Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x-correlator_support_guidelines_in_notifications #170

Merged
merged 2 commits into from
Apr 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 52 additions & 2 deletions artifacts/notification-as-cloud-event.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -57,14 +57,14 @@ servers:
default: https://localhost:8080
description: Can be any notification server address sent by the client application
tags:
- name: Cloud Event
- name: CAMARA Cloud Event
description: |
Events received on subscription listener side.
paths:
/your_webhook_notification_url:
post:
tags:
- CAMARA Cloud Event notification endpoint
- CAMARA Cloud Event
summary: "Cloud Event notification endpoint to notify consumer that statement of fact had occurred"
description: |
INFORMATIVE ENDPOINT: The value of this endpoint is freely declared by each client app by means of resource-based
Expand All @@ -73,6 +73,8 @@ paths:
in the triggering of the procedure (resource-based or instance-based). In this way, it represents an absolute
URL, i.e.: notifications won't be sent to /event-notification/vX/your_webhook_notification_url.
operationId: sendEvent
parameters:
- $ref: "#/components/parameters/X-Correlator"
requestBody:
required: true
content:
Expand All @@ -86,12 +88,24 @@ paths:
responses:
201:
description: Created
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
202:
description: Accepted
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
204:
description: No Content
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
200:
description: Ok
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand Down Expand Up @@ -192,10 +206,25 @@ components:
description: Event details payload described in each CAMARA API and referenced by its type
time:
$ref: "#/components/schemas/DateTime"
headers:
X-Correlator:
description: Correlation id for the different services
schema:
type: string
parameters:
X-Correlator:
name: X-Correlator
in: header
description: Correlation id for the different services
schema:
type: string

responses:
Generic400:
description: Problem with the client request
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -206,6 +235,9 @@ components:
message: "Client specified an invalid argument, request body or query param"
Generic401:
description: Authentication problem with the client request
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -216,6 +248,9 @@ components:
message: "Request not authenticated due to missing, invalid, or expired credentials"
Generic403:
description: Client does not have sufficient permission
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -226,6 +261,9 @@ components:
message: "Client does not have sufficient permissions to perform this action"
Generic410:
description: Gone
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -235,6 +273,9 @@ components:
message: "Access to the target resource is no longer available."
Generic415:
description: Unsupported Media Type
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -244,6 +285,9 @@ components:
message: "The specified media type is not supported"
Generic429:
description: Too Many Requests
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -253,6 +297,9 @@ components:
message: "Endpoint does not support as many requests per time slot"
Generic500:
description: Server error
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand All @@ -263,6 +310,9 @@ components:
message: "Server error"
Generic503:
description: Service unavailable. Typically the server is down.
headers:
X-Correlator:
$ref: "#/components/headers/X-Correlator"
content:
application/json:
schema:
Expand Down
2 changes: 2 additions & 0 deletions documentation/API-design-guidelines.md
Original file line number Diff line number Diff line change
Expand Up @@ -850,6 +850,8 @@ With the aim of standardizing the request observability and traceability process

When the API Consumer includes the "X-Correlator" header in the request, the API provider must include it in the response with the same UUID as was used in the request. Otherwise, it is optional to include the "X-Correlator" header in the response with any valid (preferably randomly chosen) UUID.

In notification scenarios (i.e. POST request sent towards the listener to the `webhook.notificationUrl` indicated), the use of the "X-Correlator" is supported for the same aim as well. When the API request includes the "X-Correlator" header, it is recommended for the listener to include it in the response with the same value as was used in the request. Otherwise, it is optional to include the "X-Correlator" header in the response with any valid value.

## 10. Security

One of the key points in the API definition process is to specify and validate the security needs that will be maintained to guarantee data integrity and access control. There are multiple ways to secure a RESTful API, e.g. basic authentication, OAuth, etc., but one thing is for sure: RESTful APIs should be stateless, so authentication/authorization requests should not rely on cookies or sessions. Instead, each API request must come with some form of authentication credentials that must be validated on the server for each request.
Expand Down