Need advice on API rewrite + Services (2? 3?)


We currently have a hacky API sitting on top of the Services 2 module. We're debating a rewrite of the API because the code is crufty, and I'm evaluating whether Services is still the right tool for the job and, if so, which version. Below are the features we need in our API. I'm not clear on what Services handles and what we would have to custom code ourselves. Given that we don't care about things like XML-RPC and true REST, is it worth using this module? Can anyone give me some additional thoughts on this?

Must have:
- Pseudo-REST: calls shouldn't require a different HTTP method for CRUD operations. GET or POST, as appropriate for packet size, is what we want to use.
- Our URL structure is already defined and can't change (e.g. /api/v2/users/register)
- Support output in ATOM, JSON, and RSS
- Versioning with distinct calls for different versions. Example: method A only available in v1, B available in v1 and v2 (with different implementations for each), method C available only in v2.
- Ability to handle data that is already prepared in the final output format. We have cached XML files generated by cron for some queries that are read heavy but don't need to be realtime. I want to be able to have a method look for the existence of a file and return its contents as-is, rather than generating it on the fly and formatting the data to whatever output format the user requested.
- Ability to control whether the data needs to be formatted on the fly or not per method (from previous point). Some calls will be cached and are already in the destination format, but some aren't and will need to be formatted on the fly.
- Ability to limit node/user fields per role/method
- Ability to set which fields are to be returned (from the allowed set)
- Authentication via API key as a parameter and potentially some calls with OAuth in the future
- Ability to assign roles to an API key and calls to a role, so I don't have to manually go into each key and allow a method if we allow it for all keys belonging to a certain role
- Rate limiting (e.g. X calls per Y time) per role via admin panel
- Ability to turn off a key temporarily via admin panel
- Ability to validate required parameters and formatted ones (e.g. valid email)
- Scalability is important. We can't do node_loads() in many cases due to the high number of returned nodes (~14k is our largest count, but it will only get larger).

Thanks in advance for any thoughts or advice!
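
One way the key, role, rate-limit, validation and field-filtering requirements listed above could fit into a single request gate, as an added example that is not part of the original post and is not Services module code. It is plain PHP with no Drupal calls; the role and key tables, `api_gate()`, the key strings and the `mail` and `fields` parameters are all hypothetical, and the limit is assumed to be configured per role and counted per key.

```php
<?php
// Added example: every name and sample value below is hypothetical and constructed.
// Role table: permitted methods, the fields each may return, and "X calls per Y seconds".
$roles = [
  'partner' => [
    'methods' => ['v2/users/register' => ['uid', 'name', 'mail']],
    'limit' => ['calls' => 2, 'window' => 60],
  ],
];
// Key table: each key maps to a role and can be switched off without being deleted.
$keys = [
  'KEY-ENABLED-EXAMPLE' => ['role' => 'partner', 'enabled' => TRUE],
  'KEY-DISABLED-EXAMPLE' => ['role' => 'partner', 'enabled' => FALSE],
];
$hits = []; // In-memory counters; several web servers would need a shared store.

function api_gate(array $req, array $roles, array $keys, array &$hits, int $now): array {
  $key = $req['api_key'] ?? '';
  if (!is_string($key) || !isset($keys[$key]) || !$keys[$key]['enabled']) {
    return ['status' => 401, 'error' => 'unknown or disabled key'];
  }
  $role = $roles[$keys[$key]['role']];
  $method = $req['method'] ?? '';
  if (!is_string($method) || !isset($role['methods'][$method])) {
    return ['status' => 403, 'error' => 'method not allowed for role'];
  }
  // Fixed-window counter per key, using the limit configured on the key's role.
  $bucket = $key . ':' . intdiv($now, $role['limit']['window']);
  $hits[$bucket] = ($hits[$bucket] ?? 0) + 1;
  if ($hits[$bucket] > $role['limit']['calls']) {
    return ['status' => 429, 'error' => 'rate limit exceeded'];
  }
  // Required parameter with a format check (arrays and missing values both fail).
  if (filter_var($req['mail'] ?? '', FILTER_VALIDATE_EMAIL) === FALSE) {
    return ['status' => 400, 'error' => 'mail is required and must be a valid address'];
  }
  // Requested fields are intersected with the role's allowed set, never used as given.
  $raw = $req['fields'] ?? '';
  $wanted = is_string($raw) ? array_filter(explode(',', $raw)) : [];
  $allowed = $role['methods'][$method];
  $fields = $wanted ? array_values(array_intersect($allowed, $wanted)) : $allowed;
  return ['status' => 200, 'fields' => $fields];
}

// Three calls inside one 60-second window; the request also asks for a field ("pass")
// that is outside the role's allowed set.
$req = ['api_key' => 'KEY-ENABLED-EXAMPLE', 'method' => 'v2/users/register',
  'mail' => 'user@example.com', 'fields' => 'name,pass'];
foreach ([1000, 1001, 1002] as $t) {
  echo json_encode(api_gate($req, $roles, $keys, $hits, $t)), "\n";
}
```

The checks run cheapest-first and the counter is incremented before parameter validation, so malformed requests still count against the caller's quota.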
