Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it legal to have REST resource such as /currentUser in terms of RESTful and stateless?

Tags:

rest

restful-url

In terms of RESTful and stateless it's pretty legal to have resource like

/users/123

But, the question is: is it legal to have resource that omits user id and assumes that it's implicitly resolved on the server from the user session? For example:

/loggedUser

That resource would point to /users/123 when user with identifier 123 is authorized.

like image 844
Wojciech Wirzbicki Avatar asked Feb 22 '17 09:02

Wojciech Wirzbicki

1 Answers

Picking a resource locator

Using /me, /users/me, /users/myself, /users/current or similar URIs to identify a resource that corresponds to the authenticated user is perfectly fine from a REST perspective. According to Roy Thomas Fielding's dissertation, any information that can be named can be a resource:

5.2.1.1 Resources and Resource Identifiers

The key abstraction of information in REST is a resource. Any information that can be named can be a resource: a document or image, a temporal service (e.g. "today's weather in Los Angeles"), a collection of other resources, a non-virtual object (e.g. a person), and so on. In other words, any concept that might be the target of an author's hypertext reference must fit within the definition of a resource. A resource is a conceptual mapping to a set of entities, not the entity that corresponds to the mapping at any particular point in time. [...]

When using the URIs mentioned above, you have an identifier for the authenticated user and it will always identify the concept of an authenticated user, regardless of which user is authenticated.

The stateless constraint

The stateless constraint is not related to how your resources are identified. The stateless constraint is about not storing any session state on server side. In this approach, each request from client to server must contain all the necessary information to be understood by the server.

See que following quote from Fielding's dissertation:

5.1.3 Stateless

[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]

When targeting protected resources that require authentication, for example, every request must contain all necessary data to be properly authenticated/authorized.

A similar question has been answered here and here.

like image 194
cassiomolin Avatar answered Nov 12 '22 11:11

cassiomolin
Sign in to Comment

Related questions

API to list top level domains
asp.net Web Api - Default Error Messages
Should a HTTP Allow header contain "OPTIONS"?
AngularJS Restful Routing
Jersey with Struts2 [duplicate]
Getting Item ID after REST Upload to SharePoint 2013 Online Document Library
Open Source Job Scheduler with REST API
How to set up WCF Self-Hosted REST service?
How to handle date fields from a REST Api in AngularJS?
In Spring Boot, adding a custom converter by extending MappingJackson2HttpMessageConverter seems to overwrite the existing converter
JAX-RS Resource not found in GlassFish Server
Is it good practice to throw exception from DAO layer to controller?
Web API 2 requires trailing slash for custom attribute routing to work
Spring REST returning PDF - Response status 406 (not acceptable)
Laravel resource controller difference between edit and update
How to access Failed Hangfire Jobs
What http return code should be if no data available
How to form protobuf resource part of http request body and test it through dhc client or postman for restful services
How to wrap JSON response from Spring REST repository?
Go Gin-Gonic, get text from POST request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!