Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to design URL to return data from the current user in a REST API?

Tags:

rest

restful-authentication

I have a REST based service where a user can return a list of their own books (this is a private list).

The URL is currently ../api/users/{userId}/books

With each call they will also be supplying an authentication token supplied earlier.

My question(s) is:

  1. Is supplying the userId in the URL redundant? As we get a token with each call we can find out which user is performing the call and return their list of books. The userId is not strictly required.

  2. Would removing the userId break REST principles as /users/books/ looks like it should return all books for all users?

  3. Should I just bite the bullet and authenticate them against the token and then check that the token belongs to the same userId?

like image 961
ADringer Avatar asked Jan 12 '16 11:01

ADringer

People also ask

What is the recommended method and URL pattern for retrieving a specific user?

The GET /api/v2/users/{id} endpoint allows you to retrieve a specific user using their Auth0 user ID. This endpoint is immediately consistent, and as such, we recommend that you use this endpoint for: User searches run during the authentication process.

Which REST URI is used to retrieve all the users?

Last Updated October 27, 2022. This REST API is used to retrieve all the users of CA NIM SM.

1 Answers

Short answer

You could use me in the URL to refer to the current user. With this approach, you would have a URL as following: /users/me/books.

An answer for each question

Is supplying the userId in the URL redundant? As we get a token with each call we can find out which user is performing the call and return their list of books. The userId is not strictly required.

You could consider doing something like this: /users/me/books. Where me refers to the current user. It's easier to understand than /users/books, which can be used to return all books from the users.

For some flexibility, besides /users/me/books, you could support /users/{userId}/books.

The URL /users/me can be used to return data from the current user. Many APIs, such as StackExchange, Facebook, Spotify and Google+ adopt this approach.

Would removing the userId break REST principles as /users/books/ looks like it should return all books for all users?

I don't think it will break any REST principles, but I think your resources will not be properly indetified. As I answered above, I would use /users/me/books and also support /users/{userId}/books.

Should I just bite the bullet and authenticate them against the token and then check that the token belongs to the same userId?

When using the userId in the URL to request private information from a user, there's no harm in checking if the token belongs to the user with the userId included in the URL.

like image 171
cassiomolin Avatar answered Sep 22 '22 23:09

cassiomolin
Sign in to Comment

Related questions

REST HTTP response code for missing parent resource
Angular Material - mat-table not rendering data from rest api
REST returning an object graph
Rest Web Service with App Engine and Webapp
Writing unit tests for a REST-ful API [closed]
How to output the generated request and response from Groovy RestClient?
Does Netsuite have a RESTful API? [closed]
Looking for inverse of url_for in Flask
Is that RESTful to limit resource's field visibility per authenticated user Role?
Return complex object in REST Web API call
Does Tomcat support JAX-RS out of the box (is it JAX-RS aware)?
Swagger ui - Query param
How to delete artifacts with classifier from Nexus using REST API?
Which python framework will be suitable to rest api only
how to do friendly base url for swagger 2.8.0
Get all organizations in Azure DevOps using REST API
Drupal as backend for RESTful API?
RESTful produces binary file
How to integrate JAX-RS with CDI in a Servlet 3.0 container
NodeJS/express - security for public API endpoint

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!