The edge version of Spree has just been updated with a newly refactored implementation of the REST API. Most of these changes involve behind the scenes implementation details as well as improved test coverage. There are, however, a few non trivial changes that you should be aware of if you rely on older versions of the REST API.
New Authentication Mechanism
The most significant change to the REST API is related to authentication. The recent adoption of Devise for authentication in general has resulted in new opportunities to improve authentication for the API specifically.
Prior to Spree 0.40.x the old method of authentication was to pass an authentication token in the header. This involved using the specially designated
X-SpreeAPIKey header and passing a corresponding token value. The new approach is to use standard
HTTP_AUTHORIZATION which is already nicely implemented by Devise.
If you were using curl you could achieve this authentication as follows:
<p>curl -u V8WPYgRdSZN1mSQG17sK:x /<br /> http://example.com/api/orders.json</p>
Note that we are using the token as the "user name" and passing "x" as a password here. There is nothing special about "x", its just a placeholder since many HTTP Basic Authentication implementations require a password to be submitted. In our case the token is sufficient so we use a placeholder for the password.
Support for .json Suffix
It is now recommended that you consider using a
.json suffic in your URL when communicating via the REST API. This is technically not a new feature – it was always possible in older versions of the REST API. We’ve updated the documentation to suggest this simpler apporach (which avoids the necessity of passing
Accept:application/json in the header.)
<p>curl -u V8WPYgRdSZN1mSQG17sK:x http://example.com/api/orders.json</p>