对于具有匿名/身份访问的 REST API 来说,最佳的 URI 模式是什么?
我创建了一个 API 来访问用户和这些用户拥有的对象。对象可以由作者或某种主持人/监督者匿名访问。
在所有三种情况下,一组字段可以不同(或者可以相同 - 目前尚不清楚);至少匿名模式与识别授权模式是不同的。
假设我们有一个用户 456,该用户拥有一个对象 123。
主要问题是: 对于这种情况,最好的 URI 模式是什么?每种模式的优缺点是什么:
第二个问题是: 这些资源是相同的还是同一实体的不同资源?
所有对象都有一个 URI,输出根据身份的存在或不存在而变化:
/objects.json?criteria=xyz&user=456 -- 结果取决于身份 & “用户” /objects/123.json -- 结果取决于身份 /用户/456.json
用于匿名和标识访问的不同 URI,就好像它们是不同的资源一样:
/objects.json?criteria=xyz -- 仅限匿名 /objects/123.json——仅限匿名 /用户/456.json /user/456/objects.json——仅识别 /user/456/objects/123.json -- 仅识别
还有其他内容吗?
UPD:刚刚发明:
/objects/123 -- basic info, same for anonymous&identified
/objects/123/extra -- different kinds of extra info,
/objects/123/extended -- ... or extended representations,
/objects/123/meta -- ... only for authorized roles for each.
/objects?criteria=xyz -- common search for objects
/users/456/objects -- objects owned by user only
公共列表和每用户列表中都有额外资源的 URI(列表是入口点),具体取决于使用的列表。
通过这种方法,我们拥有指向资源的 URI,该 URI 不会根据请求用户的身份而变化。但我们仍然可以控制向请求用户提供或不提供信息的哪些部分。并且 URI 不会以任何方式或方式重复。完美的!
I create an API to access users and objects owned by those users. Objects can be accessed anonymously, by the author, or by some kind of moderator/superviser.
In all three cases a set of fields can be different (or can be the same - it is not known yet); at least it is different for anonymous vs identified-authorized modes.
Lets assume we have a user 456 and this user owns an object 123.
The primary question is:
What's the best URI schema for this case and what are the pros and cons of each:
The secondary question is:
Are these resources the same or are they different resources for the same entity?
One single URI for all objects, with output varying depending on absence or presence of identity:
/objects.json?criteria=xyz&user=456 -- result depends on identity & "user" /objects/123.json -- result depends on identity /users/456.json
Different URIs for anonymous and identified access, as if they were different resources:
/objects.json?criteria=xyz -- anonymous only /objects/123.json -- anonymous only /users/456.json /users/456/objects.json -- identified only /users/456/objects/123.json -- identified only
Something else?
UPD: Just invented:
/objects/123 -- basic info, same for anonymous&identified
/objects/123/extra -- different kinds of extra info,
/objects/123/extended -- ... or extended representations,
/objects/123/meta -- ... only for authorized roles for each.
/objects?criteria=xyz -- common search for objects
/users/456/objects -- objects owned by user only
And there are URIs of extra resources in the public and per-user lists (lists are entrypoints), depending on what list is used.
With this approach, we have URIs pointing to the resources, that do not vary depending on identity of the requesting user. But we still have control on what parts of information we give or don't give to the requesting user. And URIs are not duplicated in any mean or way. Perfect!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设问题在上面的 UPD 中得到了回答。这个伪答案是为了结束问题。
Assuming the question is answered in the UPD above. This pseudo-answer is to close the question.