I have a problem with proper API design.
So there's an app where users can track their sport Activities. User can later access and view them. It can be done by making GET /api/activities/{id}
request, where id
is an id of the activity. Internally I am searching db by user id and activity id, so that another user cannot view another user's Activity.
But then I need to access and process that Activity in another app service. So I need to have access but with that endpoint I won't get it because of not matching user id.
So I can see these solutions:
- Check permissions of the requester in the controller and if it's service then query db by just activity id (I don't like it because of possible code complication – need to pass roles to services or provide separate functions for each one and call the right one from controller).
- Create separate endpoint(s) for inter-service communication (of course properly secured).
- Fetch activity by id always and decide later wheter to return it or not depending on requester (simpler than 1. but there's unnecessary deserialization of objects from db).
What is the best approach and best practises?