Best practice for structuring a REST API to enable caching of public content but not private content


Glen Tregoning

Oct 30, 2015, 5:13:17 PM10/30/15
to API Craft
Hi all,

I'm currently considering options to cache an API which serves different content via the same endpoint depending on whether the user is an admin or not. 

Details of the current (uncached) endpoint are:
Endpoint: '/comments'
Content served:
 - for authenticated 'admin' -> returns approved, unapproved, and spam comments
 - for 'unauthenticated' users -> returns approved comments only

Although my cache supports cache key customization, I'm thinking the better option might be to modify my API to serve the admin authentication level via another URL, which always returns a 'Cache-Control: private' header.
i.e.

Endpoint: '/comments/admin'
Content served:
 - for authenticated 'admin' -> returns approved, unapproved, and spam comments with 'Cache-Control: private' header
 - for 'unauthenticated' users -> returns 401

Endpoint: '/comments'
Content served:
 - for 'unauthenticated' users -> returns approved comments only with 'Cache-Control: max-age: 1234' header

I'm curious if this is the best approach / if there is another approach which would be considered better practice here?

Thanks,
Glen 

mca

Oct 31, 2015, 3:28:15 AM10/31/15
to api-...@googlegroups.com
Glen:

check out the Vary Header[1]

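The Vary-header approach mca points to, applied to Glen's single '/comments' endpoint, as an added Go example that is not part of the thread: the bearer-token check and the sample comments are constructed placeholders standing in for a real session store.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// Constructed sample data standing in for the comment store.
type Comment struct {
	Body   string `json:"body"`
	Status string `json:"status"` // "approved", "unapproved" or "spam"
}

var comments = []Comment{
	{"Looks good", "approved"},
	{"Awaiting moderation", "unapproved"},
	{"Buy now!!!", "spam"},
}

// isAdmin is a hypothetical stand-in for real token validation.
func isAdmin(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer admin-token-placeholder"
}

// visibleTo returns the representation each caller class may see.
func visibleTo(admin bool) []Comment {
	out := []Comment{}
	for _, c := range comments {
		if admin || c.Status == "approved" {
			out = append(out, c)
		}
	}
	return out
}
// CommentsHandler serves '/comments' for both caller classes.
func CommentsHandler(w http.ResponseWriter, r *http.Request) {
	admin := isAdmin(r)
	// Vary: caches key the entry on Authorization, so an anonymous body is
	// never reused for an authenticated request (or vice versa).
	w.Header().Set("Vary", "Authorization")
	if admin {
		// private: only the caller's own (non-shared) cache may store it.
		w.Header().Set("Cache-Control", "private, max-age=0")
	} else {
		// public: shared caches may store it (note max-age=N, not max-age: N).
		w.Header().Set("Cache-Control", "public, max-age=1234")
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(visibleTo(admin))
}
```

The admin representation is marked private so a shared cache never stores it, while the anonymous one stays shareable; the cost of Vary: Authorization is one cache entry per distinct token value rather than one per URL.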
