I'm developing a REST API, and while developing the user resource I ended up having a doubt. I want the users in my application to view other users' profiles without being authenticated. But, obviously, a user needs to be authenticated to edit or delete his profile.

My doubt comes when I access, for example, this URL without being authenticated: PUT /api/user/1. Imagine that the user doesn't exist. Which error is checked first, the 404 because the resource does not exist or the 401 because the user is not authenticated? Thanks.

Alexandru Marculescu
Elias Garcia

1 Answer

There's no point in querying for that particular user if the request is a PUT and the current user isn't even authenticated. You'd be better off filtering these requests as soon as they hit your endpoint and returning a 401.

Alexandru Marculescu
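The ordering the answer recommends, written out as an added example that is not code from the question or the answer. It is a framework-free dispatcher for `/api/user/<id>` whose token table and user store are constructed in-memory data (hypothetical tokens `tok-alice`, `tok-bob`, `tok-carol`); a real API would swap those for its session or token validation and its database. The point it shows beyond the prose: because authentication is checked before the lookup, an anonymous PUT gets the same 401 whether the id exists or not, so the 401/404 split never tells an unauthenticated caller which user ids are valid.

```python
"""
Added example: decide 401 vs 404 for a user resource by checking
authentication first, authorization second, and existence last.
All data below is constructed for the example.
"""
from typing import Optional, Tuple

# Constructed sample data: bearer token -> user id, and the user store.
# tok-carol belongs to an account (id 3) that no longer exists in the store.
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-carol": 3}
USERS = {1: {"name": "alice"}, 2: {"name": "bob"}}


def authenticate(auth_header: Optional[str]) -> Optional[int]:
    """Return the caller's user id, or None if no valid bearer token was sent."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return TOKENS.get(auth_header[len("Bearer "):])


def handle_user(method: str, user_id: int, auth_header: Optional[str] = None,
                body: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
    """Dispatch a request for /api/user/<user_id>. Returns (status, payload)."""
    # Public read: no authentication required, so existence decides directly.
    if method == "GET":
        user = USERS.get(user_id)
        return (200, user) if user is not None else (404, None)

    if method in ("PUT", "DELETE"):
        # 1. Authentication first. The store is not consulted, so an anonymous
        #    caller sees 401 for existing and non-existing ids alike.
        caller = authenticate(auth_header)
        if caller is None:
            return (401, None)
        # 2. Authorization next: only the profile owner may modify it.
        if caller != user_id:
            return (403, None)
        # 3. Only now does existence decide between 404 and success
        #    (reachable with a still-valid token for a deleted account).
        if user_id not in USERS:
            return (404, None)
        if method == "DELETE":
            del USERS[user_id]
            return (204, None)
        USERS[user_id].update(body or {})
        return (200, USERS[user_id])

    return (405, None)


if __name__ == "__main__":
    # Anonymous PUT: same answer whether id 1 exists or id 99 does not.
    print(handle_user("PUT", 1)[0], handle_user("PUT", 99)[0])      # 401 401
    # Authenticated owner of a deleted account: 404 only after auth passed.
    print(handle_user("PUT", 3, "Bearer tok-carol", {"name": "c"})[0])  # 404
```

Authorization is checked before existence as well, so an authenticated caller probing someone else's id gets 403 rather than a 404 that would confirm the id is unused; whether 403 or 404 is the better response for that case depends on how much the API is willing to reveal to logged-in users, but the anonymous case is unambiguous: reject before looking anything up.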