
In order to effectively use ACL in the system I am currently working on, I would need to send the same 2 URI parameters, which are the ids of the resources I want to check the user's access against.

In order to avoid unused parameters in a number of functions, would it be considered okay practice to send these ids in the headers of this request?

I have attempted this and it works; however, I just need to know whether or not this practice is considered okay.

2 Answers

  1. Custom headers in HTTP requests are explicitly allowed, so in theory this practice should be considered "okay".

    The rest is somewhat subjective, and I wouldn't consider it best practice to move information from the message body to the headers. In practice you could run into issues because of proxies / servers messing with the headers, or controlling caching based on the body of requests (but not on the custom headers).

  2. The user id should be retrieved from the jwt token or from the session. Then you would not need the user id in the request.

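As an added illustration (not code from the thread or from the asker's system), here is a fail-closed version of the check the question describes, in Python: the two resource ids are read from custom headers, the user identity comes from the server-side session as the second answer recommends, and a missing or malformed header, which the first answer warns a proxy may cause, results in a denial rather than a check against an empty id. The header names, the ACL table and the session shape are assumptions for this example.

```python
# Added example, not the thread's own code. Header names, the ACL table and
# the session shape are assumed for the demo.
import re

RESOURCE_HEADERS = ("X-Resource-Id", "X-Parent-Resource-Id")  # assumed names
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # reject malformed values

# Constructed ACL: (user_id, resource_id) -> set of permitted actions
ACL = {
    ("alice", "doc-42"): {"read", "write"},
    ("alice", "folder-7"): {"read"},
    ("bob", "doc-42"): {"read"},
}


def resource_ids_from_headers(headers):
    """Return the ids carried in the custom headers, or None if any is
    missing or malformed. A proxy that strips a header therefore causes a
    denial instead of a lookup against a partial set of resources."""
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ids = []
    for name in RESOURCE_HEADERS:
        value = lookup.get(name.lower())
        if value is None or not ID_PATTERN.match(value.strip()):
            return None
        ids.append(value.strip())
    return tuple(ids)


def check_access(headers, session, action):
    """Allow only if the session identifies a user and that user holds
    `action` on every resource named by the headers."""
    user_id = session.get("user_id")  # taken from the session, never from the request
    if not user_id:
        return False
    ids = resource_ids_from_headers(headers)
    if ids is None:
        return False
    return all(action in ACL.get((user_id, rid), set()) for rid in ids)


if __name__ == "__main__":
    req = {"X-Resource-Id": "doc-42", "X-Parent-Resource-Id": "folder-7"}
    print(check_access(req, {"user_id": "alice"}, "read"))   # True
    print(check_access(req, {"user_id": "alice"}, "write"))  # False: no write on folder-7
    print(check_access({"X-Resource-Id": "doc-42"}, {"user_id": "alice"}, "read"))  # False: header missing
```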