RESTful API
Evgeny Musonov, 2020-07-13 13:20:39

How to properly organize work with the user in the REST API?

There is a self-written API; here is an example of how the URLs are organized:

GET /api/products
PUT /api/products/1

That is, there are controllers (ProductController.php for the example above), and each controller has four methods: get, post, put, delete.
1. Is this the right approach?
2. And if it is correct, then how should user authorization / registration be organized, given that in fact it is a POST method in both cases?

3 answer(s)
Vladimir Korotenko, 2020-07-13
@firedragon

The controller should give 401 or 403 statuses, and you on the client should process them.

Ivan Shumov, 2020-07-13
@inoise

Use a bearer token. It is customary to use OpenID Connect as the authentication type. As for the addresses and methods, everything seems to follow the REST canon.

SirotaKazansky, 2020-07-13
@SirotaKazansky

I think it is not necessary to control access at the level of HTTP methods. You have a controller that can determine whether a user may perform a particular action, based on certificates, tokens, whatever.
Whether this approach is correct or not depends on at least two things: whether it adequately reflects the data model, and whether the end user can use it without harm to their psyche. For example, you shouldn't have to first collect a bunch of data to access an entity.
