Reputation: 37
I am developing a web platform that provides licence handling (e.g. creation, invoicing, downloading) for a specific software. The backend is Django 2.1.7 and the frontend is Angular.
I have the following use case and I want to make sure it respects REST architecture and that it is future proof (avoid pitfalls).
So I have 2 apis:
These 2 APIs are protected and can be accessed only after logging in.
In my current implementation the GET requests for these 2 APIs return only data specific to the logged-in user, by extracting the user id and name from the request.user (i.e. the authenticated user) information.
User with the name user1 logged in (NOT admin):
GET ip/userprofiles will return user1's profile.
GET ip/licences will return user1's licences.
Another use case is that the admin should have access to all licences and all users, and for this I check whether request.user is an admin.
User with user10 name logged in (user10 IS admin):
GET ip/userprofiles will return ALL users profiles.
GET ip/licences will return ALL licences (for all users).
For admin users the APIs also allow filtering by user using a query string parameter.
Is this approach OK from a REST point of view and also from a security point of view? Any pitfalls I should watch out for?
Should I also use, for non-admin users, the same approach as for admin users, i.e. specify the current user id as a query string parameter in the frontend and not extract the user in the backend from request.user (the authenticated user information)? This solution does not seem secure to me but might be a limitation for the future (although currently I don't see any use case in which a user should have access to other users' licences and profiles).
Upvotes: 0
Views: 52
Reputation: 13731
Personally I don't agree with what you're pitching. Each API endpoint should have one responsibility per request action. A GET request at ip/userprofiles should either always return a single object or a list of objects. This simplifies the client's logic so that it can translate the result consistently.
Here's what I'd suggest:
# Detail / Single Object Endpoints:
ip/userprofile
ip/license
These two always return the current user's profile and license respectively, regardless of admin status.
# List Endpoints
ip/userprofiles
ip/licenses
These two always return a list of users and licenses respectively, but would have some validation (in DRF a permission class) that would only return data if request.user is an admin. If a user isn't an admin, it'd return a 403 error.
Upvotes: 1