Design pattern - update join table through REST API

Question

I'm struggling with a REST API design concept. I have these classes:

user:
  - first_name
  - last_name

metadata_fields:
  - field_name

user_metadata:
  - user_id
  - field_id
  - value
  - unique index on [user_id, field_id]

Ok, so users have many metadata and the type of metadata is defined in metadata_fields. Typical HABTM with extra data in the join table.

If I were to update user_metadata through a Rails form, the data would look like this:

user_metadata: {
  id: 1,
  user_id: 2,
  field_id: 3,
  value: 'foo'
}

If I posted to the user#update controller, the data would look like this:

user: {
  user_metadata: {
    id: 1,
    field_id: 3,
    value: 'foo'
  }
}

The trouble with this approach is that we're ignoring the uniqueness of the user_id/field_id relationship. If I change the field_id in either update, I'm not just changing data, I'm changing the meaning of that data. This tends to work fine in Rails because it's somewhat of a walled garden, but it breaks down when you open up an API endpoint.

If I allow this:

PATCH /api/user_metadata

Then I'm opening myself up to someone modifying the user_id or field_id or both. Similarly with this:

PATCH /api/user/:user_id/metadata

Now user_id is set but field_id can still change. So really the only way to solve this is to limit the update to a single field:

PATCH /api/user/:user_id/metadata/:field_id

Or a bulk update:

PATCH /api/user/:user_id/metadata

But with that call, we have to modify the data structure so that the uniqueness of the user_id/field_id relationship is intact:

user_metadata: {
  field_id1: 'value1',
  field_id2: 'value2',
  ...
}

I'd love to hear thoughts here. I've scoured Google and found absolutely nothing. Any recommendations?

Answer 1

As metadata belongs to a certain user /api/user/{userId}/metadata/{metadataId} is probably the clean URI for a single metadata resource of a user. The URI of your resource is already the unique-key you are looking for. There can't be 2 resources with the same URI! Furthermore, the URI already contains the user and field IDs.

A request like GET /api/user/1 HTTP/1.1 could return a HAL-like representation like the one below:

{
    "user" : {
        "id": "1",
        "firstName": "Max",
        "lastName": "Sample",
        ... 
        "_links": {
            "self" : {
                "href": "/api/user/1"
            }
        },
        "_embedded": {
            "metadata" : {
                "fields" : [{
                    "id": "1",
                    "type": "string",
                    "value": "foo",
                    "_links": {
                        "self": {
                            "href": "/api/user/1/metadata/1"
                        }
                    }
                }, {
                    "id": "2",
                    "type": "string",
                    "value": "bar",
                    "_links": {
                        "self": {
                            "href": "/api/user/1/metadata/2"
                        }
                    }
                }],
                "_links": {
                    "self": {
                        "href": "/api/user/1/metadata"
                    }
                }
            }
        }
    }
}

Of course you could send a PUT or a PATCH request to modify an existing metadata field. Though, the URI of the resource will still be the same (unless you move or delete a resource within a PATCH request).

You also have the possibility to ignore certain fields on incomming PUT requests which prevents modification of certain fields like id or _link. I'll assume this should also be valid for PATCH requests, though will have to re-read the spec again therefore.

Therefore, I'd suggest to ignore any id or _link fields contained in requests and update the remaining fields. But you also have the option to return a 403 Forbidden or 409 Conflict response if someone tries to update an ID-field.

---

UPDATE

If you want to update multiple fields within a single request, you have two options:

• Using PUT and replace the current set of fields with the new version
• Using PATCH and send the server the necessary steps to transform the current field-set to the new field-set

Example PUT:

PUT /api/user/1/metadata HTTP/1.1

{
    "metadata": {
        "fields": [{
            "type": "string", 
            "value": "newFoo"
        }, {
            "type": "string",
            "value": "newBar"
        }]
    }
}

This request would first delete every stored metadata field of the user the metadata belong to and afterwards create a new resoure for each contained field in the request. While this still guarantees unique URIs, there are a couple of drawbacks to this approach however:

• all the data which should be available after the update, even fields that do not change, need to be transmitted
• clients which have a URI pointing to a certain resource may point to a false representation. F.e. a client has retrieved /user/1/metadata/2right before a further client updated all the metadata, the IDs are dispatched via auto-increment, the update however introduced a new second item and therefore moved the former 2 to position 3, client1 has now a reference to /user/1/metadata/2 while the actual data is /user/1/metadata/3 however. To prevent this, unique UUIDs could be used instead of autoincrement IDs. If client 1 later on tries to retrieve or update former resource 2, his can be notified that the resource is not available anymore, even a redirect to the new location could be created.

Example PATCH:

A PATCH request contains the necessary steps to transform the state of a resource to the new state. The request itself can affect multiple resources at the same time and even create or delete other resources as needed.

The following example is in json-patch+json format:

PATCH /api/user/1/metadata HTTP/1.1

[
    { 
        "op": "add", 
        "path": "/0/value", 
        "value": "newFoo" 
    },
    { 
        "op": "add", 
        "path": "/2", 
        "value": { "type": "string", "value": "totally new entry" } 
    },
    { 
        "op": "remove", 
        "path": "/1" 
    },
]

The path is defined as a JSON Pointer for the invoked resource.

The add operation of the JSON-Patch type is defined as:

• If the target location specifies an array index, a new value is inserted into the array at the specified index.
• If the target location specifies an object member that does not already exist, a new member is added to the object.
• If the target location specifies an object member that does exist, that member's value is replaced.

For the removal case however, the spec states:

If removing an element from an array, any elements above the specified index are shifted one position to the left.

Therefore the newly added entry would end up in position 2 in the array. If not an auto-increment value is used for the ID, this should not be a big problem though.

Besindes add, and remove the spec also contains definitions for replace, move, copy and test.

The PATCH should be transactional - either all operations succeed or none. The spec states:

If a normative requirement is violated by a JSON Patch document, or if an operation is not successful, evaluation of the JSON Patch document SHOULD terminate and application of the entire patch document SHALL NOT be deemed successful.

I'll interpret this lines as, if it tries to update a field which it is not supposed to update, you should return an error for the whole PATCH request and therefore do not alter any resources.

Drawback to the PATCH approach is clearly the transactional requirement as well as the JSON Pointer notation, which might not be that popular (at least I haven't used it often and had to look it up again). Same as with PUT, PATCH allows to add new resources inbetween existing resources and shifting further ones to the right which may lead to an issue if you rely on autoincrement values.

Therefore, I strongly recommend to use randomly generated UUIDs as identifier rather than auto-increment values.