REST URIs and caching for GET requests when the list to be returned depends on the rights of the user


Question

  1. This is a multi-tenant serverless system.
  2. The system has groups that carry permissions.
  3. Users get permissions based on the groups they are in.
  4. If it makes a difference, we are using Cognito for authentication, and it is a stateless application.

For example:

  1. A GET endpoint for sites (i.e. the sites the logged-in user can access based on the groups they are in)
  2. A GET endpoint for devices (i.e. the sites the logged-in user can access based on the groups they are in)

In REST APIs, "The idea is that the data returned by an endpoint should depend solely on the parameters passed, meaning two different users should receive the same result for the identical request."

What should the REST URI look like to ensure the above-stated idea? Since the deciding factor for the list here is "groups" and thus effective permissions, I was thinking we could pass the groups a user is in, in the URI in sorted order, to leverage caching on GET endpoints as well. Is there a better way to do it?

Answer

"The idea is that the data returned by an endpoint should depend solely on the parameters passed"

This is called the statelessness constraint, but if you check, the parameters always include auth parameters because of this. The idea is keeping the session data on the client side, because managing sessions becomes a problem when you have several million users and multiple servers all around the world. Since the parameters include auth data, the response can depend on this data, so you can use the exact same endpoints here for users with different permissions.

As for the responses, you might want to send back hyperlinks which represent the available operations. The concept is the same here: if the user does not have permission for the actual operation, then they won't get a hyperlink for that operation, and in theory they should never get a 403 status either, because you must follow the hyperlinks you got from the service instead of hardcoding URI templates into your client. So you have to handle fewer errors and junk requests, and another reason here is that you can change your URI templates without breaking the clients. This is called hypermedia as the engine of application state; it is part of the uniform interface constraint.
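A sketch of the answer's point in code, added here as an illustration and not part of the original question or answer: a GET /sites handler whose result depends on the caller's verified group claims, whose hypermedia links list only the operations the caller may perform, and a cache key derived from the sorted group set (the questioner's idea) so that users in identical groups share a cache entry without the group list appearing in the URI. Group names, permissions and site data are constructed for the example; the Vary: Authorization header is an added detail that tells HTTP caches the body depends on the credential.

```python
import hashlib
import json

# Constructed sample data for the example (not taken from the original post):
# which sites each group may see and which operations each group may perform.
GROUP_SITES = {
    "site-admins": {"site-1", "site-2", "site-3"},
    "operators": {"site-1", "site-2"},
    "viewers": {"site-1"},
}
GROUP_PERMISSIONS = {
    "site-admins": {"site:read", "site:write", "site:delete"},
    "operators": {"site:read", "site:write"},
    "viewers": {"site:read"},
}
SITES = {
    "site-1": {"name": "Plant A"},
    "site-2": {"name": "Plant B"},
    "site-3": {"name": "Warehouse"},
}


def effective_permissions(groups):
    """Union of the permissions granted by every group the caller belongs to."""
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def visible_sites(groups):
    """Site ids reachable through at least one of the caller's groups, in stable order."""
    ids = set()
    for group in groups:
        ids |= GROUP_SITES.get(group, set())
    return sorted(ids)


def links_for(site_id, perms):
    """Hypermedia links for one site: only operations the caller may perform appear,
    so a client that follows links never has to discover a 403 by trying."""
    links = {"self": {"href": f"/sites/{site_id}", "method": "GET"}}
    if "site:write" in perms:
        links["update"] = {"href": f"/sites/{site_id}", "method": "PUT"}
    if "site:delete" in perms:
        links["delete"] = {"href": f"/sites/{site_id}", "method": "DELETE"}
    return links


def cache_key(path, groups):
    """Cache key from the caller's effective group set rather than their identity.
    Sorting and de-duplicating makes the key order-independent, so every user in
    the same groups shares one entry while the URI stays free of group lists."""
    digest = hashlib.sha256(",".join(sorted(set(groups))).encode()).hexdigest()[:16]
    return f"{path}|{digest}"


def get_sites(auth):
    """Handle GET /sites. `auth` stands for the verified identity attached to the
    request (e.g. token claims); the response may depend on it under the
    statelessness constraint. Returns (status, headers, body)."""
    groups = auth.get("groups", [])
    perms = effective_permissions(groups)
    items = [
        {"id": site_id, "name": SITES[site_id]["name"], "_links": links_for(site_id, perms)}
        for site_id in visible_sites(groups)
    ]
    collection_links = {"self": {"href": "/sites", "method": "GET"}}
    if "site:write" in perms:
        collection_links["create"] = {"href": "/sites", "method": "POST"}
    headers = {
        "Content-Type": "application/json",
        # The body depends on the credential, so HTTP caches must not share it blindly.
        "Vary": "Authorization",
        "Cache-Control": "private, max-age=60",
    }
    return 200, headers, {"items": items, "_links": collection_links}


if __name__ == "__main__":
    for user in ({"sub": "alice", "groups": ["viewers"]},
                 {"sub": "bob", "groups": ["operators", "viewers"]},
                 {"sub": "carol", "groups": ["site-admins"]}):
        status, headers, body = get_sites(user)
        print(user["sub"], status, cache_key("/sites", user["groups"]))
        print(json.dumps(body, indent=2))
```

An HTTP cache in front of the service only sees the Authorization header, which differs per user, so Vary: Authorization on its own yields one entry per user; the group-set key is for a cache the service itself controls (an in-process or gateway-side store), where two users with the same effective groups can share the same entry. A caller with no groups simply gets an empty list and no operation links, which is the behaviour the answer describes instead of a 403.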
