In my software project (Java-Gradle-Vertx backend), I have defined an endpoint as /a/ea/:eventId/*. In this, /a/* is for authenticating the user, /a/ea/:eventId/* is for authorising the user for the given path parameter "eventId", and then follows the endpoint for whatever POST/GET/DELETE we want to perform. For example: /a/ea/:eventId/dd. Here, /dd stands for Delete Draw. All good so far.

But now, my manager has asked me to remove the :eventId path parameter and include it in the request body instead, citing the security reasons of sending eventId through the request payload.

So, my concern is: if we have to send a request body with the /a/ea/* endpoint, it has to be a POST request. So, if the endpoint following /ea/:eventId, let's say /dd, is a DELETE endpoint, or in some cases it can be a GET endpoint where you cannot send a request body, how do I tackle this?
Not just POST, but all other methods can send a body with the request. You just need to handle such requests carefully (not ignoring the body).

For a more detailed explanation: https://stackoverflow.com/a/983458/7771506
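The answer's point applied to the question's routing chain, as an added example that is not the asker's project code: a Vert.x 4 router (Web 4.3+ for ctx.body()) where the /a/* stage authenticates, the /a/ea/* stage reads eventId from a JSON body instead of the path, and the DELETE for /dd still works. The bearer-token table, event-owner map and port are constructed placeholders.

```java
import io.vertx.core.Vertx;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;
import java.util.Map;

public class EventRoutes {
  // Constructed sample data standing in for the real user store and event ownership.
  static final Map<String, String> TOKEN_TO_USER = Map.of("tok-alice", "alice", "tok-bob", "bob");
  static final Map<String, String> EVENT_OWNER = Map.of("ev-1", "alice", "ev-2", "bob");

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);
    // BodyHandler must be installed before any handler that reads the body. It buffers the
    // payload for every method, so a DELETE carrying a JSON body is handled just like a POST.
    // (Browser fetch/XHR refuse to attach a body to GET, so GET routes cannot rely on this.)
    router.route("/a/*").handler(BodyHandler.create().setBodyLimit(64 * 1024));
    router.route("/a/*").handler(EventRoutes::authenticate);      // /a/*    : who is calling
    router.route("/a/ea/*").handler(EventRoutes::authorizeEvent);  // /a/ea/* : may they touch eventId
    // "dd" = Delete Draw. No :eventId in the path; it was validated one stage earlier.
    router.delete("/a/ea/dd").handler(ctx -> {
      String eventId = ctx.get("eventId");
      // ... delete the draw belonging to eventId ...
      ctx.response().setStatusCode(204).end();
    });
    vertx.createHttpServer().requestHandler(router).listen(8080);
  }

  static void authenticate(RoutingContext ctx) {
    String auth = ctx.request().getHeader("Authorization");
    String user = auth != null && auth.startsWith("Bearer ") ? TOKEN_TO_USER.get(auth.substring(7)) : null;
    if (user == null) { ctx.fail(401); return; }
    ctx.put("userId", user);
    ctx.next();
  }

  // Moving eventId from the path to the body keeps it out of URL logs, proxies and browser
  // history, but the caller can still send any value: this ownership check protects the event.
  static void authorizeEvent(RoutingContext ctx) {
    JsonObject body;
    try { body = ctx.body().asJsonObject(); }            // null when the request had no body
    catch (DecodeException e) { ctx.fail(400); return; } // malformed JSON
    String eventId = body == null ? null : body.getString("eventId");
    if (eventId == null || eventId.isBlank()) { ctx.fail(400); return; }
    String user = ctx.get("userId");
    if (!user.equals(EVENT_OWNER.get(eventId))) { ctx.fail(403); return; } // unknown event also 403
    ctx.put("eventId", eventId);
    ctx.next();
  }
}
```

A client then calls `DELETE /a/ea/dd` with `Content-Type: application/json` and a body such as `{"eventId":"ev-1"}`, and the 204/403 outcome depends only on the authorization stage, not on where the id was carried.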