API design

Hello. I'm doing a REST API and I have doubts about the API design. I have 3 roles (admin, professionals, patients). They have different things they can see or do, but also things that are very similar.

For example, an admin can see all the users and information, and a patient can only see a list of professionals with limited information.

I think about two endpoints, with a Plug to ensure the role:

GET /api/patient/users, PatientController, :index

GET /api/admin/users, AdminController, :index

The other way I see is one endpoint:

GET /api/users

and in the controller make an if to load the right information for the role, or make a plug to redirect to the right controller or path.

What is the proper way?

Hi, if I think of this from a GraphQL perspective then the entity is always the same ('user'), but then each resolver that would resolve sensitive fields would check to see if it should attempt to resolve the field based on credentials.

Assuming that the view of users a patient sees is a strict subset of what an admin can see, for example, I'd go for the 2nd option with code that would perhaps look like this:

get_user(...)
|> add_extras(role) # eg role resolves to :admin
|> put_resp()

essentially 'decorating' the base object with extra detail if appropriate. Do note that this may increase the SQL query count, however, depending on how the data is fetched, so keep that in mind as well.

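The decoration pattern from the reply above, as an added example that is not the poster's code: a plain Elixir module (no Phoenix needed) that projects a user record through an allowlist of base fields and then merges in only the extras permitted for the caller's role, so sensitive columns never reach the response unless a role explicitly lists them. The user map, the field names and the role atoms are constructed for the example.

```elixir
defmodule UserView do
  @moduledoc """
  Role-based projection of a user record (added example, not the forum poster's code).
  Assumes a plain map for the user and the role atoms :patient, :professional, :admin.
  """

  # Base fields every role may see; each role adds extras on top of these.
  # An allowlist means a new sensitive column is hidden by default.
  @base_fields [:id, :name, :specialty]
  @extras %{
    patient: [],
    professional: [:email, :phone],
    admin: [:email, :phone, :address, :inserted_at, :role]
  }

  # Constructed sample record standing in for a row fetched from the DB.
  def sample_user do
    %{id: 1, name: "Dr. Example", specialty: "cardiology", email: "ex@example.org",
      phone: "000", address: "street 1", inserted_at: ~N[2024-01-01 00:00:00],
      role: :professional, password_hash: "never-exposed"}
  end

  # Equivalent of get_user(...) |> add_extras(role) from the reply:
  # take the base projection, then decorate it for the caller's role.
  # Unknown roles get only the base fields (deny by default).
  def render(user, role) do
    user
    |> Map.take(@base_fields)
    |> add_extras(user, role)
  end

  defp add_extras(base, user, role) do
    extras = Map.get(@extras, role, [])
    Map.merge(base, Map.take(user, extras))
  end

  # Checks the assumption the reply relies on: every role's view is a subset
  # of the admin view, so a single /api/users endpoint can serve all roles.
  def nested_views? do
    Enum.all?(@extras, fn {_role, fields} -> fields -- @extras.admin == [] end)
  end
end

# Usage: UserView.render(UserView.sample_user(), :patient) returns only
# id, name and specialty; :admin also gets email, phone, address,
# inserted_at and role; password_hash is never included for any role.
```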