Timeline for answer to How to deal with public vs private version of same resource in a RESTFul API? by Hans-Martin Mosner
Current License: CC BY-SA 4.0
Post Revisions
12 events
| when | what | | by | comment / license | |
|---|---|---|---|---|---|
| 12 hours ago | comment | added | JimmyJames | @Hans-MartinMosner I was mainly pointing it out from a security context. I'm not able to think of any really problematic scenarios but that kind of reasoning is a bad measure to use for securing systems. More pragmatically, if this is a high-volume system, distributed caching might be useful. Using the same URI for different responses complicates that, at the very least. | |
| 2 days ago | comment | added | Hans-Martin Mosner | @JimmyJames good point, caches are a pain in the butt when they do things that naive users or developers don't expect... | |
| 2 days ago | comment | added | Bergi | @JimmyJames Rather than Cache-Control: no-store you may want to use Vary: Cookie or Vary: Authorization | |
| 2 days ago | comment | added | Steve | I think the reason why treating securables as first-class addressables is useful, is because it's very much easier to talk about someone "having permission to use both /admin/inventory and /customer/inventory" than it is to talk about "having permission to call /inventory with the ?adminView parameter both being true and being false/missing". (2/2) | |
| 2 days ago | comment | added | Steve | @Caleth, yes that's technically feasible (and solves the issue of the response varying purely according to the ambient credentials of the user), but then you've got the issue of different parameters requiring different authorisations to use even at the same callpoint. I think my rule of thumb is that if something is securable, then it is usually worthy of being treated as first-class in the addressing scheme. Certainly in the OP's case, the distinction between the "customer" and "admin" roles is so fundamental that I don't see why they would be served through the same interface. (1/2) | |
| 2 days ago | comment | added | JimmyJames | It should probably be noted that "Cache-Control: no-store" is necessary with this approach. That should be used with JWT secured resources in general and any intermediate caching layers must not cache the 'private' responses in a way that would also serve 'public' requests. | |
| 2 days ago | comment | added | Caleth | @Steve the admin page that wants to display active items can call the endpoint with a query parameter (or whatever) | |
| 2 days ago | comment | added | Steve | I personally think that 403 is the better response rather than silent filtering/404 (unless the situation is such that unauthorised users should not even have the existence of hidden data acknowledged). But like Ewan says above, it's much better to provide distinctly addressable endpoints for customers and administrators - that way, the administrator can be authorised to see both, and can explicitly distinguish between what they see in one place and what they see in another. | |
| 2 days ago | comment | added | Caleth | 404 is not a lie. The server looked in the places the customer is permitted, and did not find the item there. | |
| 2 days ago | comment | added | Bart van Ingen Schenau | @user1620696, yes, exactly that. | |
| 2 days ago | comment | added | user1620696 | Thank you for the reply. Great, so from what you say I guess one way to implement it would be via claims on a JWT access token, so that the resource can detect what kind of user (admin, customer or simply not logged in, etc) and react appropriately returning the desired representation? | |
| 2 days ago | history | answered | Hans-Martin Mosner | CC BY-SA 4.0 |
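As an added example (not code from the thread or from any of the commenters), the following Python shows one way to put together the approach the comments discuss: a single URI whose representation is chosen from the caller's JWT claims, a 404 for items a customer is not permitted to see, and caching headers that keep the private (admin) representation out of shared caches. It assumes the JWT has already been verified and its claims are passed in as a dict (`None` for anonymous callers); the inventory records, the `roles` claim name and the `active` flag are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data: 'active' is the flag that hides an item from customers.
INVENTORY: Dict[int, dict] = {
    1: {"id": 1, "name": "widget", "active": True},
    2: {"id": 2, "name": "gadget", "active": False},
}

Response = Tuple[int, Dict[str, str], Optional[dict]]


def is_admin(claims: Optional[dict]) -> bool:
    """Assumed claim layout: a verified JWT payload carrying a 'roles' list."""
    return bool(claims) and "admin" in claims.get("roles", [])


def get_item(item_id: int, claims: Optional[dict]) -> Response:
    """Return (status, headers, body) for GET /inventory/{item_id}.

    Signature verification of the JWT is assumed to have happened before this
    function is called; 'claims' is the already-trusted payload or None.
    """
    item = INVENTORY.get(item_id)

    if is_admin(claims):
        # Private representation: the full record. 'no-store' keeps it out of
        # shared caches entirely; 'Vary: Authorization' tells any cache that the
        # response depends on the caller's credentials, not only on the URI.
        headers = {"Cache-Control": "no-store, private", "Vary": "Authorization"}
        if item is None:
            return 404, headers, None
        return 200, headers, dict(item)

    # Public representation: customers only see active items, and the body does
    # not depend on who is asking, so a shared cache may store it. 'Vary' is
    # still set because the same URI yields a different body for admins.
    headers = {"Cache-Control": "public, max-age=60", "Vary": "Authorization"}
    if item is None or not item["active"]:
        # 404 rather than 403: the existence of hidden items is not acknowledged,
        # and the customer-visible part of the resource genuinely has no such item.
        return 404, headers, None
    return 200, headers, {"id": item["id"], "name": item["name"]}


if __name__ == "__main__":
    for who, claims in (("anonymous", None), ("customer", {"roles": ["customer"]}),
                        ("admin", {"roles": ["admin"]})):
        for item_id in (1, 2, 99):
            status, headers, body = get_item(item_id, claims)
            print(f"{who:9} item {item_id}: {status} {headers['Cache-Control']!r} {body}")
```

The one design point worth noting is that the public and private branches set different `Cache-Control` values but the same `Vary` header: the variance is a property of the URI, so a cache that sees only the public response must still learn that a request carrying credentials is not satisfiable from it.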