I'm currently designing a REST Http api. (With HATEOAS stuff, to make clients "simpler", and avoid clients to do complicated things, instead of letting the api tell them what to do ...)
Because of the social characteristic of the app, in order to interact with the application, users need to be authenticated, and each user will have a slighty different "view" of the data. We'll take twitter as an example, it will be easier for everyone.
To authenticate users, we'll use OAuth, easy.
So, in the client (ios app...), a random user would maybe seeing a list of users should see:
Adrien: Following John: Not Following Rambo: Not Following
And another user would maybe see:
Adrien: Following John: Not Following Rambo: Following
To achieve this, the first solution would be for the client (in oauth term, the iphone/web/etc app), to get a list of all the users the authenticated user follow, and each time the client displays a list, compare each user with the list of followed users to know if it should display "Not Following" or "Following".
The requests/responses would be:
GET /users Authorization: OAuth token... [ {"id": 1, "name": "Adrien"}, {"id": 2, "name": "John"}, {"id": 3, "name": "Rambo"} ]
and
GET /users/{myid}/following Authorization: OAuth token... [1, 3, 25, 1210, 9]
This seems to be quite, stateless. Good.
Now what if i want to make client developers life easier, and embed directly in the user list response, the relationship of each user, relative to the authenticated user:
GET /users Authorization: OAuth token... [ {"id": 1, "name": "Adrien", "relationship": "Following"}, {"id": 2, "name": "John", "relationship": "Not Following"}, {"id": 3, "name": "Rambo", "relationship": "Following"} ]
So, questions:
A. REST APIs are stateless because, rather than relying on the server remembering previous requests, REST applications require each request to contain all of the information necessary for the server to understand it. Storing session state on the server violates the REST architecture's stateless requirement.
Stateless Authentication is a way to verify users by having much of the session information such as user properties stored on the client side. It makes identify verification with the backend seamless. Also called token-based authentication, stateless authentication is efficient, scalable, and interoperable.
Statelessness means that every HTTP request happens in complete isolation. When the client makes an HTTP request, it includes all information necessary for the server to fulfill the request. The server never relies on information from previous requests from the client.
Because REST is stateless, the client context is not stored on the server between requests, giving REST services the ability to be retried independently of one another.
You should definitely embed the relationship in the user list response. It would be bad practice to force the clients calculate it.
This does not break the stateless constraint of REST as it's the interactions that are stateless, not the systems. The server will almost always have to store and maintain state. For instance the server will need to maintain state of who is following who.
Finally, I think you are not fully getting the "State" part of Hypermedia As The Engine Of Application State. Basically, the resources are state machines. When you GET
a resource, the valid state transitions are presented has hypermedia controls (links and forms) in the response. It's by following these links and submitting the forms that the client can change the state of these resources.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With