0

I'm developing a REST API and when developing the user resource I ended up having a doubt. I want the users in my application to view other user profiles without being authenticated. But, obviously, a user needs to be authenticated to edit or delete his profile.

My doubt comes when I access, for example, this URL without being authenticated: PUT /api/user/1. Imagine that the user doesn't exist. Which error is checked first, the 404 because the resource does not exist or the 401 because the user is not authenticated? Thanks.

1 Answer

0

There's no point in querying for that particular user, if the request is a PUT and the current user isn't even authenticated. You'd be better off filtering these requests as soon as they hit your endpoint, and return a 401.
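The check order described in the answer above, as an added example that is not part of the original post. It goes one step further than the answer by adding an ownership check (403) after the lookup. `USERS`, `SESSIONS`, `find_user` and `handle` are hypothetical names and all data is constructed.

```python
# Added illustration: reads of /api/user/<id> are public, writes require
# authentication. All names and records here are constructed for the example.

USERS = {2: {"name": "alice"}, 3: {"name": "bob"}}   # constructed profiles
SESSIONS = {"token-alice": 2, "token-bob": 3}         # constructed token -> user id
PUBLIC_METHODS = {"GET", "HEAD"}
LOOKUPS = []  # records every store query, to show which requests reach the data layer


def find_user(user_id):
    """Stand-in for the database query."""
    LOOKUPS.append(user_id)
    return USERS.get(user_id)


def handle(method, user_id, token=None):
    """Return (status, body) for a request to /api/user/<user_id>."""
    caller = SESSIONS.get(token)

    # 1. Authentication gate, before any lookup. An anonymous PUT or DELETE
    #    gets the same 401 whether or not the target exists, so the response
    #    does not reveal which user ids are valid for write requests.
    if method not in PUBLIC_METHODS and caller is None:
        return 401, {"error": "authentication required"}

    # 2. Existence check, reached by public reads and authenticated writes.
    user = find_user(user_id)
    if user is None:
        return 404, {"error": "user not found"}

    # 3. Authorization (assumption: a user may only modify their own profile).
    if method not in PUBLIC_METHODS and caller != user_id:
        return 403, {"error": "cannot modify another user's profile"}

    return 200, user
```

In a real framework the first step usually lives in middleware or a route guard, and the 401 response carries a `WWW-Authenticate` header.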
