api design – Is it a bad practice to have one API route that can serve both private and public resources conditionally with an optional authorization?

Let’s say I’m making a platform like LinkedIn. The platform lets you upload your business details.

All public visitors can go to your business page and view public information such as name and description.
But, if you are the owner, you can also see additional private information such as your sales figures, invitations, etc. on that same page.

To do that, I make a route which gets the details of a particular business (GET /businesses/:id).

This API has an authorization middleware that, for example, checks whether you have a valid JWT to prove your identity.

If the JWT is incorrect or absent, the API only fetches and returns the public information of that business.
However, if the JWT is correct, it fetches additional information, including all public and private details of that business.

So, my question is: how serious are the disadvantages of using the same API route with conditional authorization (maintainability/testability/security)?

Do I need to separate this into two different routes?

web application – Does API access token that only have access to public information need to be kept secret?

Your question is very specific to the usage of the ‘Instagram Basic Display API (long-lived access token)’, which is not just limited to displaying/accessing the public information of a profile.

You can perform Refresh Access Tokens every day, which leads to a DoS attack (the User node and Media node can be accessed only with the latest access token). Exceeding the rate limit also leads to a DoS attack. You can control the entire account if you can get the Graph API token 🙂

Irrespective of its usage, every API access token is to be protected, and how to protect it depends on your application architecture. There are many articles listing best practices: Reference-01 Reference-02 Reference-03

rest – Should our RESTful API be abstract or client-specific?

I work in the SAP industry where web-based UIs and RESTful APIs are a rather new thing, meaning some teams (like ours) don’t have much experience in designing such systems. Recently there’s been a discussion that revolved around whether our API should be an abstract representation of the resource or client-specific by pre-filtering a subset of the resource. Let me try to elaborate using the specific use case that was the center of the discussion:

Say we have a business object work-task that has a property called status. That status may have several values, say active and closed. Now, a web-based UI is being designed that allows users to edit work-tasks, but only if they have the status active.

Before I explain the two opinions on how to design the API, let me state some important prerequisites:

  • The validation whether a work-task can be edited (the status check) is always done on the server during UPDATE.
  • There will likely come the requirement to develop different clients that e.g. require work-tasks regardless of status.
  • There are no security concerns regarding the status property being visible to the user.

These are the two opinions on how to approach this (I obviously have a clear preference, but I’m going to try to recite both to the best of my abilities):

  1. Design an abstract API and allow the client to filter for status='active' in the query. The goal is to make the API easily reusable. That means the client developer needs to know part of the use case (e.g. the kind of status he needs to filter on). It also means that if the business logic ever changes (e.g. another editable status is introduced, say, partly-active), the client would need to be changed (to include that value in its query filter).
  2. Design a client-specific API and filter server-side instead of client-side. To achieve this, three approaches were suggested:
     a) Include a technical field in the resource representation that specifies the client, say forClient. The client would then filter that property for e.g. forClient='App1'.
     b) Include a ‘technical association’ between a parent resource and the actual resource, which would make the query look something like this: work-package/forApp1/work-tasks. Work-package would be an object that has a 1:n relationship to work-task.
     c) Develop a completely new API per client.

Of course I have consulted the API specs (we use OData V2.0, which is specified here), but the specs never talk explicitly about that point. One could argue that (2) is never talked about and (1) is always assumed when looking at e.g. the URI or resource conventions.

I myself use JSON:API personally, which seems to be a little more restrictive and could be interpreted to more specifically demand (1).

I’ve also consulted guidelines on how to implement REST, like here and here. I’d also interpret these as going for (1). But in the end, I might be too biased and trying to read between the lines.

I’d very much welcome any input on this matter. 🙂

Bonus Question: In case (or in cases where) you would go for (1), would that change when there wouldn’t be only one property to filter, but say 3-5 filters would be required to get the subset required by the client?
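To make the trade-off concrete, here is an added example (not the asker's code or an OData implementation) of approach (1) with one refinement: the endpoint stays abstract and accepts a validated status filter, but it also offers a derived editable=true filter whose meaning the server defines once, so a new editable status like partly-active changes one set on the server rather than every client's query. Statuses, the query parameter names and the sample tasks are constructed.

```javascript
// Added example (not the asker's code): a single abstract list endpoint whose
// filters are validated server-side, plus a derived "editable" filter that
// encodes the business rule once. Statuses and sample tasks are constructed.
const KNOWN_STATUSES = new Set(["active", "closed", "partly-active"]);
// The server owns the rule about which tasks may be edited; clients never enumerate it.
const EDITABLE_STATUSES = new Set(["active", "partly-active"]);

// Parses ?status=a,b and ?editable=true|false into a predicate, rejecting
// unknown values so a typo produces a 400 rather than an empty 200.
function buildTaskFilter(query) {
  const predicates = [];
  if (query.status !== undefined) {
    const wanted = String(query.status).split(",").map((s) => s.trim());
    for (const s of wanted) {
      if (!KNOWN_STATUSES.has(s)) throw new RangeError(`unknown status: ${s}`);
    }
    const set = new Set(wanted);
    predicates.push((task) => set.has(task.status));
  }
  if (query.editable !== undefined) {
    if (query.editable !== "true" && query.editable !== "false") {
      throw new RangeError("editable must be true or false");
    }
    const want = query.editable === "true";
    predicates.push((task) => EDITABLE_STATUSES.has(task.status) === want);
  }
  return (task) => predicates.every((p) => p(task));
}

// GET /work-tasks handler logic, independent of the web framework.
function listWorkTasks(tasks, query) {
  let predicate;
  try {
    predicate = buildTaskFilter(query);
  } catch (e) {
    if (e instanceof RangeError) return { status: 400, body: { error: e.message } };
    throw e;
  }
  return { status: 200, body: tasks.filter(predicate) };
}

// The same rule is what UPDATE enforces, which the question says always happens server-side.
function canEdit(task) {
  return EDITABLE_STATUSES.has(task.status);
}

// Constructed sample data.
const SAMPLE_TASKS = [
  { id: 1, status: "active" },
  { id: 2, status: "closed" },
  { id: 3, status: "partly-active" },
  { id: 4, status: "active" },
];
```

The editable filter is not client-specific (any client may use it) and it adds no technical field to the resource, which is why it sits between the two camps in the discussion: the client says what it needs in business terms, the server decides what that means.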

Problem getting the API data from Node to show up on the front end

I am building a chart in Chart.js and need to fetch the data from an API in Node, but it isn’t working. Here is index.js:

const express = require('express')
const morgan = require('morgan')
const cors = require('cors')
const bodyParser = require('body-parser')
const routes = require('./config/routes')
const axios = require('axios')

const app = express()

app.use(morgan('dev'))
app.use(bodyParser.urlencoded({extended: false}))
app.use(express.json())
app.use(cors())
app.use(routes)

app.listen(21262, () => {
    console.log(`Express started at http://localhost:21262`)
})

The routes.js it refers to is the following code:

const { default: axios } = require('axios')
const express = require('express')
const routes = express.Router()


let db = [
    {memory: "(5,4,5,1,6,4,7,2.8,5,4.7,6)"},
    {xMemory: "('1','2','3','4','5','6','7','8','9','10','11')"}
]

routes.get('/', async(req, res) => {
    return res.json(db)
})

routes.post('/add', (req, res) => {
    const body = req.body

    if (!body) {
        return res.status(400).end()
    }

    db.push(body)
    return res.json(body)

})

routes.delete('/:id', (req, res) => {
    const id = req.params.id

    let newDB = db.filter(item => {
        if(!item[id])
            return item
    })

    db = newDB

    return res.send(newDB)
})


module.exports = routes

The chart file is this one, where in the getContent() function the console.log(memory, xMemory) returns "undefined":

const api_url = `http://localhost:21262/`

async function getContent() {
    try {
        const response = await fetch(api_url)
        const data = await response.json()
        const {memory, xMemory} = data
        console.log(memory, xMemory)
    } catch (error) {
        console.log(error)
    }
}

chartIt()

async function chartIt() {
    await getContent();
    let memoryChart = new Chart(document.getElementById("memory-chart"), {
        type: 'line',
        data: {
            labels: xMemory,
            datasets: [
                {
                    label: 'Memory',
                    borderColor: '#00a389',
                    cubicInterpolationMode: 'default',
                    tension: 0.4,
                    data: memory
                }
            ]
        },
        options: {
            maintainAspectRatio: false,
            elements: {
                line: {
                    borderWidth: 4
                },
                point: {
                    radius: 0
                }
            },
            plugins: {
                legend: {
                    display: false
                }
            },
            scales: {
                x: {
                    display: false,
                },
                y: {
                    display: false,
                }
                
            }
        }
    })
}
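The payload routes.js serves is an array of two one-key objects, so destructuring `{memory, xMemory}` from it reads properties the array does not have. As an added example (not the asker's code), the following helper merges that shape into one object, converts the bracketed strings into the numeric arrays Chart.js needs, and returns the result from getContent() so chartIt() actually has data in scope; SAMPLE_DB is a constructed copy of the question's data.

```javascript
// Added example (not the asker's code): turn the payload routes.js serves into
// the numeric arrays Chart.js expects, and hand it back from getContent() so
// chartIt() has it in scope. SAMPLE_DB is a constructed copy of the question's shape.
const SAMPLE_DB = [
  { memory: "(5,4,5,1,6,4,7,2.8,5,4.7,6)" },
  { xMemory: "('1','2','3','4','5','6','7','8','9','10','11')" },
];

// "(5,4,5)" or "('1','2')" -> ["5","4","5"] / ["1","2"]; real arrays pass through.
function parseSeries(value) {
  if (Array.isArray(value)) return value.map(String);
  if (typeof value !== "string") throw new TypeError(`unsupported series type: ${typeof value}`);
  const inner = value.trim().replace(/^[\(\[]/, "").replace(/[\)\]]$/, "");
  if (inner === "") return [];
  return inner.split(",").map((s) => s.trim().replace(/^'|'$/g, ""));
}

// The question's db is an array of one-key objects, so `const {memory} = data`
// reads a property the array does not have and yields undefined. Merging the
// array into one object (or serving an object in the first place) fixes that.
function flatten(payload) {
  const parts = Array.isArray(payload) ? payload : [payload];
  return Object.assign({}, ...parts);
}

function toChartData(payload) {
  const merged = flatten(payload);
  if (merged.memory === undefined || merged.xMemory === undefined) {
    throw new Error("payload lacks memory/xMemory");
  }
  const data = parseSeries(merged.memory).map(Number);
  const labels = parseSeries(merged.xMemory);
  if (data.some(Number.isNaN)) throw new Error("memory contains a non-numeric value");
  if (data.length !== labels.length) {
    throw new Error(`length mismatch: ${data.length} values vs ${labels.length} labels`);
  }
  return { labels, data };
}

// Returns the parsed result instead of only logging it; fetchImpl is injectable for tests.
async function getContent(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url);
  if (!response.ok) throw new Error(`HTTP ${response.status} from ${url}`);
  return toChartData(await response.json());
}

// In the browser: const { labels, data } = await getContent(api_url); then pass
// labels and data into the Chart config (Chart.js itself is not included here).
```

Serving `{memory: [...], xMemory: [...]}` with real arrays from routes.js would make the string parsing unnecessary; the normaliser is there so the front end keeps working with either shape and fails loudly, instead of drawing an empty chart, when the payload is wrong.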

php – How to add API security keys into JS of wordpress securely

I am using wp_localize_script() to add variables from my config.ini file to my inline JS code (inside an HTML block element of Elementor) (please see this for reference).

But this method is unsafe for adding security keys because these variables can be accessed via the console. How can I add API security keys to my JS code securely?
Is there any way I can achieve this? Thank you in advance.
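Anything handed to the page, whether by wp_localize_script or an inline script, is readable by whoever loads it, so a key that must stay secret cannot live in browser JS at all. The usual fix is to keep the key on the server and expose a same-origin endpoint the browser calls instead. The following is an added example of that pattern in Node (not WordPress or the asker's code); the upstream URL, the allowed parameter names, the header and the endpoint path are constructed assumptions, and the key would be read from server-side configuration such as an environment variable.

```javascript
// Added example (not WordPress or the asker's code): the browser calls a
// same-origin endpoint; the server adds the third-party key. The upstream URL,
// parameter names, header and endpoint path are constructed assumptions.
const UPSTREAM_URL = "https://upstream.example/v1/search";
const ALLOWED_PARAMS = new Set(["q", "limit"]);

// Builds the outbound request from a client query: only allow-listed
// parameters are forwarded, and the key travels in a header, never in the URL
// (URLs end up in access logs and Referer headers).
function buildUpstreamRequest(clientQuery, apiKey) {
  if (typeof apiKey !== "string" || apiKey.length === 0) throw new Error("server is missing its API key");
  const url = new URL(UPSTREAM_URL);
  for (const [name, value] of Object.entries(clientQuery)) {
    if (!ALLOWED_PARAMS.has(name)) continue;
    if (typeof value !== "string" || value.length > 200) throw new RangeError(`invalid parameter: ${name}`);
    url.searchParams.set(name, value);
  }
  const limit = url.searchParams.get("limit");
  if (limit !== null && !/^(?:[1-9]|[1-4][0-9]|50)$/.test(limit)) throw new RangeError("limit must be 1-50");
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${apiKey}`, Accept: "application/json" },
  };
}

// What may safely be handed to the page (the job wp_localize_script does):
// no secrets, just where the browser should send its requests.
function publicClientConfig(siteUrl) {
  return { searchEndpoint: new URL("/wp-json/myplugin/v1/search", siteUrl).toString() };
}

// Express-style handler for that endpoint; fetchImpl is injectable so it can
// be exercised offline. The key would come from e.g. process.env.UPSTREAM_API_KEY.
function makeProxyHandler(apiKey, fetchImpl = globalThis.fetch) {
  return async function proxySearch(req, res) {
    let outbound;
    try {
      outbound = buildUpstreamRequest(req.query ?? {}, apiKey);
    } catch (e) {
      return res.status(e instanceof RangeError ? 400 : 500).json({ error: e.message });
    }
    const upstream = await fetchImpl(outbound.url, { headers: outbound.headers });
    // Pass the body through but never the upstream headers, which may echo credentials.
    return res.status(upstream.ok ? 200 : 502).json(await upstream.json());
  };
}
```

The proxy endpoint itself still needs whatever access control the site requires (a nonce or login check in WordPress terms), because it now spends the key on behalf of any caller that reaches it; the allow-list and limit checks keep callers from turning it into a general-purpose relay to the upstream service.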

http – Is It Possible To Query an API for its Available Versions and/or Endpoints?

So I’ve got an API with some outdated documentation and no swagger. I can ping requests to said API because I have the auth and all required parameters. However, as the documentation is out-dated, I’m not sure which API version is active, present or available.

My requests always get a 200 response; it’s just that I’m supplying an unsupported version number, so the response body says exactly that.

Now I’m curious about undocumented APIs in general: is there a way to ping requests in order to find which version of the API (or endpoint) is available/active? Given that you already have the full endpoint data (URL, endpoint, auth, params), is it possible to send requests without specifying a version number in order to find out which ones are available for each endpoint? Sort of like a DIY Swagger.

The type of request in question is very simple, a GET with all parameters supplied as a query string,

i.e. https://theurl.com/<endpoint>/<version number>/?Params&Params&Params

could this type of request be hacked so that it uses the latest possible version number? Or is there a way to ping an API so that it shows all available versions and endpoints?

docker – How should I authorize calls to an API behind an Apache reverse proxy behind CAS authentication?

Apologies if this is incoherent. I’m very new.

I have an Apache server protected by CAS in a Docker container. I’m using mod_auth_cas to do this. I have an API running on a different container which is accessed through a reverse proxy using ProxyPass so that the user must be authorized to make API calls. I now want to know the UID in my API so that I can make sure that the user has permissions.

I’m hoping that there’s a way to add an additional parameter with the verified UID to incoming API calls. I feel like there should be some way to do this with mod_rewrite, but I’m not sure how. I suppose I’d have to get the UID as a string.

c++ – Designing a library API to allow for interactivity

The application I’m currently working on is deeply coupled to the UI framework in use (Qt at the moment). I would like to separate the UI-specific code from the rest as much as possible, with the goal of creating a library for use with other toolkits in the near future.

I have already started this work but I am struggling with the architecture of the application when it comes to interactivity: moving code out of the UI is not that hard, but I would like to keep things such as progress indicators and warning message boxes working. One thing I am doing right now is to pass a “show_progress” functor that takes one argument and updates the progress dialog, but I am not sure if this will work in the long run; I would pretty much either need multiple functors per library call or create one big interface that would have methods for progress bars, message boxes, etc.

What are some solutions or resources to help me sort these problems out?

wp api – WP-API new variable

I’m sorry, I speak a little English.

My website https://examplee.tld/wp-json returns JSON:

{"name":"examplee","description":"Just another WordPress site","url":"https://examplee.tld", ...

How do I add a new variable with my own plugin (no auth needed, visible to all)? For example, this is what I would like it to return:

{"mynewvariable":"ok","name":"examplee","description":"Just another WordPress site","url":"https://examplee.tld", ...

My plugin: https://examplee.tld/wp-content/plugins/myplugin/myplugin.php

<?php

/**
 * Plugin Name: MYPLUGIN
 */

// I need the code, how to add new variable to API

?>

Please help me. Thanks.

magento2 – Magento 2 get filter attribute values in custom API

Hi, I created a custom API in Magento 2 and in it I need to implement an advanced search by store brand, model and year.

I am able to get the brand fields:

    public function getAddtocar($attribute) {

        $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
        $filterableAttributes = $objectManager->get(\Magento\Catalog\Model\Layer\Category\FilterableAttributeList::class);
        $layerResolver = $objectManager->get(\Magento\Catalog\Model\Layer\Resolver::class);
        $filterList = $objectManager->create(
            \Magento\Catalog\Model\Layer\FilterList::class,
            ['filterableAttributes' => $filterableAttributes]
        );
        $layer = $layerResolver->get();
        $filters = $filterList->getFilters($layer);

        $values = [];
        $filterAttrs = [];
        foreach ($filters as $filter) {
            $attr_code = (string) $filter->getRequestVar();
            if ($attr_code == $attribute) {
                $attr_label = (string) $filter->getName();
                $items = $filter->getItems(); // all available filter options in this particular filter
                foreach ($items as $item) {
                    $values[] = [
                        "id" => $item->getValue(),
                        "count" => $item->getCount(),
                        "label" => strip_tags($item->getLabel()),
                    ];
                }
                if (!empty($values) && count($values) > 1) {
                    $filterAttrs[] = [
                        "label" => $attr_label,
                        "options" => $values,
                        "code" => $attr_code,
                    ];
                }
            }
        }
        $response = ['status' => 'true', 'layeredData' => $filterAttrs];
        echo $json = json_encode($response, JSON_UNESCAPED_UNICODE);
        die();
    }

By using the above code I am able to show the brand fields assigned to products. After selecting a brand, I need to get the model field.
For example: brand -> hyundai, lexus, kia. Once kia is selected I need to get the kia-related models. Can anyone suggest how to do this selection-based filtering?