How Sugar REST API versioning works

Sugar v11 REST API

In order to support some cool new dashboard features, we made some enhancements to our Dashboard APIs in the Fall ’17 release. So we added a new REST API version, v11, in that release in order to ensure clients and integrations that were using the existing v10 Dashboard APIs would continue to work properly. For more details on the v11 API, we recommend you check out a recording of our recent Fall ’17 release developer webinar and the related migration guide.

Today we won’t focus on version 11 specifically but instead on how the Sugar platform will be handling REST API versioning in the future. So read on!

Passing API version using HTTP Header

For REST v10 and our older web services frameworks, the API version was specified exclusively via the URL.

Example 1)

GET <sugar>/rest/v10/me

In the Fall ’17 (7.10) release, we introduced an additional way to specify the API version: using an HTTP header. This change allows resource URLs to be treated as unique identifiers to resources regardless of the API version in use.

The REST API version can now be specified via HTTP Accept header. The REST API version should be specified in either the URL or in the HTTP Accept header but not in both locations at once. This new method of specifying the API version in the HTTP Accept header better adheres to RESTful architectural principles. By essentially encapsulating the API version as part of media type, a single resource at a given URL could offer multiple representations using different data formats and API versions.

Example 2)

GET <sugar>/rest/me
...
Accept: application/vnd.sugarcrm.core+json; version=42

We recommend that client start specifying the API version in the Accept header instead of as a component of the URL. Sugar clients will adopt use of the Accept header in the future.

Future use of semantic versioning in REST API

As you probably have noticed, the REST API version is a property of the Sugar REST API as a whole and not individual endpoints.

We plan to implement a semantic versioning policy with MAJOR.MINOR format for the REST API next year.

The version will be specified in the request Accept header as MAJOR.MINOR (ex. 11.1) whereas the version in the endpoint url will be specified as MAJOR_MINOR (ex. 11_1).

The Sugar REST API MAJOR version will be incremented for each Sugar release where compatibility is being broken on any endpoint. The Sugar REST API MINOR version will be incremented for each Sugar release where an API endpoint is changed or additional API endpoints are being added without breaking compatibility.

Not every new Sugar release will result in new REST API versions. Our intent is to only add new features or make breaking changes to our REST API only when it is not possible or prudent (ex. for performance reasons) to do so with the current API.

When there is a breaking change, older API versions should continue to work as-is. For example, if a parameter was removed in newer version, the old version should still support that parameter.

What are breaking and non-breaking changes?

We want to be clear about what we consider to be an API breaking change and what is not.

Breaking Changes

• Removing or renaming an endpoint, a request parameter, or a fixed response field
  • For example, removing the GET /rest/v10/<module> endpoint or renaming the _acl field to _access_control.
• Removing support for a HTTP request method on an endpoint
  • For example, changing from PUT to PATCH method for updating records.
• Change in type for a request parameter
  • For example, a change from an Integer to Decimal value.
• Change in response field format
  • For example, a change in encoding for a response field from plaintext to base64.
• Semantic changes to request parameters
  • For example, a change from treating the % symbol as a literal instead of as a wildcard or a change in default value.
• Semantic changes to an API endpoint
  • For example, an endpoint that was documented to return all records by default and now returns no records by default.

Non-breaking Changes

• Metadata related changes in behavior
  • For example, when Sugar metadata (Vardefs, Viewdefs, etc.) changes are introduced during a Sugar release or as a result of a customization then REST API responses can vary as a result.
• Adding a new endpoint
  • For example, adding a GET rest/Accounts/:id/map endpoint.
• Adding a parameter to a request
  • For example, adding a boolean parameter called shorten_text that decides if long text fields are shortened to 200 characters.
• Adding a field to a response
  • For example, adding a _self field with link to resource URI in GET responses.
• Adding support for another HTTP request method
  • For example, adding support for PATCH method to an endpoint.

If you ever encounter a situation where there is a breaking change on a particular API version between future Sugar releases, then please report those issues via the Sugar Support portal.

Deprecation process for old API versions

Old REST API versions will continue to be supported until at least one year after they have been deprecated. We want to exercise good judgement on how quickly we remove old API versions but please understand that SugarCRM cannot indefinitely support an unlimited number of REST API versions.

What should you do?

1. When building new Sugar clients or integrations or updating existing ones, adopt the latest available REST API version possible in order to take advantage of all the latest features.
2. Use the HTTP Accept header to specify REST API version when using Sugar Fall ’17 release or later.
3. Monitor the release notes and documentation on each new Sugar release for deprecation notices on old API versions. Keep our customers safe by planning ahead!

A new Sugar UX coming in Winter ’18

Please visit this post at the Developer Blog’s new home if you want to leave comments.

https://community.sugarcrm.com/community/developer/blog/2017/11/29/a-new-sugar-ux-coming-in-winter-18

 

SugarCRM is on a mission to empower our users to delight their customers. To that end, we are pleased to introduce the first phase of visual restyling, and give some tips on how to work with the new UX.

Our process in developing the new UX

Sugar 7 introduced the Sidecar framework with massive user interface improvements (called SugarUX) and a modernized architecture. Since then, we have been working hard on the next iteration of SugarUX built on the Sidecar framework. Our guiding principles came from our customers and their feedback on Sidecar. A competitive analysis and feedback from customers revealed three concerns; cluttered complicated UX, inefficient unguided layout, and a drab outdated user interface.

The SugarCRM User Experience team (led by Brian Ng) launched a rigorous heuristic evaluation of the web and mobile Sugar products. Issues were identified as we evaluated key use cases and new solutions were documented. This thorough understanding of the product, customers, and the industry has helped us identify which issues to address first.

Dark gray text on light gray background led to poor legibility. Heavy blacks and gray linen added to the dated look and feel.

Sugar Mobile had a dark and drab visual design. Buttons for key actions were positioned differently on key screens.

Continue Reading…

Unknown platforms to be restricted in Winter ’18 release

Sugar uses platforms to support the needs of multiple Sugar clients.  The Sugar REST API uses the platform parameter to indicate which platform is being used.  If you’d like a refresher on what the platform parameter is and how to use it, check out this blog post.  

In Sugar 7.9, we added a new Platform extension that we advised developers to start using in the Sugar 7.9 Migration Guide.  The Platform extension allows you to indicate a particular custom platform should be allowed when the disable_unknown_platforms configuration setting is on.

Changes coming in Winter ’18 release

In the Winter ’18 release, we will be preventing REST API access to Sugar from unknown platform types.

Sugar has a configuration setting disable_unknown_platforms that controls whether or not unregistered platforms are allowed to be used when logging in using the REST API. The current default value for disable_unknown_platforms is false. In the Winter ’18 release, we will be changing the default to true, which is how it is already reflected in the documentation.

If your integration uses a custom platform, this custom platform will need to be registered in each Sugar instance or your integration will break!

Continue Reading…

Developing for Sugar On-Demand Only Releases

Sugar Fall ’17 (7.10) is now available!

You’ve heard all about this, but I’ll recap. SugarCRM’s fall 2017 release is a Sugar On-Demand only release. This is the first release that follows our new Sugar release process. Our on-premise customers will get a roll up spring release that includes features from this fall and subsequent winter release. So all of our customers will enjoy all of the same advanced features–just not all at once.

Here are some of the great developer resources available for the Sugar Fall ’17 release (also known as Sugar 7.10).

• Sugar 7.10 Developer Release Notes
• Sugar 7.10 Unit Tests (Requires Dev Tools sign-up for access)
• Sugar 7.10 Developer Guide that includes an updated Migration Guide
• Sugar 7.10 Developer Webinar Recording

Last, but not least, we will be providing developer downloads of On-Demand releases such as 7.10 that can be used by Sugar developers for code development and test purposes.

Continue Reading…

Upcoming security changes to Sugar

In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a 3rd party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 7.7.0.0 and 7.7.1.0. Both of these frameworks offer “soft” failure modes that will log warnings into the sugarcrm.log instead of fatal exceptions.

Input Sanitization Soft Failures

CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recent reported vulnerabilities make it clear that it is time to take the next step to more strictly enforce input sanitization.

SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time which will break customizations or integrations that have not adopted CSRF form authentication or pass that do not pass input validation.

Strict enforcement of Input Validation and CSRF Form Authentication

You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation ‘validation.soft_fail’ flag as well as the CSRF ‘csrf.soft_fail_form‘ flag.

Sugar Cloud has disabled soft failure modes by default but for Sugar On-Site you can adjust these settings for yourself. Add the following lines to your config_override.php file.

$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;

Strictly enforced checks

In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers using characters that are not part of the POSIX portable filename character set.

Also recall the disable_unknown_platforms configuration setting affects the use of platforms. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.

What you need to do to prepare customizations

In development instances,

Set validation.soft_fail setting to false.

Set disable_unknown_platforms setting to true.

Then run regression tests on your integrations and customizations to very they still work.

In production instances,

Enable warn log level to collect and analyze any input validation or platform name violation warnings.

Other Resources

Slides from the UnCon 2016 session on Sugar’s input validation framework are also available in the Sugar Community.

More information about best practices for using the Platform parameter can also be found on a previous post on this blog.

 

Get your hot hands on the Sugar Mobile SDK!

Greg Khanlarov, Director of Mobile Development, is so excited about the launch of the new Sugar Mobile SDK that he is speechless!

If you are coming to SugarCon, make sure you get your hot hands on the new Sugar Mobile SDK first! On Tuesday, you can join Greg for his presentation Sugar Mobile SDK deep dive. Next Wednesday, at the UnCon Tutorials by the Experts, you can meet Greg and other folks from our Mobile development team and learn how to build your first custom Sugar Mobile app.

Read on for more details on the Sugar Mobile SDK!

Continue Reading…

Professor Marum’s School for Gifted Coders

You have may have seen a recent video where a menacing figure was growling about Quotes customizations and a “Professor M.”

Villains hate Professor M.

 

Who is Professor M? Well me technically. But let me share with you the story.

Continue Reading…

UnCon is for CRM Heroes (and Villains)

The SugarCRM team has embraced our theme for SugarCon this year (CRM Heroes) like never before! Check out these great videos from some of SugarCRM’s best and brightest. You will meet all these heroes (and villains) at UnCon!  Register for SugarCon today!

Want to know who is this mysterious Quotes module engineer? You will have to come to find out!

More videos are below!

Continue Reading…

Meet our remarkable technical teams!

Here are a couple more UnCon promo videos from SugarCRM’s remarkable technical teams.

First off, we have a video Nick Rose, an experienced solutions architect, and also the Director of Solutions Consulting in the Americas. Come to UnCon and check out Nick’s session on the Understanding the Sugar Platform.

Next, we have the brilliant and humble Robert Gonzalez, Software Engineering Manager on the Product team. You can bet that his tutorial at UnCon will be truly remarkable!

Stay tuned for more videos from the UnCon team!

Register for SugarCon today!

The perfect way for beginners to learn about Sugar

Are you learning about Sugar for the first time?  Or maybe, it has been a while, and you want to see how the Sugar platform has evolved since the Community Edition days?

Watch the video below to learn why SugarCon and UnCon is the perfect way to get started with building on and integrating with Sugar.