Authorization
(How should I build proper authorization semantics for a complex dataset?)
- Take inspiration from GraphQL (especially Mutations) and micro-services and ask: what is the smallest usable operation?
- Design operations around security/authorization boundaries (instead of designing authorization around the operations).
- Differentiate in semantic terms: book.add.existing isn't book.add.toBePublished.
- REST is dead: e.g. POST /book needs to be split into smaller pieces (if (params.published) then {book.add.existing()} else {book.add.toBePublished()}) ... it is too wild to try to secure large, multi-semantics operations as one piece.
- Hierarchy of operations (for bundling in terms of permissions management) must be explicit from the start.
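Added example (not code from the note): the operation hierarchy is declared up front, each fine-grained operation carries its own authorization check, and the coarse POST /book endpoint only routes into those operations. The names Principal, is_allowed, authorized and post_book are assumptions made for this illustration.

```python
"""Hypothetical example: fine-grained operations with an explicit permission
hierarchy, and a coarse POST /book endpoint split into them."""
from dataclasses import dataclass, field

# Explicit operation hierarchy, declared up front so permissions can be bundled.
# A grant on a prefix (e.g. "book.add") covers every operation beneath it.
OPERATIONS = {
    "book.add.existing",       # register an already-published book
    "book.add.toBePublished",  # submit a draft for publication
    "book.read",
}

@dataclass
class Principal:
    name: str
    grants: set = field(default_factory=set)

def is_allowed(principal: Principal, operation: str) -> bool:
    """True if the principal holds the operation or any ancestor in the hierarchy."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")  # fail closed
    parts = operation.split(".")
    ancestors = {".".join(parts[:i]) for i in range(1, len(parts) + 1)}
    return bool(ancestors & principal.grants)

def authorized(operation: str):
    """Bind a handler to exactly one operation; the check cannot be skipped."""
    def wrap(fn):
        def inner(principal: Principal, params: dict):
            if not is_allowed(principal, operation):
                raise PermissionError(f"{principal.name} lacks {operation}")
            return fn(params)
        inner.operation = operation
        return inner
    return wrap

@authorized("book.add.existing")
def add_existing(params):
    return {"op": "book.add.existing", "isbn": params["isbn"]}

@authorized("book.add.toBePublished")
def add_to_be_published(params):
    return {"op": "book.add.toBePublished", "title": params["title"]}

def post_book(principal: Principal, params: dict):
    """The coarse endpoint only dispatches; authorization lives in the operations."""
    op = add_existing if params.get("published") else add_to_be_published
    return op(principal, params)
```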