks can be executed before or after every API call, using before
, after
,
before_validation
and after_validation
.
Before and after callbacks execute in the following order:
before
before_validation
after_validation
after
Steps 4, 5 and 6 only happen if validation succeeds.
E.g. using before
:
before do
header "X-Robots-Tag", "noindex"
end
The block applies to every API call within and below the current namespace:
class MyAPI < Grape::API
get '/' do
"root - #{@blah}"
end
namespace :foo do
before do
@blah = 'blah'
end
get '/' do
"root - foo - #{@blah}"
end
namespace :bar do
get '/' do
"root - foo - bar - #{@blah}"
end
end
end
end
The behaviour is then:
GET / # 'root - '
GET /foo # 'root - foo - blah'
GET /foo/bar # 'root - foo - bar - blah'
Params on a namespace
(or whatever alias you are using) also work when using
before_validation
or after_validation
:
class MyAPI < Grape::API
params do
requires :blah, type: Integer
end
resource ':blah' do
after_validation do
# if we reach this point validations will have passed
@blah = declared(params, include_missing: false)[:blah]
end
get '/' do
@blah.class
end
end
end
The behaviour is then:
GET /123 # 'Fixnum'
GET /foo # 400 error - 'blah is invalid'
Grape by default anchors all request paths, which means that the request URL
should match from start to end to match, otherwise a 404 Not Found
is
returned. However, this is sometimes not what you want, because it is not always
known upfront what can be expected from the call. This is because Rack-mount by
default anchors requests to match from the start to the end, or not at all.
Rails solves this problem by using a anchor: false
option in your routes.
In Grape this option can be used as well when a method is defined.
For instance when your API needs to get part of an URL, for instance:
class TwitterAPI < Grape::API
namespace :statuses do
get '/(*:status)', anchor: false do
end
end
end
This will match all paths starting with '/statuses/'. There is one caveat though:
the params[:status]
parameter only holds the first part of the request url.
Luckily this can be circumvented by using the described above syntax for path
specification and using the PATH_INFO
Rack environment variable, using
env["PATH_INFO"]
. This will hold everything that comes after the '/statuses/'
part.
You can test a Grape API with RSpec by making HTTP requests and examining the response.
Use rack-test
and define your API as app
.
require 'spec_helper'
describe Twitter::API do
include Rack::Test::Methods
def app
Twitter::API
end
describe Twitter::API do
describe "GET /api/v1/statuses" do
it "returns an empty array of statuses" do
get "/api/v1/statuses"
last_response.status.should == 200
JSON.parse(last_response.body).should == []
end
end
describe "GET /api/v1/statuses/:id" do
it "returns a status by id" do
status = Status.create!
get "/api/v1/statuses/#{status.id}"
last_response.body.should == status.to_json
end
end
end
end
require 'spec_helper'
describe Twitter::API do
describe "GET /api/v1/statuses" do
it "returns an empty array of statuses" do
get "/api/v1/statuses"
response.status.should == 200
JSON.parse(response.body).should == []
end
end
describe "GET /api/v1/statuses/:id" do
it "returns a status by id" do
status = Status.create!
get "/api/v1/statuses/#{status.id}"
response.body.should == status.to_json
end
end
end
In Rails, HTTP request tests would go into the spec/requests
group. You may want your API code to go into
app/api
- you can match that layout under spec
by adding the following in spec/spec_helper.rb
.
RSpec.configure do |config|
config.include RSpec::Rails::RequestExampleGroup, type: :request, example_group: {
file_path: /spec\/api/
}
end
Because helpers are mixed in based on the context when an endpoint is defined, it can
be difficult to stub or mock them for testing. The Grape::Endpoint.before_each
method
can help by allowing you to define behavior on the endpoint that will run before every
request.
describe 'an endpoint that needs helpers stubbed' do
before do
Grape::Endpoint.before_each do |endpoint|
endpoint.stub(:helper_name).and_return('desired_value')
end
end
after do
Grape::Endpoint.before_each nil
end
it 'should properly stub the helper' do
# ...
end
end
Add API paths to config/application.rb
.
# Auto-load API and its subdirectories
config.paths.add File.join("app", "api"), glob: File.join("**", "*.rb")
config.autoload_paths += Dir[Rails.root.join("app", "api", "*")]
Create config/initializers/reload_api.rb
.
if Rails.env.development?
ActiveSupport::Dependencies.explicitly_unloadable_constants << "Twitter::API"
api_files = Dir[Rails.root.join('app', 'api', '**', '*.rb')]
api_reloader = ActiveSupport::FileUpdateChecker.new(api_files) do
Rails.application.reload_routes!
end
ActionDispatch::Callbacks.to_prepare do
api_reloader.execute_if_updated
end
end
See StackOverflow #3282655 for more information.
Grape integrates with NewRelic via the newrelic-grape gem, and with Librato Metrics with the grape-librato gem.
Grape is work of hundreds of contributors. You're encouraged to submit pull requests, propose features and discuss issues.
See CONTRIBUTING.
You can start hacking on Grape on Nitrous.IO in a matter of seconds:
MIT License. See LICENSE for details.
Copyright (c) 2010-2013 Michael Bleigh, and Intridea, Inc.
FAQs
Unknown package
We found that grape-security demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.