We’re looking to make some changes to the GET operator function to not include the operator name as part of the REST API URL. According to security best practices, sensitive information, like operator name, should not be exposed (in browser history, etc). Two options being considered are:
Change the GET api/operator/{operator name} call to use the masthead operator name, which is a generic identifier. E.g.:
GET api/operator/Steve --> GET api/operator/__op_1
Change to use a POST for individual operator queries and passing the operator name as a parameter. E.g.:
POST api/operator?name=Steve
Option 1 maintains our current standard of having data queries done via a GET operation, but requires an additional relevance query to get the ‘masthead operator name’ ahead of time. Option 2 maintains a single call that can be used to query for an operator by name, but would break our current standard and require everyone to switch this call to a POST with parameter.
Any preferences from current/future API users? Other feedback about the suggested change?
I like the new GET method simply on principle. Because your GETting the information. In my mind, the only time you POST when your actually wanting to GET information is because the parameters you have to provide are too complex or to long for the URL.
Wouldn’t it also be possible to do a GET with a request body? Maybe not as simple, but seems like an option.
I’d say if you can POST in order to get info (not to make changes, or create an operator) then maybe it would be interesting if it was a different API endpoint for that just to keep it separated, which also allow keeping the old functionality in place for now. The new thing could be: POST api/operatorinfo?name=Steve
The older functionality could have a depreciation / security warning in the results.
This also seems viable to me in general, but maybe not ideal: GET api/operator/__op_1
As far as I can see, you can send a body in a GET request, but according to the HTTP specs it should never have any meaning apart from reading it and discarding it. I think I read that Google actually reports an error if you send a body with a GET request.