Reputation: 247
I would like to develop a website with a reusable API, and a REST-style one should suit quite well. Let's say that each user can store information about books they like. So I have many users, and each of them can have many books.
As I suppose, I would get a list of books by some kind of request as below:
GET /book
But.
A user should list only his own books, not all of the books stored on the server. So how do I do this properly?
As I read through many SO Q&As, it seems not to be RESTful to leverage standard authentication with cookies and a session id (as is common with PHP and others), because it preserves state on the server. Then the first request (GET /book) would not return any results (user not logged in), and after logging in it would return the list of this user's books.
Another solution I came across, is to append credentials to every request, like:
GET /book?user=john&pass=1234
Apart from the TLS (HTTPS) requirement this imposes (because of plaintext data), it just seems wrong. It seems like redundancy, bandwidth waste, per-request validation, etc.
My question is:
If I am not wrong, how do I do this the right way, both from a good-programming point of view and from a performance/network-usage perspective?
And maybe REST is not suitable for user owned data?
EDIT: And OAuth and similar solutions seem way too complicated (and they add overhead too, I think?).
Upvotes: 0
Views: 90
Reputation: 3799
Use the Authorization header to pass credential information. If OAuth is too complex, use Basic auth over SSL... like so:
GET /user HTTP/1.1
Authorization: Basic ZmlkZGxlcnBpYW5pc3Q6aGVsbG93b3JsZA==
Accept: application/json
(other headers here)
Though I'd definitely recommend a URL that's unique to your user, such as this one:
GET /users/fiddlerpianist/books HTTP/1.1
Note that, in a stateless RESTful service, there is no concept of login or logout. The Authorization header would be passed from the client with every request.
Upvotes: 0
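A server-side sketch of what the answer above describes, added here as an example (it is not code from either poster): the Basic credentials in the Authorization header are checked on every request with no session state, only salted password hashes are stored, and the handler also verifies that the {name} in /users/{name}/books is the authenticated user. The user store and book lists are constructed sample data; the first header value below is the one quoted in the answer (fiddlerpianist:helloworld).

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the store keeps only (salt, hash), never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

# Constructed sample user store and per-user book lists (not from the question).
USERS: Dict[str, Tuple[bytes, bytes]] = {"fiddlerpianist": _make_user("helloworld"),
                                         "alice": _make_user("s3cret")}
BOOKS = {"fiddlerpianist": ["Dune", "Neuromancer"], "alice": ["Emma"]}
_DUMMY = _make_user("dummy")  # unknown usernames cost the same hashing time as real ones

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the username if 'Authorization: Basic <base64(user:pass)>' is valid, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # RFC 7617: first colon separates user and password
    if not sep:
        return None
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash_password(password, salt))  # constant-time compare
    return username if ok and username in USERS else None

def handle_get(path: str, headers: Dict[str, str]) -> Tuple[int, object]:
    """Stateless GET /users/{name}/books: credentials are re-checked on every request."""
    user = authenticate(headers)
    if user is None:
        # 401 plus WWW-Authenticate tells the client which scheme the server expects.
        return 401, {"WWW-Authenticate": 'Basic realm="books"'}
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "users" or parts[2] != "books":
        return 404, "not found"
    # Authentication says who the caller is; authorization must still confirm that the
    # {name} in the URL is the caller, or anyone could read another user's list.
    if parts[1] != user:
        return 403, "forbidden"
    return 200, BOOKS.get(user, [])
```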
Reputation: 6570
You can add a first mandatory REST method to get an authentication token, so you can require this token in all other REST requests and use it to filter the results.
Upvotes: 1