Is it possible to make the authorization header optional on an HTTP request?

So I am creating a forum website (like reddit). On a thread, I want to have two different ways of requesting the thread's comments from the backend.

  • One for if a user is not logged in.
  • One for if a user is logged in.

With the request for when a user is not logged in
I want to just return the comments with an:

  • upvoteCount value (for how many users upvoted the comment)
  • no userUpvoted value (or userUpvoted = null)

With the request for when a user is logged in
I want to return:

  • upvoteCount value
  • userUpvoted value (so the frontend can display if the user upvoted the comment)


The endpoint will be something like this:

GET /thread/{threadID}/comments?startIndex={start index}&count={number of comments to return}

For the user that is logged in, I will send the authorization token in the header.
For the user that is not logged in, I will not send the authorization token in the header.

Is it possible to make sending the authorization header optional to an HTTP request like this?
Or should I just make two separate endpoints?

Is it possible to make sending the authorization header optional to an HTTP request like this? Or should I just make two separate endpoints?

Yes, you can vary the representation (content) of a resource based on whether or not the authorization field is present in the request.

Is it a good idea? That's a harder question.

You already know how two separate resources works; there aren't going to be any significant surprises there.

We also have a standardized mechanism for indicating that multiple representations of a single resource are available.

But the Authorization field, specifically, is sort of a special case because of the role that field plays in access control; that has implications on how general purpose caches work, and therefore the Vary field that we use for indicating multiple representations has an exemption for the authorization field, etc.

If you submitted a single resource implementation like this for code review, I'd insist on a decision record as well, so that we have a permanent record of which trade offs we were considering (including, for instance, what's supposed to happen when Alice the Super Admin needs to verify the "anonymous" variation of the representation).
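The single-endpoint variant from the question, with the caching concern raised in the answer made concrete, as an added Python example (it is not code from either poster; the comment data, the token table, the `Bearer` scheme and the `get_comments` function are constructed assumptions). Two points matter for a reviewer: a malformed or invalid token is rejected with 401 rather than silently downgraded to the anonymous view, and the two representations carry different cache directives, because a shared cache that stored the per-user variant, or served the anonymous variant to a request carrying Authorization, would leak or misreport `userUpvoted`.

```python
import hmac
from typing import Optional

# Constructed sample data: two comments on one thread and the users who upvoted each.
COMMENTS = [
    {"id": 1, "body": "first comment", "upvoters": {"alice", "bob"}},
    {"id": 2, "body": "second comment", "upvoters": {"bob"}},
]

# Constructed token table. A real service would validate a session id or a signed
# token here; the point of the example is the request handling around it.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(headers: dict) -> Optional[str]:
    """Return the user id for a valid bearer token, or None when no Authorization
    header is present. A header that is present but unusable raises, so a bad
    credential is never quietly treated as an anonymous request."""
    auth = headers.get("Authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise PermissionError("malformed Authorization header")
    for known_token, user in TOKENS.items():
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if hmac.compare_digest(known_token, token):
            return user
    raise PermissionError("invalid token")


def get_comments(headers: dict, start_index: int = 0, count: int = 20):
    """Handle GET /thread/{threadID}/comments?startIndex=..&count=..
    Returns (status, response_headers, body)."""
    try:
        user = authenticate(headers)
    except PermissionError:
        return (
            401,
            {"Cache-Control": "no-store", "WWW-Authenticate": 'Bearer realm="forum"'},
            {"error": "invalid credentials"},
        )

    page = COMMENTS[start_index:start_index + count]
    body = []
    for comment in page:
        item = {
            "id": comment["id"],
            "body": comment["body"],
            "upvoteCount": len(comment["upvoters"]),
            # Anonymous callers get null; logged-in callers get their own flag.
            "userUpvoted": (user in comment["upvoters"]) if user else None,
        }
        body.append(item)

    if user is None:
        # Public variant may be shared, but Vary: Authorization tells caches not
        # to hand this anonymous body to a request that carries a credential.
        response_headers = {"Cache-Control": "public, max-age=60", "Vary": "Authorization"}
    else:
        # Per-user variant: never stored by shared caches, and not reused at all.
        response_headers = {"Cache-Control": "private, no-store", "Vary": "Authorization"}
    return 200, response_headers, body


if __name__ == "__main__":
    print(get_comments({}))
    print(get_comments({"Authorization": "Bearer tok-alice"}))
    print(get_comments({"Authorization": "Bearer not-a-real-token"}))
```

Whether the anonymous variant should be cacheable at all, and what an administrator does to see it while logged in (the answer's "Alice the Super Admin" case), are exactly the trade-offs the answer suggests writing down in a decision record; the code above only makes the default choices explicit.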
