API interface knowledge Summary

An Application Programming Interface (API) is an agreed contract through which one system exposes a specific service or capability to another system. It covers the interaction points between a system and external systems (for example a back-office system), as well as the services a system provides to other systems internally. Interfaces are therefore grouped into external interfaces and internal interfaces, and internal interfaces further into interfaces between upstream and downstream services and interfaces between peer services.

This article looks at interfaces from the product manager's angle. If you do not want the engineers to see you as a requirements porter who understands nothing technical, a clear understanding of interfaces is necessary.

The most common web interface is an HTTP/HTTPS interface, used to call external systems or to serve a front end. Because the address of such an interface is exposed to the outside, it needs a higher level of security verification. There are also cross-system interfaces built on RPC frameworks (often open-source ones), used mainly for calls between the various systems inside a large company's internal network; these have stronger service governance and lower call latency. The discussion below uses HTTP interfaces as the example.

I. Interface request types
Common HTTP request methods include GET (read), POST (create), PUT (update) and DELETE (delete). Which method an interface uses is determined by the business operation. For example, when you open Taobao, the home page contents are fetched through GET interfaces; when you pick a product and place an order, or add a delivery address, POST interfaces are used. These two are also the most common interface types.

1) GET interfaces
Format: the request parameters are written into the URL itself. A "?" separates the path from the parameters, and multiple parameters are joined with "&", for example /orders?status=paid&page=2.

Scenario: GET interfaces are used to obtain information, mostly for querying data, such as menu lists, search results, order enquiries and coupon lists, or whenever another system needs data returned. The amount of data requested is generally small and returns quickly, but because the parameters sit in the URL they are exposed (in browser history, proxy and server access logs, and the Referer header), so sensitive values such as passwords or tokens should not be passed this way.

2) POST interfaces
Description: used to submit data in the request body (such as submitting a form or uploading a file); a POST request may lead to the creation of a new resource at the specified resource location.

Scenario: functions such as registration, uploading and posting. Such requests carry larger data volumes and have higher security requirements.

Other methods such as PUT (update), DELETE (delete) and PATCH (partial update) are used less often and are not covered further here.

II. Interface response mechanisms
Interfaces are divided, by how the result is returned, into synchronous interfaces and asynchronous interfaces.

1) Synchronous interaction
The caller sends a request and must wait for the response before it can send the next request; there is a waiting step.

For example, during login the login interface verifies the credentials, and the caller must wait for the returned result (user name, encrypted password, token and similar fields) before the login can succeed.

2) Asynchronous interaction
The caller sends a request without waiting for the result and is immediately ready to send the next request; there is no waiting.

For example, when a user claims coupons, the claim only needs to record that the user's request was accepted successfully; the asset system then issues the coupon asynchronously after receiving the request, so the caller does not wait for the outcome of each request.

Difference: one needs to wait and the other does not. Because not waiting does not compromise the user experience, project development generally prefers the asynchronous mode where the business allows it.

When is synchronous interaction recommended? Where the caller cannot proceed without the result, for example user login, bank transfer systems and database save operations; the remaining cases prefer asynchronous interaction.

III. Interface trigger forms
1) Distribution interfaces
When a system generates new data, it distributes the data to the other systems that need it (possibly several).

The core idea of a middle-platform (zhongtai) system is high cohesion and low coupling, so distribution interfaces are common. For example, a channel system manages all channel data, and other systems such as the commodity system and the promotion system often use the channel information. Whenever a new channel appears or a channel changes, the change must be distributed to every system that integrates with it, so that all of them support the latest channels.

2) Subscription interfaces
A system subscribes to the data it needs from other systems and is notified whenever that data is produced.

For example, the order system generates orders, and many external systems may need timely access to order status. The order system does not know which systems the data should be distributed to, so it pushes the order to a specific message queue such as Kafka; the systems that need follow-up order status subscribe to the queue, receive the messages, and can even fetch the full order information to trigger their next action.
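The difference between the two trigger forms (and between the synchronous fan-out of a distribution interface and the asynchronous delivery of a subscription interface) is easiest to see in code. The following in-memory model is an added example and is not code from the original post; the system names, topic name and messages are constructed stand-ins for the channel, commodity, promotion and order systems mentioned above.

```python
"""Distribution vs. subscription interfaces, modelled in memory.

Added example, not from the original post. "ChannelSystem" pushes to
consumers it was configured with (distribution); "MessageQueue" lets
producers publish to a topic without knowing the subscribers
(subscription, delivered asynchronously when the queue is drained).
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Handler = Callable[[dict], None]


class ChannelSystem:
    """Distribution interface: the producer knows every consumer and
    calls each one directly when a channel is created or changed."""

    def __init__(self) -> None:
        self.consumers: List[Handler] = []  # commodity system, promotion system, ...

    def register_consumer(self, handler: Handler) -> None:
        self.consumers.append(handler)

    def change_channel(self, channel: dict) -> int:
        # Synchronous fan-out: the caller waits until every consumer has been called.
        for consumer in self.consumers:
            consumer(channel)
        return len(self.consumers)


class MessageQueue:
    """Subscription interface: producers publish to a topic; consumers
    subscribe on their own initiative and are served later, so publish()
    returns without waiting for any consumer."""

    def __init__(self) -> None:
        self.subscribers: Dict[str, List[Handler]] = defaultdict(list)
        self.pending: List[Tuple[str, dict]] = []

    def subscribe(self, topic: str, handler: Handler) -> None:
        self.subscribers[topic].append(handler)

    def publish(self, topic: str, message: dict) -> None:
        # Returns immediately; delivery happens in drain() (stands in for the broker).
        self.pending.append((topic, message))

    def drain(self) -> int:
        """Deliver every queued message to its subscribers; returns the delivery count."""
        delivered = 0
        while self.pending:
            topic, message = self.pending.pop(0)
            for handler in self.subscribers.get(topic, []):
                handler(message)
                delivered += 1
        return delivered


def demo() -> dict:
    """Run both trigger forms on constructed data and report what each system saw."""
    received: Dict[str, List[str]] = {
        "commodity": [], "promotion": [], "logistics": [], "notify": []
    }

    # Distribution: the channel system pushes to the systems it was configured with.
    channels = ChannelSystem()
    channels.register_consumer(lambda c: received["commodity"].append(c["id"]))
    channels.register_consumer(lambda c: received["promotion"].append(c["id"]))
    fanout = channels.change_channel({"id": "ch-42", "name": "app-store"})

    # Subscription: the order system publishes; subscribers decide to listen.
    mq = MessageQueue()
    mq.subscribe("order.status", lambda m: received["logistics"].append(m["order_id"]))
    mq.subscribe("order.status", lambda m: received["notify"].append(m["order_id"]))
    mq.publish("order.status", {"order_id": "o-1001", "status": "PAID"})
    logistics_before_drain = len(received["logistics"])  # nothing delivered yet
    delivered = mq.drain()

    return {
        "fanout": fanout,
        "logistics_before_drain": logistics_before_drain,
        "delivered": delivered,
        "received": received,
    }


if __name__ == "__main__":
    print(demo())
```

The producer in the subscription case never references the logistics or notification systems; adding a new subscriber requires no change to the order system, which is the low-coupling property the text attributes to message queues.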

IV. Other basic components of an API interface
Once the business is established and the request type and response mechanism are determined, the remaining components of an interface can be understood using the WeChat Pay API as an example.

1) Scenarios
As the name implies, this is the scenario the interface is suited to, i.e. the clear business purpose of the interface.

2) Input and output parameters

Input parameters are the variables carried by the interface request. They include required parameters and optional parameters, and the optional ones should not be overlooked. In the WeChat Pay parameter list, for example, the signature type is not mandatory: if it is not passed, the signature type defaults to MD5, but if a different signature type is to be used, it must be passed. Output parameters are the fields the interface returns. In an ordinary order enquiry, if the optional time parameter is omitted the result is all of the user's orders; with it, only the user's orders in the specified time range are returned.

3) Error codes
An interface request does not always succeed, so during interface development the likely failure causes should be distinguished by error code; when a call fails, the developer can then locate the problem from the error code returned. If the error codes are not comprehensive enough, a failed call requires repeated troubleshooting and development efficiency drops.
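How required parameters, optional parameters with defaults and distinguishable error codes fit together is shown by the following validator. It is an added example, not code from the original post or from WeChat Pay; the parameter names loosely follow the WeChat Pay order-query style, but the specification, default values and error codes are constructed for illustration.

```python
"""Input-parameter validation with required/optional parameters and error codes.

Added example, not from the original post. The spec, defaults and error
codes are constructed; sign_type mirrors the text (optional, defaults to
"MD5", must be passed only when another signature type is wanted).
"""
from typing import Dict, Optional, Tuple

# Constructed spec: parameter name -> (required?, default value or None).
ORDER_QUERY_SPEC: Dict[str, Tuple[bool, Optional[str]]] = {
    "appid": (True, None),
    "mch_id": (True, None),
    "out_trade_no": (True, None),
    "nonce_str": (True, None),
    "sign_type": (False, "MD5"),   # optional; default applies when absent
    "start_time": (False, None),   # optional; absent means "all of the user's orders"
}
ALLOWED_SIGN_TYPES = {"MD5", "HMAC-SHA256"}

# Constructed error codes: one code per distinguishable failure cause.
SUCCESS, MISSING_PARAM, UNKNOWN_PARAM, INVALID_SIGN_TYPE = 0, 1001, 1002, 1003
MESSAGES = {
    SUCCESS: "SUCCESS",
    MISSING_PARAM: "MISSING_PARAM",
    UNKNOWN_PARAM: "UNKNOWN_PARAM",
    INVALID_SIGN_TYPE: "INVALID_SIGN_TYPE",
}


def validate(params: dict, spec=ORDER_QUERY_SPEC) -> Tuple[int, str, dict]:
    """Return (code, message, normalized params).

    The message names the offending parameter so a failed call can be
    located from the response alone, without guessing."""
    normalized: dict = {}
    for name, (required, default) in spec.items():
        if name in params:
            normalized[name] = params[name]
        elif required:
            return MISSING_PARAM, f"{MESSAGES[MISSING_PARAM]}: '{name}' is required", {}
        elif default is not None:
            normalized[name] = default          # fill in the documented default
    unknown = set(params) - set(spec)
    if unknown:
        return UNKNOWN_PARAM, f"{MESSAGES[UNKNOWN_PARAM]}: {sorted(unknown)}", {}
    if normalized["sign_type"] not in ALLOWED_SIGN_TYPES:
        return (INVALID_SIGN_TYPE,
                f"{MESSAGES[INVALID_SIGN_TYPE]}: {normalized['sign_type']!r}", {})
    return SUCCESS, MESSAGES[SUCCESS], normalized


if __name__ == "__main__":
    req = {"appid": "wx-demo", "mch_id": "1000", "out_trade_no": "o-1001",
           "nonce_str": "5K8264ILTKCH16CQ"}
    print(validate(req))
    print(validate({k: v for k, v in req.items() if k != "mch_id"}))
```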
V. Interface security checks
After the business logic of an interface has been developed, the next thing to consider is security. The main security considerations for an interface are the following:

1) Is the source of the request legitimate?
Whether a request is legitimate must be established. The interface is external, in a public network environment, and its address is exposed, so it may receive malicious or forged requests from illegitimate sources; at the same time, a genuine caller must not be able to deny having sent a request. This is where the concept of a "signature" comes in, with its properties of sender authentication and non-repudiation. Note that a signature computed with a shared secret (the MD5 or HMAC-SHA256 signatures used by WeChat Pay, for instance) only proves that one of the two key holders produced the request; true non-repudiation requires an asymmetric signature (such as RSA) where only the sender holds the private key.

In recent years, major companies have forced the replacement of HTTP interfaces with HTTPS, precisely because of the stronger security provided by HTTPS certificates: the client can verify which server it is talking to, and the traffic is encrypted in transit.

2) Can the request be tampered with, and can the returned data be intercepted?
Because the interface is external, requests and responses cannot be transmitted in plaintext; otherwise, once maliciously intercepted, they create a serious risk. So request data and returned data need to be encrypted, so that even if the data is intercepted its content is not leaked. With HTTPS in place the transport is already encrypted; encrypting individual fields at the application level is an extra measure for data that must stay protected beyond the TLS connection (for example at intermediaries or in logs). A few common encryption methods are introduced here.

DES (Data Encryption Standard): a symmetric block cipher, fast and historically used for encrypting large amounts of data. Its 56-bit key is far too short today (it can be brute-forced), so DES should no longer be used in new systems.

3DES (Triple DES): based on DES, it encrypts each block three times with three different keys, giving higher strength than DES. It is slow and has been deprecated by NIST; AES is the current standard symmetric cipher and should be preferred.

RSA: an asymmetric (public-key) algorithm, named after its inventors Rivest, Shamir and Adleman, that supports variable key lengths and can be used both for encryption and for digital signatures. In practice RSA encrypts only small pieces of data, typically a symmetric key, and the bulk data is encrypted with a symmetric cipher.

For interfaces tied to a user account, a token is now used to protect the user's identity: when the user authenticates, the server issues a token and keeps it in a cache; subsequent requests carry the token together with a timestamp, and the combination is signed or encrypted, so that even if a request is intercepted, an attacker who does not know the token value can neither decode it nor forge a new one.

3) How to defend against interface replay, and what anti-replay means
A replay attack resends your request, unchanged, many times. Each copy passes verification and enters the normal business logic, which congests the server-side interface and can cause real losses (the same order placed or the same coupon issued repeatedly).

Anti-replay protection generally adds a timestamp and a random number (nonce) to the request parameters: the timestamp confirms that the request is recent, and a nonce that has already been seen identifies a replay attack. For this to work, both fields must be covered by the request signature (otherwise an attacker simply updates them), and the server must remember the nonces it has accepted for at least as long as the timestamp window.
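The three checks from this section (source authentication by signature, a token-style shared secret with a timestamp, and timestamp plus nonce against replay) combine into one verification path. The following is an added example and is not code from the original post or from WeChat Pay; the shared secret, the parameter names timestamp, nonce and sign, and the 300-second window are assumptions. It uses HMAC-SHA256 rather than the MD5 signature mentioned in the text, because MD5 should not be used for new signatures.

```python
"""Signed requests with timestamp + nonce, and server-side verification
that rejects tampering, stale requests and replays.

Added example, not from the original post. SECRET, WINDOW_SECONDS and the
field names are assumptions; the secret would be provisioned to each caller
out of band (it plays the role of the cached token in the text).
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

SECRET = b"shared-app-secret"   # assumed shared secret / token for one caller
WINDOW_SECONDS = 300            # assumed freshness window for the timestamp


def canonical(params: dict) -> str:
    """Deterministic string to sign: sorted keys, excluding the signature itself."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "sign"))


def sign(params: dict, secret: bytes = SECRET) -> str:
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def build_request(params: dict, now: int, nonce: Optional[str] = None) -> dict:
    """Client side: add timestamp + nonce, then sign everything."""
    req = dict(params, timestamp=now, nonce=nonce or secrets.token_hex(8))
    req["sign"] = sign(req)
    return req


class Verifier:
    """Server side. Order of checks matters: verify the signature first so that
    the timestamp and nonce being inspected are the ones the caller signed."""

    def __init__(self, secret: bytes = SECRET, window: int = WINDOW_SECONDS) -> None:
        self.secret = secret
        self.window = window
        self.seen: Dict[str, int] = {}   # nonce -> timestamp of first acceptance

    def check(self, req: dict, now: int) -> str:
        if "timestamp" not in req or "nonce" not in req:
            return "MISSING_FIELDS"
        expected = sign(req, self.secret)
        if not hmac.compare_digest(expected, str(req.get("sign", ""))):
            return "BAD_SIGNATURE"          # any edited or unsigned field lands here
        ts = int(req["timestamp"])
        if abs(now - ts) > self.window:
            return "STALE"                  # outside the freshness window
        # Forget nonces older than the window; a replay of those is already STALE.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:
            return "REPLAY"                 # same signed nonce presented again
        self.seen[req["nonce"]] = ts
        return "OK"


def demo() -> tuple:
    """Constructed exchange: a valid call, its replay, a tampered copy, a late one."""
    verifier = Verifier()
    now = 1_700_000_000
    req = build_request({"out_trade_no": "o-1001", "total_fee": 100}, now, nonce="a1b2")
    first = verifier.check(req, now)
    replayed = verifier.check(req, now + 5)
    tampered = dict(req, total_fee=1)        # amount changed, signature not recomputed
    forged = verifier.check(tampered, now)
    late = build_request({"out_trade_no": "o-1002", "total_fee": 50}, now, nonce="c3d4")
    stale = verifier.check(late, now + 600)
    return first, replayed, forged, stale


if __name__ == "__main__":
    print(demo())  # ('OK', 'REPLAY', 'BAD_SIGNATURE', 'STALE')
```

In a multi-instance deployment the nonce store must be shared (for example a cache with a TTL equal to the window) rather than kept per process, otherwise a replay routed to a different instance would be accepted.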

VI. Interface performance
An interface with a large volume of traffic must be stress tested before going live, because ordinary developer self-testing and production simulation cannot predict whether the interface will still run normally under high concurrency.

1) TPS
Transactions Per Second: the number of transactions (or business operations) the system processes per second, an important measure of the system's processing capacity.

2) RT
Response time: the time elapsed from the client sending the request to the client receiving the response returned by the server. It consists of three parts: the transmission time of the request from the client, the server's processing time, and the transmission time of the response over the network.

3) Throughput
The total amount of data transferred over the network during the performance test.

Response time needs little explanation: if it is too long it hurts the user experience, and even under high concurrency the response time must still be kept as low as possible, usually under 5 s.

TPS is the indicator for high concurrency. An interface generally provides a service to many callers, so it must be designed for the number of concurrent requests in the most extreme case. These numbers usually come from event planning and from trend forecasts based on operational data for the period; they are the basis for guaranteeing that the interface supports the highest expected concurrency, and stress tests are used to verify it. Under normal circumstances, if an interface sustains 2000 TPS in the stress test, it can be expected to handle 2000 transactions per second in production.
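TPS, response time and throughput are easy to compute from the raw request records a load-test tool produces, and computing them yourself shows what the numbers mean. The following is an added example, not code from the original post; the eight request samples (start time, end time, response size) are constructed, and the 5 s limit is the one stated in the text.

```python
"""TPS, response-time statistics and throughput from load-test samples.

Added example, not from the original post. SAMPLES is constructed data:
(start_seconds, end_seconds, response_bytes) for each completed request.
"""
import math
from statistics import mean
from typing import List, Tuple

Sample = Tuple[float, float, int]

SAMPLES: List[Sample] = [
    (0.00, 0.12, 2048), (0.05, 0.20, 2048), (0.10, 0.35, 4096), (0.50, 0.58, 1024),
    (1.00, 1.40, 2048), (1.10, 1.25, 2048), (1.50, 2.30, 8192), (1.80, 1.95, 2048),
]


def response_times(samples: List[Sample]) -> List[float]:
    """RT per request: client send time to client receive time (rounded to ms)."""
    return [round(end - start, 3) for start, end, _ in samples]


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile, p in 0..100 (p95 = value 95% of requests stay under)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def measured_window(samples: List[Sample]) -> float:
    """Wall-clock span of the test: first request start to last request end."""
    window = max(e for _, e, _ in samples) - min(s for s, _, _ in samples)
    if window <= 0:
        raise ValueError("need samples spanning a positive time window")
    return window


def tps(samples: List[Sample]) -> float:
    """Transactions completed per second over the measured window."""
    return len(samples) / measured_window(samples)


def throughput_bytes_per_sec(samples: List[Sample]) -> float:
    """Total data transferred divided by the measured window."""
    return sum(size for _, _, size in samples) / measured_window(samples)


def summarize(samples: List[Sample], rt_limit: float = 5.0, target_tps: float = 0.0) -> dict:
    """Summary a release checklist would look at: does RT stay under the limit,
    and does the measured TPS reach the forecast target?"""
    rts = response_times(samples)
    measured_tps = tps(samples)
    return {
        "requests": len(samples),
        "tps": measured_tps,
        "rt_avg": mean(rts),
        "rt_p50": percentile(rts, 50),
        "rt_p95": percentile(rts, 95),
        "rt_max": max(rts),
        "throughput_Bps": throughput_bytes_per_sec(samples),
        "rt_within_limit": max(rts) <= rt_limit,
        "meets_target_tps": measured_tps >= target_tps,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES, target_tps=3.0).items():
        print(f"{key:18} {value}")
```

The p95 matters more than the average for a user-facing interface: in the constructed data the average RT is about 0.26 s while one request in eight takes 0.8 s, which an average alone would hide.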

VII. What interface testing needs to cover
Interface testing is usually black-box (or grey-box) testing against the interface contract: it establishes whether the system's output capability is clear and whether the service coverage meets the requirements, and it exercises the business logic through the interface parameters.

1) Input parameters that do not meet the requirements need clear error codes, error messages and logs, so that the failure is reproducible and the problem easy to locate.

2) If a parameter is processed further down the logic chain, that link must be verified too. For example, when a user buys a NetEase Cloud Music membership, the order creates an entitlement in the entitlement system and the user receives an SMS saying the entitlement succeeded. The entitlement interface and the order information carry no mobile phone number, so although the phone number is not an input parameter, the entitlement system must look it up from the user's account before it can send the SMS, and the test has to cover that lookup and the SMS action.

Other verification objectives, such as whether code coverage, performance and security indicators meet the requirements, are more specialised test metrics.

Source: blog.51cto.com/14658992/2463979