2

I read the following posts; however, I still haven't found a conclusive answer to my question.

When do you use POST and when do you use GET?

How should I choose between GET and POST methods in HTML forms?

So why should we use POST instead of GET for posting data? [duplicate]

I want to make a HTTP request to my server to retrieve some data based on an array of ids that I will pass to the server. Since each id will have a length of 23 characters, sending 100 of these ids as query parameters of a GET request will exceed the character length limit of some browsers. Since a standard GET request is not feasible due to URL limits, I have been considering my other options.

Option 1: Use request body of HTTP GET request (not advisable according to following SO thread)

HTTP GET with request body

Option 2: Use body of HTTP POST request to send the array of Ids. This is the method that Dropbox appear to have used for their public-facing API.

I know that POST requests should be reserved for requests that are not idempotent and in my case, I should be using a GET request because the query is idempotent. I also know that REST is purely a guideline and since this API will only be consumed by me, I can do whatever I like; however, I thought I'd get a second opinion on the matter before I commit to any decision.

So, what should I do in my situation? Are there better alternatives that I have yet to discover and is there anything I should consider if I do use a POST request?

ptk
  • 6,835
  • 14
  • 45
  • 91
  • 2
    You can refer this link https://stackoverflow.com/questions/30341420/rest-post-vs-get-if-payload-is-huge – A. Todkar Aug 28 '18 at 06:37

1 Answers1

1

So, what should I do in my situation?

First step is to review the HTTP Method Registry, which is defined within RFC 7231

Additional methods, outside the scope of this specification, have been standardized for use in HTTP. All such methods ought to be registered within the "Hypertext Transfer Protocol (HTTP) Method Registry" maintained by IANA

The registry is currently here: https://www.iana.org/assignments/http-methods/http-methods.xhtml

So you can review methods that have already been standardized, to see if any of them have matching semantics.

In your case, you are trying to communicate a query with a message-body. As a rule, queries are not merely idempotent but also safe.

A quick skim of the registry might lead you to consider SEARCH

SEARCH is a safe method; it does not have any significance other than executing a query and returning a query result

That looks like a good option, until you read through the specification carefully, and notice the constraints relating the message body. In short, WebDAV probably isn't what you want.

But maybe something else is a fit.

A second option is to consider your search idiom to be a protocol. You POST (or PUT, or PATCH) the ids to the server to create a resource, and then GET a representation of that resource when you want the results.

By itself, that's not quite the single call and response that you want. What it does do is set you up to be thinking about how to be returning a representation of query result resource. In particular, you can use Content-Location to communicate to intermediaries that the response body is in fact the representation of a resource.

I know that POST requests should be reserved for requests that are not idempotent

That's not quite right. When making requests that align with the semantics of another method, we prefer using that other method so that intermediate components can take advantage of the semantics: an idempotent request can be tried, a safe request can be pre-fetched, and so on. Because POST doesn't offer those guarantees, clients cannot take advantage of them even if they happen to apply.

Depending on how you need to manage the origin servers URI namespace, you could use PUT -- conceptually, the query and the results are dual to one another, so can be thought of as two different representations of the same thing. You might manage this with media types - one for the request, a different one for the response.

That gets you back idempotent, but it doesn't get you safe.

I suspect safe requests with payloads are always going to be a problem; the Vary header in HTTP doesn't have an affordance to allow the server to announce that the returned representation depends on the request body (in part because GET isn't supposed to have a request body), so it's going to be difficult for an intermediate component to understand the caching implications of the request body.

I did come across another alternative method from another SO thread, which was to tunnel a GET request using POST/PUT method by adding the X-HTTP-Method-Override request header. Do you think its a legitimate solution to my question?

No, I don't think it solves your problem at all. X-HTTP-Method-Override (and its variant spellings) are for method tunneling, not method-override-the-specification-ing. X-HTTP-Method-Override: GET tells the server that the payload has no defined semantics, which puts you back into the same boat as just using a GET request.

Community
  • 1
  • 1
VoiceOfUnreason
  • 52,766
  • 5
  • 49
  • 91
  • It's answers like these that help everyone on the SO community learn so much so thank you. I did come across another alternative method from another SO thread, which was to tunnel a GET request using POST/PUT method by adding the X-HTTP-Method-Override request header. Do you think its a legitimate solution to my question? On the surface it seems a little hack-ey but I don't really know enough to judge so keen to get your thoughts. – ptk Aug 29 '18 at 09:25