Comment by Vishwa Bhat on "Doubts while following REST API standards"

CommentDoubts while following REST API standards

Vishwa Bhat

Technology Enthusiast

Dec 11, 2018

For your first problem, route handling always goes by regex sequence so place /challenges/current first and then keep /challenges/:id, so that the control comes to :id route only if it fails for current regex match.

For second problem, JWT and REST are not related conceptually so expecting userId in JWT is for your logic and expecting :id in the route is the REST standard so expect both and before you proceed with the actual logic with JWT inside middleware, first you verify if user-id passed inside JWT and route are same otherwise you respond with 403-forbidden access.

Abhishek Pathak

Javascript Developer

Dec 11, 2018

But in my case, a user can view profile of other user as well, so I can't forbid that. I was taking it to create another endpoint, but that's not practical for likewise cases. So, I will probably, create a self boolean variable and create a middleware for it.

Thanks for your answer. I hope it works well.

Vishwa Bhat

Technology Enthusiast

Always separate out Public(user accessing other's profile) and Private APIs(user accessing their own) of a particular Resource(User entity), so that there wouldn't be any chances of crucial information leaking out

Search Hashnode