27

I've seen URIs that support magic ids for the authenticated user like below:

GET /user/me - list my profile
GET /user/me/photos - list my photos

where the ones below use the actual user id

GET /user/742924
GET /user/742924/photos

The problem I see is that the same resource id points to a different resource depending on the authenticated user.

Is this going against any REST principles?

Emanuel George Hategan
  • 1,123
  • 1
  • 13
  • 22

3 Answers3

31

Using /me to name a resource that corresponds to the authenticated user is perfectly fine from a REST perspective. According to Roy Thomas Fielding's dissertation, any information that can be named can be a resource:

5.2.1.1 Resources and Resource Identifiers

The key abstraction of information in REST is a resource. Any information that can be named can be a resource: a document or image, a temporal service (e.g. "today's weather in Los Angeles"), a collection of other resources, a non-virtual object (e.g. a person), and so on. In other words, any concept that might be the target of an author's hypertext reference must fit within the definition of a resource. A resource is a conceptual mapping to a set of entities, not the entity that corresponds to the mapping at any particular point in time. [...]

When using /me, you have a locator for the authenticated user and it will always identify the concept of an authenticated user, regardless of which user is authenticated.

cassiomolin
  • 124,154
  • 35
  • 280
  • 359
  • Just to be clear, are you suggesting `/me/photos`, or `/users/me/photos`? Asking because `/me` implies user anyway, so `users` in `users/me` might be excessive? Afaiu you suggest another resource for auth user. And OP didn't mention `/me` variation in the first place. – Traxo Apr 16 '18 at 19:40
  • 2
    @Traxo Sorry for the lack of clarification. I would use `/users/me/photos` :) – cassiomolin Apr 16 '18 at 20:00
  • I may just be splitting hairs here but the fact that `/users/me` is different for every user bothers me a bit. As stated in the pager: `a resource R is a temporally varying membership function MR(t)`. Shouldn't this imply that any other parameter other than time have no effect on the output? – Mariano LEANCE Jan 31 '22 at 02:54
12

While I agree with Cassio, I think he didn't select the best quote from the dissertation, since this is a part that's a lot more identifier specific:

The definition of resource in REST is based on a simple premise: identifiers should change as infrequently as possible. Because the Web uses embedded identifiers rather than link servers, authors need an identifier that closely matches the semantics they intend by a hypermedia reference, allowing the reference to remain static even though the result of accessing that reference may change over time. REST accomplishes this by defining a resource to be the semantics of what the author intends to identify, rather than the value corresponding to those semantics at the time the reference is created. It is then left to the author to ensure that the identifier chosen for a reference does indeed identify the intended semantics.

And if you connect the dots, a logged in user is the case in point - same reference to a different resulting content.

yuranos
  • 8,799
  • 9
  • 56
  • 65
1

That is perfectly fine.

Whether it is the same entity in the database is irrelevant, the more correct description would be that every concept needs to have a URI. The concept of "current user" is different from "user 742924", so it is ok.

It can be even worse than that, "current user", "last logged in user", "user with name starting with A", "oldest user", etc. All of those can be different resources, even though they may point to the same "user".

Robert Bräutigam
  • 7,514
  • 1
  • 20
  • 38