REST API – Different Responses from Same Resource Based on Requester

rest

Let's say I have a single resource of employee that belongs to user:

{
  "id": 1,
  "name": "John Doe",
  "userId: 1
}

When making a GET request to /employees/1, I'm using a JWT which contains the userId.

Any user can fetch this record regardless of their userId (as long as they're authenticated), however, I want to indicate that the requester actually owns that employee.

I was thinking that on the server I could do an "if (employee.userId === jwt.userId)" and add the result as a property in the result like so:

{
  "id": 1,
  "name": "John Doe",
  "userId: 1,
  "isOwner": true
}

Does this break REST principles as the same resource will return different results depending on the user making the request?

Best Answer

No, it doesn't.

As long as the concept behind the URI is the same (some gray area of course) the server is free to return different representations of the same thing best suited for the client or the user making the request.

The same way the resource at amazon.com will return a slightly different page for me than for you.

Related Solutions

Spring Boot REST API – How to Update Collection of Resources

You could model the redirect URLs as a sub resource, e.g.

/clients
/clients/4711
/clients/4711/redirect-urls

To add a new redirect URL to the collection you would simply use POST /clients/4711/redirect-urls.

REST API Design – Handling Resource Properties Based on User Authorization

REST does not define behavior for such fine-grained details. Keep the same endpoint, but return different data depending on the client. If the client has authorization to view the customer, return a 200 OK response. This satisfies REST and the HTTP protocol. The specific data being returned is up to application logic.

Consider for a moment that you create a second endpoint called /customers-basic and the existing /customers endpoint returns unmasked information. What is stopping a malicious actor from calling /customers when they should be calling /customers-basic? Forget that the client should call one over the other. Forget that you might give the client the endpoint they should call. Assume that some client will attempt to access information they are not authorized to see. Authorize every request. The data returned in the request depends on the use case and permissions. REST doesn't even figure into that decision or design. Consider another example where you and I are coworkers.

Let's say I work in level 1 tech support and you work in level 2 support. I take calls first and then escalate to you if I cannot handle the problem. You reply to me saying:

Hi Greg,

I was able to resolve this customer's issue:

https://example.com/customers/123

Alex

You can see that URL because you have elevated access to the system. With two different endpoints, I should visit /customers-basic/123 due to me having lower access. The data returned by both endpoints represents the same "customer" but you force clients to understand their access to the system in order to access that resource. You also force clients to understand each others access.

If I visit the URL in your email, I would get 401 Unauthorized response, which is a frustrating thing for clients to remember. It would drive clients crazy because it is the same customer.

Remember that a resource in RESTful programming is an abstract concept. Two different clients do not necessarily need the same data bit-for-bit. Conceptually a URL should return the same object, but the exact representation of that object will depend on application logic out of the scope of REST.

Best Answer

Related Solutions

Spring Boot REST API – How to Update Collection of Resources

REST API Design – Handling Resource Properties Based on User Authorization

Related Topic