Is it better to get ID from URL or JWT in an authenticated API

Time:12-27

So I am creating some APIs on Laravel using Passport (JWT).

I am having issues deciding which is the preferred method for the following:

PUT: api/users/{user_id}
PUT: api/users/me

I need the API so that the user can change his own information, but I would also like the API to be accessible to the Admin to change said information.

At the moment I am only using the first API and checking if the ID is the same as the one in the JWT auth, or if the one requesting the API is the Admin.
But I was also thinking that maybe it was better to have them separate: the first API should only be accessible to the Admin, and I should be taking the ID from the JWT auth for the second API.

What would be the correct choice? Or is there a better choice?

CodePudding user response:

I would say using this approach is better:

PUT: api/users/{user_id}

That allows anyone to consistently link to your own profile or to some other user profile in the same way. Then depending on your authentication and authorization, you can be allowed to do different operations on that resource.

CodePudding user response:

There is no correct or better choice. You seem to understand the implications of using either of them, so it's really up to you to choose. With the /{user_id} version you have to be extra careful not to remove proper validation rules from your code. If you used /users/me for a GET operation you would have to be careful with setting cache headers: if a browser cached a response to users/me and another user then requested this endpoint, you could get some other user's data. For PUT operations, though, this is not a concern.
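As an added illustration of the self-or-admin check both answers refer to (example code, not from the question or the answers), here is one way to wire it in Laravel so that the URL only selects the target while the decision is always made against the token user. Three files are collapsed into one block with path comments; the `is_admin` column, the validation rules and the `Gate` facade usage are assumptions.

```php
<?php
// app/Policies/UserPolicy.php (auto-discovered by Laravel 8+ for App\Models\User)
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // $actor is the Passport token's user, never taken from the URL. The URL id only
    // selects the target; this check decides whether the actor may modify it.
    // Assumes a boolean `is_admin` column on users (hypothetical, not in the question).
    public function update(User $actor, User $target): bool
    {
        return $actor->is($target) || (bool) $actor->is_admin;
    }
}
// app/Http/Controllers/UserController.php
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class UserController extends Controller
{
    // PUT api/users/{user}: route model binding loads the target from the URL id,
    // then the policy runs against the token user and aborts with 403 on failure.
    public function update(Request $request, User $user)
    {
        Gate::authorize('update', $user);
        $validated = $request->validate([
            'name'  => ['sometimes', 'string', 'max:255'],
            'email' => ['sometimes', 'email', 'unique:users,email,' . $user->id],
        ]);
        $user->update($validated);
        return response()->json($user);
    }
    // PUT api/users/me: the target is always the token's own user, so the same
    // policy and validation apply with no second code path to keep in sync.
    public function updateMe(Request $request)
    {
        return $this->update($request, $request->user());
    }
}

// routes/api.php: register `me` before `{user}`, otherwise "me" is bound as an id.
// Route::middleware('auth:api')->group(function () {
//     Route::put('users/me', [UserController::class, 'updateMe']);
//     Route::put('users/{user}', [UserController::class, 'update']);
// });
```

Because both routes funnel into the same policy and validation, removing the `/me` variant later, or keeping it, does not change which users may modify which record.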
