Allow only GET in REST API

I am developing a REST API. I need a way to get all countries so that the user can select multiple of them and save the app config.

I am thinking of a resource that supports only GET, since INSERT / UPDATE / DELETE are not allowed on it. Does that make sense?

In general, what is the best way to provide read-only data access? E.g. a selection list of countries or cities, or any other required data.

Edited:

It is not tied to any particular structure. The API does allow CRUD operations, but in some situations I need to provide read-only access, for example in a form that lets the user select a country. This form is part of a CRUD operation, but I need the countries to bind to the select input so that the user can pick them, so I need a way to fetch all countries, i.e. a URL (resource) to get them.

If that helps: in addition to the API, I am designing the application UI that will use it. Hence, I need a way to fetch all countries so that the user can select them and save the form. Saving the form is a POST to a resource that has a country field (attribute).

+3


4 answers


inf3rno's comment, short as it is, is the correct answer:
You don't need to allow every HTTP method (aka verb; see the list of standard methods or a longer list here) on entities. I'd go even further: I think I've never seen a real-life API with all HTTP methods allowed on every object, so it's not a problem to exclude them.

There is even an HTTP method called OPTIONS (see the HTTP method overview or a more detailed explanation) so clients can check which methods are allowed / possible on an object. Side note: your framework will likely build this method for you on its own.

Thus, only permitting GET for the object is fully consistent with standard practice. "Notable" examples are, for example, PayPal Refunds or Facebook friendlists, and there are many more out there if you just look at random REST APIs.

There is only one part of your question that worries me:

I am developing a REST API. I need a way to get all countries to allow the user to select multiple and save the app config.

I hope this is just additional information and not related to the planned GET requests, because GET should never "do any action" (e.g. "save", "select"), as the HTTP specification says:

[...] the GET and HEAD methods MUST NOT have the significance of taking an action other than retrieval.

+1


If you are using JAX-RS (RESTEasy, Jersey, ...) you need to use this annotation: @GET

If you are using Spring MVC you need to use this annotation: method = RequestMethod.GET

Example:

@RequestMapping(value = "/xxxxx/yyyyy/{zzzzz}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)

If you need UPDATE / DELETE / POST to be usable only by an admin, you can use Spring Security.

Example:

@RolesAllowed({AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER})

0


REST doesn't say that you need to define all CRUD operations. If you want to provide read-only access to a specific resource, this in no way violates REST principles. The important thing is that your GET must be idempotent; if it is not, and the GET request somehow changes the state of the resource, you are definitely ignoring REST. In that case, you need to use a POST request.

One more thing: you need to ensure that other requests (POST, PUT, DELETE, etc.) to this resource return a 405 status code (Method Not Allowed).

Also, there is a reasonable chance that you want to use caching for requests for country information (both HTTP and internal caching), so your design is sound in my opinion.

0


From my understanding, what you want to do is something like this:

Request:

GET api.domain.com/countries

Response:

{
  "US": {
    "url": "api.domain.com/countries/us",
    "name": "US",
    "continent": "America",
    "others": "..."
  },
  "UK": {
    "url": "api.domain.com/countries/uk",
    "...."
  }
  ...
}

Keeping it as simple as possible is okay (with the name / id only). You get the entire list through a JavaScript app and let the user select specific countries.

Then you can send a POST to another resource like:

POST api.domain.com/user/1/countries
{
  "user": "api.domain.com/user/1",
  "countries": [
    "api.domain.com/countries/us",
    "api.domain.com/countries/it"
  ]
}

And with this action you save your resource. This sounds completely normal to me. Please do not use GET to save resources, edit data, or anything similar.

0
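
The answers above converge on one shape: a GET-only reference resource that answers 405 with an Allow header to every other method, advertises its methods via OPTIONS, is cacheable, and a separate POST-only resource where the actual save happens. The following is an added example using Go's standard net/http, not code from the question, the answers, or any framework they mention; the country data, the paths (/countries and /user/{id}/countries) and the in-memory store are constructed for this example.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Country is the read-only representation served under /countries.
type Country struct {
	URL       string `json:"url"`
	Name      string `json:"name"`
	Continent string `json:"continent"`
}

// Constructed sample data and an in-memory store for the example (assumptions, not from the page).
var countries = map[string]Country{
	"us": {URL: "/countries/us", Name: "US", Continent: "America"},
	"uk": {URL: "/countries/uk", Name: "UK", Continent: "Europe"},
	"it": {URL: "/countries/it", Name: "IT", Continent: "Europe"},
}
var selections = map[string][]string{} // user id -> selected country URLs

const readOnlyAllow = "GET, HEAD, OPTIONS"

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

// countriesHandler serves reference data: readable and cacheable, never modified over HTTP.
func countriesHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodGet, http.MethodHead: // safe methods, handled below
	case http.MethodOptions: // lets clients discover the supported methods
		w.Header().Set("Allow", readOnlyAllow)
		w.WriteHeader(http.StatusNoContent)
		return
	default: // RFC 7231 s6.5.5: a 405 response must carry an Allow header
		w.Header().Set("Allow", readOnlyAllow)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.Header().Set("Cache-Control", "public, max-age=86400") // countries change rarely
	code := strings.Trim(strings.TrimPrefix(r.URL.Path, "/countries"), "/")
	if code == "" {
		writeJSON(w, http.StatusOK, countries) // whole collection, keyed by code
		return
	}
	if c, ok := countries[strings.ToLower(code)]; ok {
		writeJSON(w, http.StatusOK, c)
		return
	}
	http.Error(w, "unknown country", http.StatusNotFound)
}

// knownCountry reports whether u is a URL the /countries resource actually serves.
func knownCountry(u string) bool {
	if !strings.HasPrefix(u, "/countries/") {
		return false
	}
	_, exists := countries[strings.TrimPrefix(u, "/countries/")]
	return exists
}

// userCountriesHandler is where state changes, and only via POST.
func userCountriesHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", "POST")
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var body struct {
		Countries []string `json:"countries"`
	}
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&body); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	for _, u := range body.Countries {
		if !knownCountry(u) { // clients pick from the catalogue, they cannot extend it
			http.Error(w, "unknown country "+u, http.StatusUnprocessableEntity)
			return
		}
	}
	id := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/user/"), "/", 2)[0]
	selections[id] = body.Countries
	w.WriteHeader(http.StatusNoContent)
}

// newMux wires both resources; tests drive it in-process, main serves it on :8080.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/countries", countriesHandler)
	mux.HandleFunc("/countries/", countriesHandler)
	mux.HandleFunc("/user/", userCountriesHandler)
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", newMux()))
}
```

Two design points worth noting. The 405 branch always sets Allow, so a client that probes with OPTIONS or trips over a wrong method learns the real method set instead of guessing; and the writable resource only accepts country URLs that the read-only resource actually serves, so the reference data stays authoritative on the server and a client cannot smuggle arbitrary values into the saved selection.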

