API design validation


Prasad Katti
Jul 21, 2016, 10:51:34 AM
to api-...@googlegroups.com
Hi All,

I want to develop a RESTful API related to user authentication. Please suggest whether my URL designs look OK.

1. user registration

POST /auth/register

payload : {username: "", password: ""}

2. user login

POST /auth/login

payload : {username: "", password: ""}

3. password change

PUT /auth/password_reset

payload : {username: "", old_password: "", new_password: ""}

4. deactivate user

DELETE /auth/de_activate/{user_name}

5. activate a user

PUT /auth/de_activate/{user_name}

Regards
Prasad

Eric Stein
Jul 21, 2016, 11:16:36 AM
to API Craft
How are you handling auth? Given just these five actions that you need to perform, I would expect you could get away with using Basic Auth and HTTPS. I'd expect an endpoint for /users and /users/{id}. Creating a user would happen by POSTing to /users. Updating the password and active status would be handled with PUTs, PATCHes, or micro-PUTs (e.g. /users/{id}/password).

Of course, if this is part of a more complex application, using Basic Auth might not be viable. In that case, I'd strongly suggest using an existing library to handle auth rather than rolling your own. Security is hard enough for the people who do it every day. The rest of us have no real chance.

Eric
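The resource-oriented layout Eric describes (POST /users, a micro-PUT on /users/{id}/password, PATCH /users/{id} for the active flag, all behind Basic Auth over HTTPS), as an added illustration that is not code from the thread. The `handle` dispatcher, the `basic_header` helper and the in-memory `USERS` store are hypothetical names; the TLS layer and the enterprise LDAP lookup discussed later are assumed to sit outside this snippet.

```python
import base64, hashlib, hmac, os, re

USERS = {}   # constructed in-memory store: id -> record (no real users)

def _hash(password, salt):   # salted PBKDF2 digest; the password itself is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def basic_header(username, password):
    # Hypothetical client-side helper: builds the Basic Auth header for a request.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def _authenticate(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        username, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:                      # malformed base64 or UTF-8
        return None
    for user in USERS.values():
        if user["username"] == username and user["active"]:
            # compare_digest keeps the hash comparison constant-time.
            if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
                return user
    return None                             # unknown user, bad password or inactive account

def handle(method, path, headers, data):
    """Dispatch one request (data = parsed JSON body); returns (status, body)."""
    if method == "POST" and path == "/users":          # registration
        uid, salt = len(USERS) + 1, os.urandom(16)
        USERS[uid] = {"id": uid, "username": data["username"], "salt": salt,
                      "hash": _hash(data["password"], salt), "active": True}
        return 201, {"id": uid}
    m = re.fullmatch(r"/users/(\d+)(/password)?", path)
    if not m:
        return 404, {"error": "not found"}
    caller = _authenticate(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller["id"] != int(m.group(1)):                # only the account owner may act
        return 403, {"error": "forbidden"}
    if method == "PUT" and m.group(2):                 # micro-PUT: /users/{id}/password
        caller["salt"] = os.urandom(16)
        caller["hash"] = _hash(data["new_password"], caller["salt"])
        return 204, {}
    if method == "PATCH" and not m.group(2):           # PATCH /users/{id} {"active": false}
        caller["active"] = bool(data["active"])        # inactive users cannot authenticate,
        return 204, {}                                 # so reactivation needs an admin caller
    return 405, {"error": "method not allowed"}
```

Because the current password arrives in the Basic Auth header, the password change needs no separate old_password field, and a deactivated account is locked out of every authenticated route until someone with a higher privilege than the owner reactivates it.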

Prasad Katti
Jul 22, 2016, 2:15:20 AM
to API Craft
Eric,

Thanks for your response. I am building APIs that will enable users to register themselves. The users in our case get created in an enterprise LDAP such as Microsoft Active Directory, so the /auth/login API would be validating the user ID and password against the LDAP server. So yes, we will not be using Basic Auth. Authentication is done against LDAP, while permission/role-based access is done through data maintained in an internal database.

Also, what is your suggestion for user activation? I know it is some form of PUT.

regards
Prasad

Srinivas Ivaturi
Jul 22, 2016, 4:40:52 PM
to api-...@googlegroups.com
Underscores in the URIs break the flow of APIs. Instead of that:

3. password change

PUT /auth/resetPassword

payload : {username: "", old_password: "", new_password: ""}

4. deactivate user
DELETE /auth/deactivate/{user_name}

5. activate a user

PUT /auth/activate/{user_name}

--
Thanks
Srinivas Ivaturi.
~ A Directionless Driven Life!

Simon Renoult
Jul 25, 2016, 4:02:19 AM
to API Craft
> Underscores in the URIs break the flow of APIs. Instead of that:

Would you mind explaining?

sune jakobsson
Jul 25, 2016, 7:31:28 AM
to api-...@googlegroups.com
As pointed out, you should really, seriously look into already established authentication methods such as OAuth and Basic Authentication with HTTPS.
There are way too many pitfalls that you might fall into.

BR Sune

Srinivas Ivaturi
Jul 25, 2016, 8:51:20 AM
to api-...@googlegroups.com
What I mean by that is, using camelCase helps improve the readability of the URIs. It is a suggestion.