RESTful authentication API design
I have a question regarding RESTful API design. Following the guidelines of REST, all endpoints should be nouns and in plural, and should never be verbs. However, it is customary to have authentication routes be:

/login
/logout

which are both verbs. If you were to be true to the guidelines, these routes should look more like this instead:

/users?action=login
/users?action=logout

but I've never used any API that has this particular authentication implementation; everyone uses the first one, me included. But I wonder if this is because many people don't follow the guidelines fully and it has just become a habit, or is there another reason?

Ashanti answered 20/9, 2014 at 20:6
7

If you want to be compliant with the REST guidelines, your API should expose a security token resource, for instance as follows:

/security/token

And that's it... You can then GET security tokens (login), use them, then DELETE them (logout).

Brentwood answered 20/9, 2014 at 20:36
1

According to the stateless constraint of REST, maintaining client sessions on the server side is not allowed. So your question does not make any sense. These are the simplest auth solutions by REST:

  • For trusted clients you have to send the username and password with every request, for example in an HTTP (basic) auth header. You have to use an encrypted connection.

  • For 3rd party (non-trusted) clients, you have to add a unique API key to the client by registration. After that, when a customer first tries to use the client, you show her a dialog in which she can register a unique access token for the client. This way she allows access to her account. After that the 3rd party client sends the API key and the access token with every request related to the customer's account.

To answer your question related to the URIs. According to the uniform interface constraint:

  • You map the URIs to resources and not to operations. That's why they should not contain verbs. You use the verbs to choose the proper HTTP method. You can reduce almost every operation name to a few HTTP methods and nice URIs.

  • URIs do not have a meaning to the clients, because clients follow hyperlinks annotated with semantics (e.g. a link relation, or a term from an RDF vocabulary).

  • Nice URIs are good for checking if you really mapped them to resources (if not, then they contain verbs).

  • Nice URIs are good when you write the routing logic on the server side manually, or when you debug requests.

Sergiosergipe answered 20/9, 2014 at 20:18
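The two answers above describe the same shape from different angles: a token resource that is created on login and deleted on logout (Brentwood), obtained with Basic credentials over TLS and, for third-party clients, only usable together with the client's registered API key (Sergiosergipe). The following is an added example, not code from either answer or from any project: it implements that token resource as plain request-handling functions so the status codes can be checked without a web server. The path `/security/token`, the `X-Api-Key` header name, the user table, the API-key registry and the credentials are all constructed for this example. Token creation is handled as a POST here rather than the GET mentioned in the answer, because creating a token has side effects; that is a design choice of this example.

```python
"""Token-resource login/logout with Basic auth and third-party API keys.

Added example, not from the page. Everything below (users, keys, header
names, the /security/token path) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; never store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-static-salt"  # a real system uses a random salt per user
USERS = {"alice": _hash_password("correct horse", _SALT)}  # constructed user

# Constructed registry of third-party clients: api_key -> client name.
API_KEYS = {"key-for-3rd-party-app": "weather-widget"}

TOKEN_TTL = 3600  # seconds a token stays valid
# Token store keyed by sha256(token), so a leaked store does not leak usable tokens.
TOKENS: Dict[str, Dict[str, Any]] = {}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value (what the client would send)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the username if the Basic header carries valid credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    stored = USERS.get(user)
    if stored is None:
        _hash_password(password, _SALT)  # same cost for unknown users (no user enumeration by timing)
        return None
    return user if hmac.compare_digest(stored, _hash_password(password, _SALT)) else None


def create_token(headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """POST /security/token: trade credentials (plus an API key for 3rd-party clients) for a token."""
    user = check_basic_auth(headers.get("Authorization"))
    if user is None:
        return 401, {"error": "invalid credentials"}
    client = "first-party"
    if "X-Api-Key" in headers:
        client = API_KEYS.get(headers["X-Api-Key"])
        if client is None:
            return 403, {"error": "unknown client"}
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKENS[_token_id(token)] = {"user": user, "client": client, "expires": time.time() + TOKEN_TTL}
    return 201, {"token": token, "expires_in": TOKEN_TTL}


def authenticate_token(headers: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Resolve 'Authorization: Bearer <token>' to its record; None if absent, unknown, expired
    or (for a 3rd-party token) presented without the matching API key."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    record = TOKENS.get(_token_id(auth[7:]))
    if record is None or record["expires"] < time.time():
        return None
    if record["client"] != "first-party" and API_KEYS.get(headers.get("X-Api-Key", "")) != record["client"]:
        return None
    return record


def delete_token(headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """DELETE /security/token: revoke the presented token (logout)."""
    if authenticate_token(headers) is None:
        return 401, {"error": "no valid token"}
    TOKENS.pop(_token_id(headers["Authorization"][7:]))
    return 204, {}
```

Because the server keeps a table of issued tokens, logout really is a DELETE: after revocation the old token fails `authenticate_token` immediately. The trade-off is that this table is per-server state, which is exactly the kind of session state the stateless constraint frowns on; a signed, self-contained token (see the JWT answer) avoids the table but then cannot be revoked before it expires without reintroducing one.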
-4

Use JWT (JSON Web Token). It's very lightweight.

Hollerman answered 28/6, 2017 at 7:27
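To show what "lightweight" means in practice, here is an added example (not from the answer or from any JWT library) of issuing and verifying an HS256 JWT with only the Python standard library. The secret, subject, TTL and clock values are constructed; the verifier pins the algorithm to HS256 instead of trusting the token's own `alg` header, compares the signature in constant time, and rejects expired tokens.

```python
"""Minimal HS256 JWT issue/verify. Added example, standard library only.

The secret and all claim values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret-rotate-me"  # load from a secret store in a real service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_jwt(subject: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Return header.payload.signature for `subject`, valid for `ttl` seconds."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token is well-formed, HS256-signed with SECRET and unexpired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the token must not get to choose "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, _sign(f"{head_b64}.{body_b64}")):
        return None
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The server keeps no per-token state, which is what makes this fit the stateless constraint; the caveat is that "logout" can only mean the client discarding the token, since the server will accept it until `exp` unless you add a revocation list (and then you are back to server-side state, as in the token-resource approach).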
