
I am writing REST APIs in a MEAN application for user management. Although I normally follow best practices for REST APIs, I do have a security concern about exposing too much detail for the user accounts API in the URI.

I would prefer not to include the username or account ID as part of the URI when trying to access a specific user account resource:

/api/accounts/:id  or /api/accounts/:username

The one alternate approach I have come across is the use of "me" instead of the resource id:

/api/accounts/me

Most of the use cases I have seen only use GET, but I would like to use this for PUT/POST operations as well:

PUT /api/accounts/me/password
{"oldPassword":"xxx", "newPassword":"yyy"}

Do you think this is a good way? Any other ideas?

user3137124
Tricks like "/me" will work for the current user only. What if you need to view other users' data? – Sergio Tulentsev Oct 29 '16 at 16:11

On using something like `.../me` you might lose the ability to cache the response, i.e. if the cache is hosted on a proxy. This might violate REST principles. As you are trying to change passwords for a specific user, you probably want a secure connection anyway. Gladly https/ssl [encrypts the actual URI](http://stackoverflow.com/questions/499591/are-https-urls-encrypted) also, so the actual URI should only be visible in clear text to the client and server anyway. – Roman Vottner Oct 29 '16 at 16:40
