REST Service - URI formation for unique check
I've got a signup HTML form with a username field that I want to check against registered usernames to ensure uniqueness. I considered making a GET request to api/users/:username, if it returns 200 consider taken, if 404 consider available.
Is this overkill for what I'm trying to do since I would be returning the actual user at every request (which happens when the input field changes)? If so what alternatives would you guys suggest.
Make a HEAD request and just get the headers.
Exposing api/users/username with 200/404 means that anyone with a patient computer can then enumerate the valid usernames in your system. That may be a security issue, depending on your application. It's often better in these kinds of situations to not look before you leap (which solves the "two users ask for the same name at the same time" problem, too). To do that, POST a new user and deal with conflicts at that point (409 is a good status code if there are problems). Some applications even add an additional step to username acquisition akin to concert ticket reservations, where you obtain a soft lock on the resource and then confirm it in a separate step, with automatic rollback after a period of inactivity.
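The two approaches from the answers above, side by side, as an added example (not code from either answerer): a HEAD-style existence check that returns only a status code, and the "don't look before you leap" POST handler that lets the database's uniqueness constraint decide and maps the constraint violation to 409. The in-memory SQLite table, the `api/users` handler names and the username validation rule are assumptions made for this example.

```python
import sqlite3


def open_store():
    """Constructed in-memory user table; the PRIMARY KEY is what enforces uniqueness."""
    conn = sqlite3.connect(":memory:")
    # COLLATE NOCASE so "alice" and "Alice" count as the same username
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY COLLATE NOCASE)")
    return conn


def check_username_taken(conn, username):
    """HEAD /api/users/:username as described in the question.

    Returns only a status code (200 = exists, 404 = free), no user body.
    Note that even without a body this endpoint still lets a caller
    enumerate valid usernames one request at a time.
    """
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    return 200 if row else 404


def create_user(conn, username):
    """POST /api/users: attempt the insert and report conflicts as 409.

    There is no separate existence check, so two concurrent requests for the
    same name cannot both succeed: the database rejects the second insert.
    Returns (status_code, response_body).
    """
    # Assumed validation rule for this example: 1-32 alphanumeric characters
    if not username or len(username) > 32 or not username.isalnum():
        return 400, {"error": "invalid username"}
    try:
        with conn:  # commits on success, rolls back if the INSERT raises
            conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:
        # PRIMARY KEY violation: the name is already taken
        return 409, {"error": "username already taken"}
    return 201, {"username": username}


if __name__ == "__main__":
    db = open_store()
    print(create_user(db, "alice"))        # (201, {'username': 'alice'})
    print(create_user(db, "Alice"))        # (409, {'error': 'username already taken'})
    print(check_username_taken(db, "alice"))  # 200
    print(check_username_taken(db, "bob"))    # 404
```

The signup form can still call the HEAD endpoint for a friendly hint while the user types, but only the POST path decides whether a name is granted, so a stale hint never leads to two accounts with the same name.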