What is the HTTP verb I use for logout?


Viewed 322 times

8

I have a logout endpoint to make the Current user token invalid.

With this came a question: Which HTTP verb should I use to log out?

  • You mean semantically?

  • @LINQ.

  • Would "Curren user" be some mixture of Portuguese and English? Could it be translated as "current user"?

  • How do you invalidate the user token? If you're looking to make a RESTful server, this endpoint makes no sense.

  • @J.William I am using JWT, and that lib has a function to invalidate the token. Of course it makes sense, dude. Imagine the following situation: the guy logs on to the application and you just remove the SESSION from the application. So if somehow (never trust the user) the guy picks up the token from the last logged-in user, he will be able to make any request. If you research a little you will understand the real need.


2 answers

10


The recommendations are set out in RFC 2616, section 9, Method Definitions:

DELETE

The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been carried out, even if the status code returned from the origin server indicates that the action has been completed successfully. However, the server SHOULD NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location.

A successful response SHOULD be 200 (OK) if the response includes an entity describing the status, 202 (Accepted) if the action has not yet been enacted, or 204 (No Content) if the action has been enacted but the response does not include an entity.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.

Since access to the application is a resource identified by the token, and you wish to delete this token, discontinuing access, the DELETE method is appropriate.

Free translation:

The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method can be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been performed, even if the status code returned from the origin server indicates that the action was successfully completed. However, the server MUST NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location.

A successful response MUST be 200 (OK) if the response includes an entity that describes the status, 202 (OK) if the action has not yet been enacted, or 204 (No Content) if the action has been enacted but the response does not include an entity.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, these entries MUST be treated as obsolete. Responses to this method are not cacheable.


Personal note:

If you have full control over the API development, that is, you have developed both the API and the client, you can rely on the 200 response, slightly deviating from the recommendation above, because in the API you can return the 200 response only where the resource has actually been deleted. The recommendation states that the response should not be trusted, especially when you are using a third-party API.


Recommended readings

What are the advantages of using the right HTTP methods?

What is the difference between PUT and POST?

  • Thanks for clearing my doubt.

6

I would say that an interesting method to use would be DELETE (based on an API I know from IBM), because when you authenticate you create an Access Token, and when you disconnect this Token can no longer be used, so I believe DELETE describes it well:

DELETE /api/1.0/token HTTP/1.1

The response status may vary a little depending on whether the Token exists or not; according to https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.7 the response status should be:

  • 200 (Ok) if you return a description in the body
  • 201 (Accepted) if the action has not yet been completed (probably if it will be checked later)
  • 204 (No Content) if the action does not have an answer in the body

Note: If the request passes through a cache and the request URL identifies one or more cached entities, these entries MUST be treated as obsolete. Responses to this method should not be cached.
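As an added example (not code from either answer or from the IBM API mentioned), here is a minimal handler for the `DELETE /api/1.0/token` endpoint described above that treats the bearer token as the resource being deleted: it revokes the token in a server-side store, returns 204 on success and 404 when the token was already revoked, marks the response non-cacheable, and lets later requests check revocation. The in-memory dictionary, the token lifetime and the function names are assumptions for the example.

```python
# Added example: logout as DELETE on the token resource, following the
# RFC 2616 section 9.7 status codes quoted in the answers above.
import hashlib
import time

# Assumption: an in-memory revocation store standing in for a real one.
# Maps a token fingerprint to the time after which the entry can be dropped.
REVOKED = {}
TOKEN_TTL = 3600  # constructed: lifetime (seconds) of issued tokens


def fingerprint(token):
    # Store only a hash of the bearer token, never the token itself.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def is_revoked(token, now=None):
    """Called by every authenticated endpoint before trusting a token."""
    now = time.time() if now is None else now
    expires = REVOKED.get(fingerprint(token))
    return expires is not None and expires > now


def purge(now=None):
    """Drop revocation entries for tokens that have expired on their own."""
    now = time.time() if now is None else now
    for key in [k for k, exp in REVOKED.items() if exp <= now]:
        del REVOKED[key]


def handle_token_request(method, headers, now=None):
    """Handle a request to /api/1.0/token. Returns (status, response headers)."""
    now = time.time() if now is None else now
    no_store = {"Cache-Control": "no-store"}  # responses to DELETE are not cacheable
    if method != "DELETE":
        return 405, {"Allow": "DELETE"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": "Bearer"}
    token = auth[len("Bearer "):]
    if is_revoked(token, now):
        # The resource no longer exists: status differs from a first logout.
        return 404, no_store
    REVOKED[fingerprint(token)] = now + TOKEN_TTL
    # 204: the action has been enacted and the response carries no entity.
    return 204, no_store
```

After `handle_token_request` returns 204, any endpoint that calls `is_revoked` on the same token rejects it, which is the "SESSION removal" the question's author wanted.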
