Skip to main content
Software Engineering

Return to Answer

Post Timeline

added 1137 characters in body
Source Link
Greg Burghardt
Greg Burghardt
  • 47.7k
  • 8
  • 92
  • 157

REST does not define behavior for such fine-grained details. Keep the same endpoint, but return different data depending on the client. If the client has authorization to view the customer, return a 200 OK response. This satisfies REST and the HTTP protocol. The specific data being returned is up to application logic.

Consider for a moment that you create a second endpoint called /customers-basic and the existing /customers endpoint returns unmasked information. What is stopping a malicious actor from calling /customers when they should be calling /customers-basic? Forget that the client should call one over the other. Forget that you might give the client the endpoint they should call. Assume that some client will attempt to access information they are not authorized to see. Authorize every request. The data returned in the request depends on the use case and permissions. REST doesn't even figure into that decision or design. Consider another example where you and I are coworkers.

Let's say I work in level 1 tech support and you work in level 2 support. I take calls first and then escalate to you if I cannot handle the problem. You reply to me saying:

Hi Greg,

I was able to resolve this customer's issue:

https://example.com/customers/123

Alex

You can see that URL because you have elevated access to the system. With two different endpoints, I should visit /customers-basic/123 due to me having lower access. The data returned by both endpoints represents the same "customer" but you force clients to understand their access to the system in order to access that resource. You also force clients to understand each others access.

If I visit the URL in your email, I would get 401 Unauthorized response, which is a frustrating thing for clients to remember. It would drive clients crazy because it is the same customer.

Remember that a resource in RESTful programming is an abstract concept. Two different clients do not necessarily need the same data bit-for-bit. Conceptually a URL should return the same object, but the exact representation of that object will depend on application logic out of the scope of REST.

REST does not define behavior for such fine-grained details. Keep the same endpoint, but return different data depending on the client. If the client has authorization to view the customer, return a 200 OK response. This satisfies REST and the HTTP protocol. The specific data being returned is up to application logic.

Consider for a moment that you create a second endpoint called /customers-basic and the existing /customers endpoint returns unmasked information. What is stopping a malicious actor from calling /customers when they should be calling /customers-basic? Forget that the client should call one over the other. Forget that you might give the client the endpoint they should call. Assume that some client will attempt to access information they are not authorized to see. Authorize every request. The data returned in the request depends on the use case and permissions. REST doesn't even figure into that decision or design.

REST does not define behavior for such fine-grained details. Keep the same endpoint, but return different data depending on the client. If the client has authorization to view the customer, return a 200 OK response. This satisfies REST and the HTTP protocol. The specific data being returned is up to application logic.

Consider for a moment that you create a second endpoint called /customers-basic and the existing /customers endpoint returns unmasked information. What is stopping a malicious actor from calling /customers when they should be calling /customers-basic? Forget that the client should call one over the other. Forget that you might give the client the endpoint they should call. Assume that some client will attempt to access information they are not authorized to see. Authorize every request. The data returned in the request depends on the use case and permissions. REST doesn't even figure into that decision or design. Consider another example where you and I are coworkers.

Let's say I work in level 1 tech support and you work in level 2 support. I take calls first and then escalate to you if I cannot handle the problem. You reply to me saying:

Hi Greg,

I was able to resolve this customer's issue:

https://example.com/customers/123

Alex

You can see that URL because you have elevated access to the system. With two different endpoints, I should visit /customers-basic/123 due to me having lower access. The data returned by both endpoints represents the same "customer" but you force clients to understand their access to the system in order to access that resource. You also force clients to understand each others access.

If I visit the URL in your email, I would get 401 Unauthorized response, which is a frustrating thing for clients to remember. It would drive clients crazy because it is the same customer.

Remember that a resource in RESTful programming is an abstract concept. Two different clients do not necessarily need the same data bit-for-bit. Conceptually a URL should return the same object, but the exact representation of that object will depend on application logic out of the scope of REST.

Source Link
Greg Burghardt
Greg Burghardt
  • 47.7k
  • 8
  • 92
  • 157

REST does not define behavior for such fine-grained details. Keep the same endpoint, but return different data depending on the client. If the client has authorization to view the customer, return a 200 OK response. This satisfies REST and the HTTP protocol. The specific data being returned is up to application logic.

Consider for a moment that you create a second endpoint called /customers-basic and the existing /customers endpoint returns unmasked information. What is stopping a malicious actor from calling /customers when they should be calling /customers-basic? Forget that the client should call one over the other. Forget that you might give the client the endpoint they should call. Assume that some client will attempt to access information they are not authorized to see. Authorize every request. The data returned in the request depends on the use case and permissions. REST doesn't even figure into that decision or design.