I'm working on an Express API which serves users with various different roles. I'm now faced with a pretty fundamental API design decision that I'd like to get some ideas on. I'm making an event organizer app with at least the following roles for different types of users:

- User: can sign up to events
- Organiser: can create and manage events
- Super admin: can do everything

I'll just list a few questions I've been thinking about:

1) Should I have the same endpoint do different things depending on user role?

So for example, I have an endpoint for getting the details of a single event, GET /api/events/:id. Is it bad practice to have it behave differently for different users? E.g. if a user with role Organiser calls this endpoint, it would include some extra fields that it won't show to a regular User.

If this is the right way to design my API, any tips on making my code as simple and clean as possible? I wouldn't really want to have to write all of my routes like:

```javascript
app.get('/api/events/:id', function(req, res) {
  if (req.user.role === 'SuperAdmin') {
    // do something
  } else if (req.user.role === 'Organiser') {
    // do another thing
  }
});
```

2) If not, should I have different endpoints for different user roles?

The other option I've been considering would be to have separate endpoints for the various user roles, so for example:

- /api/organiser/events/:id for Organisers
- /api/events/:id for regular Users
- /api/admin/events/:id for Admins

This sort of goes against REST design principles, but would seem intuitive to me at the same time. I could easily access-control say everything under /api/admin with a single middleware so that all routes under that path require the Admin role. With the other version of my API design I imagine it would be much harder to stay in control of managing permissions and secret data would inevitably leak to users without the right to see it.

Then again this would essentially require me to write the same logic for getting an event by id three times (or more, if the amount of roles increases). That doesn't sound ideal either.

Any general guidance or good articles related to API design when dealing with user roles is very much appreciated! :)
Submitted May 14, 2019 at 09:05PM by sourtargets
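The following is an added example (not code from the original post) showing one way to keep a single `GET /api/events/:id` endpoint while avoiding both the per-route `if/else` chain and the "secret data leaks" concern from the post: a reusable `requireRole` middleware gates the route, and a per-role allow-list projects the event record onto the fields that role may see, so any field not explicitly listed is hidden by default. It also goes slightly beyond the post by downgrading an Organiser to the User view for events they do not own. The role names, field names, sample event, `ownerId` ownership check and the tiny `fakeRes` stand-in for Express's `res` are all assumptions made so the block runs without the `express` package.

```javascript
// Added example, not from the original post. Role names, field names, the
// sample event record and the ownership rule are constructed for illustration.

// Role hierarchy: a higher rank satisfies any lower minimum.
const ROLE_RANK = { User: 1, Organiser: 2, SuperAdmin: 3 };

// One allow-list of serializable fields per role. A column that is not listed
// here is never sent, so new sensitive fields are hidden until someone opts in.
const EVENT_FIELDS = {
  User: ['id', 'title', 'startsAt', 'venue'],
  Organiser: ['id', 'title', 'startsAt', 'venue', 'attendeeCount', 'attendeeEmails'],
  SuperAdmin: ['id', 'title', 'startsAt', 'venue', 'attendeeCount',
               'attendeeEmails', 'revenue', 'ownerId'],
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Express-compatible middleware factory. Denies with 403 when there is no
// authenticated user, the role is unknown, or it ranks below minRole.
function requireRole(minRole) {
  return function (req, res, next) {
    const role = req.user && req.user.role;
    if (!role || !hasOwn(ROLE_RANK, role) || ROLE_RANK[role] < ROLE_RANK[minRole]) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Project an event onto the fields the role may see; unknown roles get the
// least-privileged view.
function presentEvent(event, role) {
  const fields = hasOwn(EVENT_FIELDS, role) ? EVENT_FIELDS[role] : EVENT_FIELDS.User;
  const out = {};
  for (const f of fields) {
    if (hasOwn(event, f)) out[f] = event[f];
  }
  return out;
}

// Handler for GET /api/events/:id. An Organiser only gets the Organiser view
// of events they own (assumed ownerId field); otherwise they are a plain User.
function getEventHandler(store) {
  return function (req, res) {
    const event = store.get(req.params.id);
    if (!event) {
      res.status(404).json({ error: 'not found' });
      return;
    }
    let role = req.user.role;
    if (role === 'Organiser' && event.ownerId !== req.user.id) role = 'User';
    res.status(200).json(presentEvent(event, role));
  };
}

// Minimal stand-in for Express's res so the example runs offline.
function fakeRes() {
  return {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Constructed sample data.
const SAMPLE_EVENT = {
  id: '42', title: 'Demo Meetup', startsAt: '2019-06-01T18:00:00Z', venue: 'Hall A',
  ownerId: 'org-1', attendeeCount: 2,
  attendeeEmails: ['a@example.com', 'b@example.com'], revenue: 120,
};
const STORE = new Map([[SAMPLE_EVENT.id, SAMPLE_EVENT]]);

// Run the middleware chain for one request and return what the client would see.
function simulate(role, userId, id) {
  const req = { params: { id }, user: role ? { id: userId, role } : undefined };
  const res = fakeRes();
  requireRole('User')(req, res, () => getEventHandler(STORE)(req, res));
  return { status: res.statusCode, body: res.body };
}

// Stand-alone demo: each role sees a different projection of the same event.
for (const [role, id] of [['User', 'u-1'], ['Organiser', 'org-1'],
                          ['Organiser', 'org-2'], ['SuperAdmin', 'admin'], [undefined, undefined]]) {
  console.log(role || 'anonymous', JSON.stringify(simulate(role, id, '42')));
}
```

In a real Express app the same pieces wire up as `app.get('/api/events/:id', requireRole('User'), getEventHandler(store))`, and a stricter route such as an admin listing would just use `requireRole('SuperAdmin')`. The important property is that the field allow-list, not the route handler, decides what each role sees, so adding a role or a sensitive column means editing one table rather than every handler.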