An intelligent coworker friend of mine brought up a question to me that I was uncertain how to answer and I'd like to pose it to the world.

If a RESTful endpoint uses token-based authentication, aka a time-based token is required to access a resource and that token expires after a certain amount of time, would this violate the RESTful principle? In other words, if the same URL expires after a certain amount of time, so the resource returns a different response depending when it was requested, is that breaking REST?

+1  A: 

The user/application access right to the URL may expire but that does not mean the URL expires. In large real world systems the auth part of the API may be handled by a different product, shielding the real API from attacks, unauthorized users, etc. So the RESTful API still follows the RESTful principles.

Zepplock
A: 

Resources will frequently give a different response depending on when they are requested. That's what happens when the actual resources change over time. Requesting the resource of this page (for instance) in a week will likely give different responses than doing so when you read this the first time.

kyoryu
Or just something as simple as /rest/profile/email would return different content depending who is logged in.
BurningIce
@BurningIce No, that's not the same example. Using the same URI to contain different things for different people is usually not the best solution. However, endpoints like /TodaysWeather obviously will vary over time.
Darrel Miller
+3  A: 

No, your scenario is not breaking any restful principle that I can think of. You seem to be confusing a request returning a different resource and a request getting a different response.

In your scenario I would expect after the token has expired that the server would return a 401 and the client would initiate some kind of authentication exchange to re-validate the user.
Once revalidated, the server should then return the intended resource.

There are many cases when a request could have completely different responses. 403 Forbidden, 410 Gone are examples.

Darrel Miller
Ah that makes sense, so long as the HTTP rules are followed, it seems as if it wouldn't break any RESTful process
@auser I wouldn't quite go that far, but chances are if you are working within the spirit of HTTP you are also probably on a pretty RESTful track. Don't forget Roy Fielding was also the co-author of the HTTP 1.1 spec.
Darrel Miller
+1  A: 

Your design is not violating REST constraints, but you must be careful that you use HTTP correctly. If your resources are only intended to be seen by a certain user, that user should be authenticated using HTTP authentication. This will tell public caches not to cache the representations of the resource (which they otherwise usually would).

So, even if you intend the URL to be only known by a certain user, make sure you also have that user authenticate itself using the correct HTTP headers.

Jan

Jan Algermissen
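The behaviour Darrel Miller and Jan Algermissen describe, as an added example that is not part of the original thread: one handler for a fixed URL, guarded by a time-limited bearer token. The URL never changes; when the token has expired, the client's access right has, so the server answers 401 with a WWW-Authenticate challenge and the client re-authenticates. Successful responses are marked `Cache-Control: private` with `Vary: Authorization` so a shared cache does not hand one user's representation to another. The token format (`user.expiry.mac`), the secret key, the resource path and the response body are assumptions made for this example, not the original poster's design.

```python
"""Added example, not from the original thread: a time-limited bearer
token guarding a single URL, with the 401 challenge and cache headers the
answers above discuss.  Token format, key and body are assumptions.
"""
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300


def issue_token(user: str, now: float, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Mint a token 'user.expiry.mac' bound to an absolute expiry time."""
    expiry = int(now) + ttl
    message = f"{user}.{expiry}".encode()
    mac = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{user}.{expiry}.{mac}"


def verify_token(token: str, now: float):
    """Return (user, reason). user is None when the token is unusable; reason
    tells a malformed or forged token apart from an expired one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    user, expiry_str, mac = parts
    message = f"{user}.{expiry_str}".encode()
    expected = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    # Check the MAC in constant time *before* trusting the expiry field;
    # otherwise an attacker could simply write a far-future expiry.
    if not hmac.compare_digest(mac, expected):
        return None, "invalid_signature"
    if not expiry_str.isdigit():
        return None, "malformed"
    if int(expiry_str) <= now:
        return None, "expired"
    return user, "ok"


def handle_get_profile(headers: dict, now: float):
    """Handle GET /rest/profile/email (assumed path).
    Returns (status, response_headers, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # No credentials at all: plain challenge, client must authenticate.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    user, reason = verify_token(auth[len("Bearer "):], now)
    if user is None:
        # RFC 6750 uses error="invalid_token" for expired as well as forged
        # tokens; the description lets the client decide to re-authenticate.
        challenge = ('Bearer realm="api", error="invalid_token", '
                     f'error_description="{reason}"')
        return 401, {"WWW-Authenticate": challenge}, ""
    # Same URL, per-user representation: keep shared caches from storing it
    # and make any cache key on the Authorization header.
    response_headers = {
        "Content-Type": "text/plain",
        "Cache-Control": "private, no-store",
        "Vary": "Authorization",
    }
    return 200, response_headers, f"{user}@example.com"  # constructed body


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("alice", t0)
    print(handle_get_profile({"Authorization": "Bearer " + tok}, t0))
    # Ten minutes later the same URL with the same token yields 401.
    print(handle_get_profile({"Authorization": "Bearer " + tok}, t0 + 600))
```

The resource identified by the URL is unchanged across both calls; only the response differs, exactly as it would for a 403 or a 410. The MAC is verified before the expiry is read so that a client cannot extend its own lifetime by editing the timestamp.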