You should return a `401 Unauthorized` Status Code. You might additionally provide hypermedia to establish the token again

Think about what happens in a web app. You go to say a banking site. If not auth&#39;d it will send you to the log in page. Then you log in and you are good to go for a time. Then it expires and the cycle repeats.

Just a thought.

according to the spec rfc6750 - &quot;The OAuth 2.0 Authorization Framework: Bearer Token Usage&quot;, https://www.rfc-editor.org/rfc/rfc6750, p.8, section 3.1, resource server should return 401:
&gt;
&gt;  invalid_token
&gt;         The access token provided is expired, revoked, malformed, or
&gt;         invalid for other reasons.  The resource SHOULD respond with
&gt;         the HTTP 401 (Unauthorized) status code.  The client MAY
&gt;         request a new access token and retry the protected resource
&gt;         request.
 

FWIW Facebook uses 400 with a custom JSON response.  I personally would prefer 401 with custom JSON response.

Here is FB&#39;s response body:

&lt;!-- language: lang-js --&gt;

    {
      &quot;error&quot;: {
        &quot;message&quot;: &quot;Error validating access token: Session has expired on Jul 17, 2014 9:00am. The current time is Jul 17, 2014 9:07am.&quot;,
        &quot;type&quot;: &quot;OAuthException&quot;,
        &quot;code&quot;: 190,
        &quot;error_subcode&quot;: 463
      }
    }


The python wiki says: &quot;Membership testing with sets and dictionaries is much faster, O(1), than searching sequences, O(n). When testing &quot;a in b&quot;, b should be a set or dictionary instead of a list or tuple.&quot;

I&#39;ve been using sets in place of lists whenever speed is important in my code, but lately I&#39;ve been wondering why sets are so much faster than lists. Could anyone explain, or point me to a source that would explain, what exactly is going on behind the scenes in python to make sets faster?

What makes sets faster than lists?

What is the difference between `getenv()` and `$_ENV`?

Any trade-offs between using either?

I noticed sometimes `getenv()` gives me what I need, while `$_ENV` does not (such as `HOME`).

getenv() vs. $_ENV in PHP

I&#39;ve got a JSON REST API. There is a handshake that will give you a token that is valid for 15 minutes. All calls you do within those 15 minutes should work ok. After the 15 minutes I am returning an error object (includes code, message, success = false) but I was also wondering what HTTP Error Code I should return? And will using a HTTP error code mess up certain clients? (HTML5, iPhone, Android). What is considered best practice in this scenario?

Token Expired - JSON REST API - Error Code

<p>I've got a JSON REST API. There is a handshake that will give you a token that is valid for 15 minutes. All calls you do within those 15 minutes should work ok. After the 15 minutes I am returning an error object (includes code, message, success = false) but I was also wondering what HTTP Error Code I should return? And will using a HTTP error code mess up certain clients? (HTML5, iPhone, Android). What is considered best practice in this scenario?</p>


How does one check whether a task is running in celery (specifically, I&#39;m using celery-django)?

I&#39;ve read the documentation, and I&#39;ve googled, but I can&#39;t see a call like:

    my_example_task.state() == RUNNING

My use-case is that I have an external (java) service for transcoding. When I send a document to be transcoded, I want to check if the task that runs that service is running, and if not, to (re)start it.

I&#39;m using the current stable versions - 2.4, I believe.

How to check task status in Celery?

Can somebody explain to me the differences between Document and RPC style webservices? Apart from JAX-RPC, the next version is JAX-WS, which supports both Document and RPC styles.  I also understand document style webservices are meant for Asynchronous communication where a client would not block until the response is received.

Either way, using JAX-WS I currently annotate the service with *@Webservice*, generate the WSDL and from that WSDL I generate the client side artifacts.

Once the artifacts are received, in both styles, I invoke the method on the port. Now, this does not differ in RPC style and Document style. So what is the difference and where is that difference visible?

Similarly, in what way does SOAP over HTTP differ from XML over HTTP? After all SOAP is also XML document with SOAP namespace.


What is the difference between Document style and RPC style communication?

I have a web service I am trying to unit test.  In the service it pulls several values from the `HttpContext` like so:

     m_password = (string)HttpContext.Current.Session[&quot;CustomerId&quot;];
     m_userID = (string)HttpContext.Current.Session[&quot;CustomerUrl&quot;];

in the unit test I am creating the context using a simple worker request, like so:

    SimpleWorkerRequest request = new SimpleWorkerRequest(&quot;&quot;, &quot;&quot;, &quot;&quot;, null, new StringWriter());
    HttpContext context = new HttpContext(request);
    HttpContext.Current = context;

However, whenever I try to set the values of `HttpContext.Current.Session`

    HttpContext.Current.Session[&quot;CustomerId&quot;] = &quot;customer1&quot;;
    HttpContext.Current.Session[&quot;CustomerUrl&quot;] = &quot;customer1Url&quot;;

I get null reference exception that says `HttpContext.Current.Session` is null. 

Is there any way to initialize the current session within the unit test?

Setting HttpContext.Current.Session in a unit test

I am developing a JSON/REST web API, for which I specifically want third party websites to be able to call my service through AJAX. Hence, my service is sending the famous CORS header:

    Access-Control-Allow-Origin: *

Which allows third party sites to call my service through AJAX. All fine so far.

However, a subsection of my web api is non-public and requires authentication (pretty standard stuff with OAuth and an access_token cookie). Is it safe to enable CORS on this part of my site as well?

On the one hand, it would be cool if third party websites could have ajax clients that also interact with this part of my service. However, the reason that there is a same origin policy in the first place, is that this might be risky. You don&#39;t want any website that you visit afterwards to be able to access your private content. 

The scenario that I am afraid of is that a user logs in on my web api, either on the website or through a website that he trusts, and he forgets to logout. Will this allow every other website that he vists afterwards to access his private content using the existing session?

So my questions:

 * Is it ever safe to enable CORS on non-public content?
 * If a CORS enabled server sets a session_token through a cookie, will this cookie be saved under the domain of the CORS server or main web-page server? 


When is it safe to enable CORS?

I&#39;m using a c# controller as web-service.

In it I want to redirect the user to an external url.

How do I do it?

Tried:

    System.Web.HttpContext.Current.Response.Redirect

but it didn&#39;t work.

how to redirect to external url from c# controller

I submit as POST to a php page the following: 

    {a:1}
This is the body of the request (a POST request).  
In php, what do I have to do to extract that value?  

    var_dump($_POST); 

is not the solution, not working.

  

How to get body of a POST in php?

I need to receive an HTTP Post Multipart which contains only 2 parameters:

- A JSON string
- A binary file

Which is the correct way to set the body? 
I&#39;m going to test the HTTP call using Chrome REST console, so I&#39;m wondering if the correct solution is to set a &quot;label&quot; key for the JSON parameter and the binary file.

On the server side I&#39;m using Resteasy 2.x, and I&#39;m going to read the Multipart body like this:

    @POST
    @Consumes(&quot;multipart/form-data&quot;)
    public String postWithPhoto(MultipartFormDataInput  multiPart) {
      Map &lt;String, List&lt;InputPart&gt;&gt; params = multiPart.getFormDataMap();
      String myJson = params.get(&quot;myJsonName&quot;).get(0).getBodyAsString();
      InputPart imagePart = params.get(&quot;photo&quot;).get(0);
      //do whatever I need to do with my json and my photo
    }

Is this the way to go? 
Is it correct to retrieve my JSON string using the key &quot;myJsonName&quot; that identify that particular content-disposition? 
Are there any other way to receive these 2 content in one HTTP multipart request?

Thanks in advance

REST - HTTP Post Multipart with JSON

I could do with some help on my REST API. I&#39;m writing a Node.js app which is using Express, MongoDB and has Backbone.js on the client side. I&#39;ve spent the last two days trying to work out all of this and not having much luck. I&#39;ve already checked out:

 - https://stackoverflow.com/questions/2676241/securing-a-rest-api
 - https://stackoverflow.com/questions/4574868/securing-my-rest-api-with-oauth-while-still-allowing-authentication-via-third-pa
 - http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
 - http://tesoriere.com/2011/10/10/node.js-getting-oauth-up-and-working-using-express.js-and-railway.js/

I want to keep my backend and frontend as separate as possible so I thought about using a carefully designed REST API would be good. My thinking is that if I ever get round to developing an iPhone app (or something else like that), it could use the API to access data.

BUT, I want this to be secure. A user has logged into my web app and I want to ensure my API is secure. I read about OAuth, OAuth 2.0, OpenID, Hmac, hashes etc... I want to avoid using external logging in (Facebook/Twitter/etc) I want the registering and logging in to be on my app/server.

...but I&#39;m still confused here. Maybe it&#39;s late at night or my brain is just fried, but I could really do with some steps on what to do here. What are the steps for me to create a secure API?

Any help, any information, any examples, steps or anything would be great. Please help!


Securing my Node.js app&#39;s REST API?

When do you use custom HTTP headers in the request part of a REST API ?

Example: 

Would you ever use 
    
    GET /orders/view 
    (custom HTTP header) CLIENT_ID: 23

instead of

    GET /orders/view/client_id/23 or 
    GET /orders/view/?client_id=23

REST APIs: custom HTTP headers vs URL parameters

I am trying to get a clear and concise understanding of HATEOAS, and I am by no means an expert WRT REST. (I think I get it though, thanks to this http://www.looah.com/source/view/2284 ).

Can anyone suggest an equally enlighenting blog/article WRT HATEOAS?


HATEOAS: concise description

For example you run a GET request for `users/9` but there is no user with id #9.
Which is the best response code?

 - 200 OK
 - 202 Accepted
 - 204 No Content
 - 400 Bad Request
 - 404 Not Found

What is the proper REST response code for a valid request but an empty data?

I&#39;m designing an API with SQLAlchemy (querying MySQL) and I would like to force all my queries to have page_size (LIMIT) and page_number (OFFSET) parameters.

Is there a clean way of doing this with SQLAlchemy?  Perhaps building a factory of some sort to create a custom Query object?  Or maybe there is a good way to do this with a mixin class?

I tried the obvious thing and it didn&#39;t work because .limit() and .offset() must be called after all filter conditions have been applied:

    def q(page=0, page_size=None):
        q = session.query(...)
        if page_size: q = q.limit(page_size)
        if page: q = q.offset(page*page_size)
        return q

When I try using this, I get the exception:

    sqlalchemy.exc.InvalidRequestError: Query.filter() being called on a Query which already has LIMIT or OFFSET applied. To modify the row-limited results of a  Query, call from_self() first.  Otherwise, call filter() before limit() or offset() are applied.


Applying LIMIT and OFFSET to all queries in SQLAlchemy

When designing resource hierarchies, when should one use sub-resources?

I used to believe that when a resource could not exist without another, it should be represented as its sub-resource. I recently ran across this counter-example:

* An employee is uniquely identifiable across all companies.
* An employee&#39;s access control and life-cycle depend on the company.

I modeled this as: `/companies/{companyName}/employee/{employeeId}`

Notice, I don&#39;t need to look up the company in order to locate the employee, so should I? If I do, I&#39;m paying a price to look up information I don&#39;t need. If I don&#39;t, this URL mistakenly returns HTTP 200:

`/companies/{nonExistingName}/employee/{existingId}`

1. How should I represent the fact that a resource to *belongs* to another?
2. How should I represent the fact that a resource *cannot be identified* without another?
3. What relationships are sub-resources meant and not meant to model?

RESTful design: when to use sub-resources?

I&#39;d love some some help handling a strange edge case with a paginated API I&#39;m building.

Like many APIs, this one paginates large results. If you query /foos, you&#39;ll get 100 results (i.e. foo #1-100), and a link to /foos?page=2 which should return foo #101-200.

Unfortunately, if foo #10 is deleted from the data set before the API consumer makes the next query, /foos?page=2 will offset by 100 and return foos #102-201.

This is a problem for API consumers who are trying to pull all foos - they will not receive foo #101.

What&#39;s the best practice to handle this? We&#39;d like to make it as lightweight as possible (i.e. avoiding handling sessions for API requests). Examples from other APIs would be greatly appreciated!

API pagination best practices

Keep in mind I have a rudimentary understanding of REST. Let&#39;s say I have this URL:

    http://api.animals.com/v1/dogs/1/

And now, I want to make the server make the dog bark. Only the server knows how to do this. Let&#39;s say I want to have it run on a CRON job that makes the dog bark every 10 minutes for the rest of eternity. What does that call look like? I kind of want to do this:

URL request:
    
    ACTION http://api.animals.com/v1/dogs/1/

In the request body:

    {&quot;action&quot;:&quot;bark&quot;}

Before you get mad at me for making up my own HTTP method, help me out and give me a better idea on how I should invoke a server-side method in a RESTful way. :)

**EDIT FOR CLARIFICATION**

Some more clarification around what the &quot;bark&quot; method does. Here are some options that may result in differently structured API calls:

1. bark just sends an email to dog.email and records nothing.
2. bark sends an email to dog.email and the increments dog.barkCount by 1.
3. bark creates a new &quot;bark&quot; record with bark.timestamp recording when the bark occured. It also increments dog.barkCount by 1.
4. bark runs a system command to pull the latest version of the dog code down from Github. It then sends a text message to dog.owner telling them that the new dog code is in production.

Content Type	Original Author	Original Content on Stackoverflow
Question	BuddyJoe	View Question on Stackoverflow
Solution 1 - Web Services	suing	View Answer on Stackoverflow
Solution 2 - Web Services	Louis	View Answer on Stackoverflow
Solution 3 - Web Services	rynop	View Answer on Stackoverflow

Token Expired - JSON REST API - Error Code

Web Services Problem Overview

Web Services Solutions

Solution 1 - Web Services

Solution 2 - Web Services

Solution 3 - Web Services

getenv() vs. $_ENV in PHP

What makes sets faster than lists?

Attributions