
I'm working on a RESTful web application. I would like to have user registration occur via a POST request (username and password in the request body), and user login via a GET request (username and password in the query).

The PassportJS documentation seems to show that Passport expects credentials to be in the request body (which it parses). I don't quite understand how it would work with GET requests, since they don't have bodies (typically, if I understand correctly).

How would I make this work? Is this a bad idea? If it is, is there a RESTful alternative?

Martijn Pieters
tborenst

1 Answer


Yes, this is a bad idea. GET requests go into browser history and server log files, are visible in the address bar, can be cached by proxies, etc. This violates both HTTP semantics and security. Just do login as per industry best practices and save your energy for building your actual application. If it gives you warm fuzzies, you can think of a login being a CREATE operation for a session resource, which is done via a POST request according to REST.

Peter Lyons
  • Is there a RESTful way to handle login, then? For example, [this question](http://stackoverflow.com/questions/4608225/how-do-i-implement-login-in-a-restful-web-service) proposes to have an "access token" as the **resource**. However, that seems a little contrived, and it seems more appropriate to me to have the user be the resource (since that's what actually goes on in the code). – tborenst Oct 28 '13 at 10:27
  • @Xaan - Why not just a POST to `/login`? – WiredPrairie Oct 28 '13 at 11:16
  • @WiredPrairie - I mean, that works, but doesn't really follow CRUD. – tborenst Oct 28 '13 at 13:10
  • If it gives you warm fuzzies, you can think of a login being a CREATE operation for a session resource, which is done via a POST request according to REST. – Peter Lyons Oct 28 '13 at 13:33