0

I have a REST API, and I want to create a method that accepts a username and password, makes sure they're valid, and returns a user resource.

This is NOT to validate users of the REST APIs. The users are part of a separate system, and the API manages them.

What method and URL are appropriate for this?

GET doesn't seem like a good idea, since it would put the password in the query string. Plus this method might update the last-login-date on the user, so it's not idempotent.

I could use PUT, but I use that to update the user. So I could PUT to a different URL, but what would be an appropriate URL for this? Something like /user/credentials might imply that you're updating the credentials, not validating them.

JW.
  • 47,690
  • 30
  • 108
  • 133

2 Answers2

2

The way I usually handle this is by performing a POST request to e.g. /user/login or simply /login.

You are basically creating a login attempt, therefore POST sounds reasonable, the same way as you can POST a search request.

By doing this you allow yourself to put the login credentials in the POST body, so they're not exposed in the url. And you are not updating the user resource, so you don't have to use PUT.

Example

POST http://example.com/login HTTP/1.1
{
  "username": "Jon Skeet",
  "password": "SOiscool"
}
Community
  • 1
  • 1
Tim
  • 38,263
  • 17
  • 115
  • 131
1

You are POSTing the fact that the user needs a "user resource" to use "the separate system". POST is the only verb that is appropriate when a method isn't idempotent.

If "the separate system" is the only imaginable system the user will ever log on to, I'd choose a simple url like /user/login. Otherwise I'd add a path segment for "the user's relation to 'the seperate system'" like /user/theSeperateSystem/login.

Cirdec
  • 23,492
  • 2
  • 45
  • 94