Should I allow user-provided values to be passed through a query string?

Question

I'm adding a search endpoint to a RESTful API. After reading this SO answer, I'd like the endpoint to be designed like:

GET /users?firstName=Otis&hobby=golf,rugby,hunting

That seems like a good idea so far. But the values that I'll be using to perform the search will be provided by the user via a standard HTML input field. I'll guard against malicious injections on the server-side, so that's not my concern. I'm more concerned about the user providing a value that causes the URL to exceed the max URL length of ~2000 characters.

I can do some max-length validation and add some user prompts, etc, but I'm wondering if there's a more standard way to handle this case.

I thought about providing the values in the request body using POST /users, but that endpoint is reserved for new user creation, so that's out.

Any thoughts? Thanks.

Answer 1

I see these possible solutions:

1. not actually a solution. Go with the query parameter and accept the length constraints

2. go with the POST solution that shouldn't be designed as you mention. As you point out, if you POST a user to .../users you will create a new user entity. But this is not what you want to do. You want to submit a search ticket to the server that will return a list of results matching your criteria. I'll design something as such

   POST .../search/users passing in the body a representation of your search item

3. distribute the query both server side and client side. Say you have complex criteria to match. Set up a taxonomy of them so that the most strict ones are handled server side. Thus, the server is able to return a manageable list of items you can subsequently filter on the client side. In this approach you can save space in the query string by sending to the server only a subset of the criteria you want to meet in your search.