
RESTful principles question

An intelligent coworker friend of mine brought up a question to me that I was uncertain how to answer and I'd like to pose it to the world.

If a RESTful endpoint uses token-based authentication, aka a time-based token is required to access a resource and that token expires after a certain amount of time, would this violate the RESTful principle? In other words, if the same URL expires after a certain amount of time, so the resource returns a different response depending when it was requested, is that breaking REST?


No, your scenario is not breaking any restful principle that I can think of. You seem to be confusing a request returning a different resource and a request getting a different response.

In your scenario I would expect after the token has expired that the server would return a 401 and the client would initiate some kind of authentication exchange to re-validate the user.
Once revalidated, the server should then return the intended resource.

There are many cases when a request could have completely different responses. 403 Forbidden, 410 Gone are examples.


The user/application access right to the URL may expire but that does not mean the URL expires. In large real world systems the auth part of the API may be handled by a different product, shielding the real API from attacks, unauthorized users, etc. So the RESTful API still follows the restful principles.


Your design is not violating REST constraints, but you must be careful that you use HTTP correctly. If your resources are only intended to be seen by a certain user, that user should be authenticated using HTTP authentication. This will tell public caches not to cache the representations of the resource (which they otherwise usually would).

So, even if you intend the URL to be only known by a certain user, make sure you also have that user authenticate itself using the correct HTTP headers.

Jan
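As an added illustration of what the first and third answers describe (not code from any of the posters), here is a minimal handler for a protected resource: the URL never changes, but an expired or missing bearer token yields a 401 with a WWW-Authenticate challenge, and a successful response is marked private so shared caches do not store a per-user representation. The HMAC-signed token format, the secret and the "api" realm are assumptions for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"demo-secret-not-for-production"


def issue_token(user: str, expires_at: int) -> str:
    """Mint a token of the assumed form base64("user:expires_at:hmac")."""
    payload = f"{user}:{expires_at}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + mac.encode()).decode()


def verify_token(token: str, now: int):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user, exp, mac = raw.rsplit(":", 2)
        expected = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        return user if now < int(exp) else None  # expiry is checked after the MAC
    except ValueError:  # bad base64, bad UTF-8, wrong field count or non-integer expiry
        return None


def handle_get(headers: dict, now: int):
    """GET on the protected resource: returns (status, response headers, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # No credentials at all: challenge the client (RFC 6750 bearer scheme).
        return 401, {"WWW-Authenticate": 'Bearer realm="api"', "Cache-Control": "no-store"}, ""
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        # Same URL, different response: the token expired or was tampered with,
        # so the client must re-authenticate and retry, as the first answer says.
        challenge = 'Bearer realm="api", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge, "Cache-Control": "no-store"}, ""
    # Per-user representation: say explicitly that shared caches must not keep it,
    # rather than relying on the implicit rule for requests carrying Authorization.
    return 200, {"Cache-Control": "private, no-store"}, f"hello {user}"


if __name__ == "__main__":
    token = issue_token("alice", expires_at=1000)
    print(handle_get({"Authorization": "Bearer " + token}, now=999))
    print(handle_get({"Authorization": "Bearer " + token}, now=1000))
```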


Resources will frequently give a different response depending on when they are requested. That's what happens when the actual resources change over time. Requesting the resource of this page (for instance) in a week will likely give different responses than doing so when you read this the first time.
