I am building a RESTful API for my users.
I have these:
1. GET -> Users/{id} This is to get by Id
2. POST -> Users/{DTO} This is to add
3. PATCH/PUT -> Users/{DTO} This is for updating the info
4. DELETE -> Users/{id} Removing
5. DELETE -> Users/{username}/reset_pass Reset Password
6. POST -> Users/?username={userName}&password={password}
So I am a little unsure about numbers 5 and 6 (especially 6).
I would like to know what you think about this: sending my user's password in a query string in the body.
I think Uber uses the pattern that I used for resetting passwords. What do you think about that?
Thanks
4. DELETE -> Users/{id} Removing
5. DELETE -> Users/{username}/reset_pass Reset Password
reset_pass is verb-like. Consider using DELETE Users/{id}/password. Depending on what happens to the password, DELETE may or may not suit the use case.
6. POST -> Users/?username={userName}&password={password}
Again, this is not consistent with your URL format. If you'd like to create a new password for a user, use POST Users/{id}/password.
I would like to know what you think about this: sending my user's password in a query string in the body.
It is neater to model it into a request body; however, it makes no difference in terms of security. Unless you use HTTPS, anyone will be able to sniff an HTTP POST regardless of where in the request you decide to pass your data.
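To make the answer's last point concrete, here is an added example (not code from the question or the answer above). It builds the raw bytes of both request shapes, the query-string variant from item 6 and the POST Users/{id}/password JSON-body variant the answer recommends, and then plays the role of a passive observer on a plain-HTTP link: a few lines of parsing recover the password from either location. The credentials, the user id 42 and the host api.example.com are constructed values for the demonstration.

```python
import json
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample credentials for the demonstration; not real accounts.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
HOST = "api.example.com"  # hypothetical host


def build_query_string_request(username: str, password: str) -> bytes:
    """Item 6 from the question: credentials carried in the URL query string."""
    qs = urlencode({"username": username, "password": password})
    head = [
        f"POST /Users/?{qs} HTTP/1.1",
        f"Host: {HOST}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(head).encode()


def build_body_request(user_id: int, password: str) -> bytes:
    """The shape the answer suggests: POST Users/{id}/password with a JSON body."""
    body = json.dumps({"password": password}).encode()
    head = [
        f"POST /Users/{user_id}/password HTTP/1.1",
        f"Host: {HOST}",
        "Content-Type: application/json",
        f"Content-Length: {len(body)}",
        "",
        "",
    ]
    return "\r\n".join(head).encode() + body


def extract_password(raw_request: bytes) -> Optional[str]:
    """What an on-path observer of plain HTTP can do with the captured bytes.

    Without TLS the whole request (request line, headers and body) is visible,
    so the only work is locating the field: first the query string of the
    request target, then a JSON body if the Content-Type says so.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    head_lines = head.decode("iso-8859-1").split("\r\n")
    _method, target, _version = head_lines[0].split(" ", 2)

    headers = {}
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Location 1: the query string. parse_qs undoes the percent/plus encoding.
    query = parse_qs(urlsplit(target).query)
    if "password" in query:
        return query["password"][0]

    # Location 2: a JSON request body.
    if headers.get("content-type", "").startswith("application/json") and body:
        try:
            parsed = json.loads(body)
        except ValueError:
            return None
        if isinstance(parsed, dict):
            return parsed.get("password")
    return None


if __name__ == "__main__":
    for label, raw in (
        ("query string", build_query_string_request(USERNAME, PASSWORD)),
        ("JSON body", build_body_request(42, PASSWORD)),
    ):
        print(f"{label:12s} -> observer recovers: {extract_password(raw)!r}")
```

Both calls return the same plaintext password, which is the answer's point: moving the secret from the URL into the body changes the request's tidiness, not its exposure, and only TLS keeps the observer from reading either location.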