There are many great SO questions (and answers) about REST and security. Many say that "the purists will not like it, but blah blah" ... and then others say: "You should never do this because blah blah."
But I did not see the solution that the purists offer for the following scenario. So my question is: what are the “clean RESTful solutions” in the following scenario?
A simple scenario ...
Imagine creating a database / website that allows the user to manage their favorite recipes. The website provides a RESTful API so that users can request and manipulate their list from the user program they want to write (which uses this API).
So, user "A" has 3 favorite recipes with identifiers "1", "2" and "3".
User "B" has 2 favorite recipes with identifiers "4" and "5".
We need to make sure that if user A sends a DELETE command to /Recipes/4, he will receive a Forbidden (403) response.
What would I usually do ...
What I would normally do is get them to call the authentication method first and send them some kind of authentication token, which is valid for 30 minutes or so. Usually this token is passed through a cookie.
What is a clean solution?
Is it a pure REST solution to pass it as a variable in the query string? Are cookies the devil? Should I use a token as a segment of a URL (as opposed to a query string parameter)? Is there anything else that clearly answers this question?
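The ownership check the scenario describes, as an added example that is not part of the question or any answer: the token is carried in the `Authorization: Bearer` header rather than a cookie or query string, is validated server-side against an in-memory store with a 30-minute lifetime, and the owner of the target recipe is compared against the authenticated user. The store, `issue_token` and `handle_delete` are hypothetical names introduced for this illustration.

```python
import hmac

# Constructed sample data matching the scenario:
# user A owns recipes 1, 2, 3; user B owns recipes 4 and 5.
RECIPE_OWNER = {1: "A", 2: "A", 3: "A", 4: "B", 5: "B"}

# Hypothetical server-side token store: opaque token -> (user, expiry timestamp).
# Tokens are issued by a separate login step and expire after 30 minutes.
TOKEN_TTL = 30 * 60
TOKENS = {}

def issue_token(user, now, token):
    """Register an opaque token for `user` that expires TOKEN_TTL seconds after `now`."""
    TOKENS[token] = (user, now + TOKEN_TTL)

def authenticate(headers, now):
    """Resolve the bearer token in the Authorization header to a user, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, (user, expires) in TOKENS.items():
        # Constant-time comparison so the lookup does not leak timing information.
        if hmac.compare_digest(token, presented) and now < expires:
            return user
    return None

def handle_delete(path, headers, now):
    """DELETE /Recipes/<id>: 401 without a valid token, 404 if the recipe
    does not exist, 403 if the caller is not the owner, 204 on success."""
    user = authenticate(headers, now)
    if user is None:
        return 401
    prefix = "/Recipes/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return 404
    recipe_id = int(path[len(prefix):])
    owner = RECIPE_OWNER.get(recipe_id)
    if owner is None:
        return 404
    if owner != user:
        # The authorization check the question asks for: the identity comes
        # from the validated token, never from anything the client sent in the URL.
        return 403
    del RECIPE_OWNER[recipe_id]
    return 204
```

Some services return 404 instead of 403 here so that a caller cannot probe which identifiers exist; the example keeps the 403 the question specifies.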