Geek Answers Handbook

How to create a URL to return data from the current user in the REST API?

I have a REST based service where a user can return a list of their books (this is a private list).

Currently URL ../api/users/{userId}/books

On each call, they will also deliver the previously set authentication token.

My question (s):

  • userId provide URL redundancy? When we receive a token with each call, we can find out which user is making the call and returning his list of books. userId is not strictly required.

  • Would remove the userId break REST tags because /users/books/ looks like it should return all books for all users?

  • Should I just bite the bullet and check it for a token, and then check that the token belongs to the same userId ?

+6
source share
3 answers

Short answer

You can use me in the url to refer to the current user. With this approach, you will have a URL like this: /users/me/books .

Answer to every question

userId provide URL redundancy? When we receive a token with each call, we can find out which user is making the call and returning his list of books. userId is not strictly required.

You can do the following: /users/me/books . Where me refers to the current user. This is easier to understand than /users/books , which can be used to return all books from users.

For some flexibility, besides /users/me/books , you can support /users/{userId}/books .

The URL /users/me can be used to return data from the current user. Many APIs such as StackExchange , Facebook , Spotify, and Google+ take this approach.

Would remove the userId break REST tags because /users/books/ looks like it should return all books for all users?

I do not think that this violates any REST principles, but I think that your resources will not be properly allocated. As I said above, I would use /users/me/books , as well as support for /users/{userId}/books .

Should I just bite the bullet and check it for a token, and then check that the token belongs to the same userId ?

When using the userId in the URL to request personal information from the user, there is no harm in checking whether the token belongs to the user with the userId included in the URL.

+6
source

I don’t think that deleting userId will break any REST principles, because in the end / users and their / books open it a little for interpretation, and REST basically says nothing about it, on the other hand, if you are going to stay with the id inside the request, you SHOULD check that the user id matches the connected user, anyway, for me 1 is redundant because you already have this information, plus every time you are going to do useless checks, because in l In any case, an authenticated userId is one that you will trust in all cases.

Best wishes

0
source

REST are resources oriented in this way, at your point, what a user or resource book is. My point is a book. And I think you can request these resources / APIs / books? User = {} user ID But this URL cannot solve your permission problem, so you need to do this in your code with token information that you can get with OAuth2 protocol or any other.

-1
source

More articles:


All Articles