{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 做个烂人 的问题《How to design URL to return data from the current》','https://www.manongdao.com/q-531109.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a REST based service where a user can return a list of their own books (this is a private list).
The URL is currently ../api/users/{userId}/books
With each call they will also be supplying an authentication token supplied earlier.
My question(s) is:
Is supplying the
userIdin the URL redundant? As we get a token with each call we can find out which user is performing the call and return their list of books. TheuserIdis not strictly required.Would removing the
userIdbreak REST principles as/users/books/looks like it should return all books for all users?Should I just bite the bullet and authenticate them against the token and then check that the token belongs to the same
userId?
I dont think that removing userId would break any REST principles, because after all, /users and them /books, its a little bit openend to interpretation and REST says basically nothing about it, on the other way if you are going to stay with the id inside the request, you MUST check that the user id is the same as the connected user, anyways, for me the 1 is redundant because you already have that information, plus, every time you are going to make useless checks because anyways the authentified userId is the one that you are going to trust in all cases.
Best Regards
Short answer
You could use
mein the URL to refer to the current user. With this approach, you would have a URL as following:/users/me/books.An answer for each question
You could consider doing something like this:
/users/me/books. Wheremerefers to the current user. It's easier to understand than/users/books, which can be used to return all books from the users.For some flexibility, besides
/users/me/books, you could support/users/{userId}/books.The URL
/users/mecan be used to return data from the current user. Many APIs, such as StackExchange, Facebook, Spotify and Google+ adopt this approach.I don't think it will break any REST principles, but I think your resources will not be properly indetified. As I answered above, I would use
/users/me/booksand also support/users/{userId}/books.When using the
userIdin the URL to request private information from a user, there's no harm in checking if the token belongs to the user with theuserIdincluded in the URL.REST is resources oriented so in your point what is the resource user or book. My point of view it's book. And I think you can request this resources /api/books?user={userid} But this URL can not solve your permission issue so you have to do it in your code with token information you can get with a OAuth2 protocol or whatever.