Open pvdbosch opened 1 year ago
Similar subject on resource identifier in http://opensource.zalando.com/restful-api-guidelines/#143 :
Exception: In some situations the resource identifier is not passed as a path segment but via the authorization information, e.g. an authorization token or session cookie. Here, it is reasonable to use self as pseudo-identifier path segment. For instance, you may define /employees/self or /employees/self/personal-details as resource paths — and may additionally define endpoints that support identifier passing in the resource path, like define /employees/{empl-id} or /employees/{empl-id}/personal-details.
Determine guidelines concerning resource URIs that are only unique within the context of a single user.
The guide states:
"Any resource is uniquely identified by a Uniform Resource Identifier or URI (RFC 3986)."
However, we sometimes see APIs where the resource URI depends on the user.
Examples:
GET /messages
retrieves the messages in the e-box of the current userGET /cases/{tenantCaseId}/documents/{tenantDocumentId}
where the identifiers are only unique to the user, because they're created in different systemsUsing "Vary: Authorization" in the response could make this explicit:
l'utilisation de https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary Vary: Authorization "The Vary HTTP response header describes the parts of the request message aside from the method and URL that influenced the content of the response it occurs in. Most often, this is used to create a cache key when content negotiation is in use."
However:
Similar discussion: https://stackoverflow.com/questions/28836657/http-caching-with-authorization
I propose to just recommend API designers to:
Extract RFC7234 caching: https://www.rfc-editor.org/rfc/rfc7234