When authenticating an API using JWTs that contain the user's ID, is it better to verify the token, extract the id and compare it to the route parameter, or use the id directly for creating a resource?

Example 1:
POST example.com/api/users/:userId/items
Comparing that the route param userId matches token.id before creating the resource

- OR -

Example 2:
POST example.com/api/items
Using token.id directly for identifying the owner and then creating the resource

I'm thinking option 1 is the way to go, but I wanted to know what others would do and why.

Sorry if this was poorly worded.

Thanks in advance!

Submitted December 22, 2019 at 09:17PM by dumbdevquestions
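
The two options from the question, as an added example that is not part of the original post: both handlers verify the JWT before trusting any claim, Example 1 additionally rejects a route userId that differs from token.id, and Example 2 takes the owner from token.id alone. The secret, ids and function names are constructed for illustration, and HS256 is done with Node's crypto module rather than a JWT library.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: shared HS256 key

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue a token whose payload carries the user's id, as in the post (token.id).
function signToken(payload) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`))}`;
}

// Check signature, algorithm and expiry; returns the payload or null.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    if (claims.exp !== undefined && Date.now() / 1000 >= claims.exp) return null;
    return claims;
  } catch { return null; }
}

// Example 1: POST /api/users/:userId/items -- route id must equal token.id.
function createItemForRouteUser(token, routeUserId, item) {
  const claims = verifyToken(token);
  if (!claims) return { status: 401 };
  if (String(claims.id) !== String(routeUserId)) return { status: 403 };
  return { status: 201, item: { ...item, ownerId: claims.id } };
}

// Example 2: POST /api/items -- owner comes from token.id only, never the body.
function createItemForTokenUser(token, item) {
  const claims = verifyToken(token);
  if (!claims) return { status: 401 };
  return { status: 201, item: { ...item, ownerId: claims.id } };
}
```

In both handlers the stored ownerId comes from the verified token; the route parameter in Example 1 is only compared against it and never used as the owner.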