I'm building an API, that will be used by different logged-in (and not logged-in) users of different roles/types (e.g. reader
, editor
, admin
etc.).
Is something like /users/{user_id}/path/to/data
a correct RESTful way to define the are the user has access to? Or maybe just /{user_id}/path/to/data
? Or should it be a body/query param like /path/to/data?user_id={user_id}
or /path/to/data?user_token={user_token}
? Or is the header the correct place for that information?
How should the user be provided to the API server REST-conform way?
Note: It's not about subresources of the user
resource, e.g. addresses
(if we define this as a subresource of user
). Since this case is clear /users/{user_id}/addresses/{address_id}
. The question is in general about the whole data the user may access.
I would argue that the user ID has no place in the URL for non-user related things - what you describe would best be represented as simply /path/to/data/ - and the user_token or similar should be carried in a header (e.g. a JSON Web Token in the auth header), not in the URL and not in the query parameters.
The system should then respond with an authorization error HTTP response if the user does not have access to the specified resource.
The structure you describe would only be appropriate when the resources are subresources of the user and, as you have noted, this is not the case for the resources you are asking about.