I’m designing a RESTful web service utilizing ROA(Resource oriented architecture).
I’m trying to work out an efficient way to guarantee idempotence for PUT requests that create new resources in cases that the server designates the resource key.
From my understanding, the traditional approach is to create a type of transaction resource such as /CREATE_PERSON. The the client-server interaction for creating a new person resource would be in two parts:
Step 1: Get unique transaction id for creating the new PERSON resource:::
**Client request:**
POST /CREATE_PERSON
**Server response:**
200 OK
transaction-id:"as8yfasiob"
Step 2: Create the new person resource in a request guaranteed to be unique by using the transaction id:::
**Client request**
PUT /CREATE_PERSON/{transaction_id}
first_name="Big bubba"
**Server response**
201 Created // (If the request is a duplicate, it would send this
PersonKey="398u4nsdf" // same response without creating a new resource. It
// would perhaps send an error response if the was used
// on a transaction id non-duplicate request, but I have
// control over the client, so I can guarantee that this
// won't happen)
The problem that I see with this approach is that it requires sending two requests to the server in order to do to single operation of creating a new PERSON resource. This creates a performance issues increasing the chance that the user will be waiting around for the client to complete their request.
I’ve been trying to hash out ideas for eliminating the first step such as pre-sending transaction-id’s with each request, but most of my ideas have other issues or involve sacrificing the statelessness of the application.
Is there a way to do this?
Edit::::::
The solution that we ended up going with was for the client to acquire a UUID and send it along with the request. A UUID is a very large number occupying the space of 16 bytes (2^128). Contrary to what someone with a programming mind might intuitively think, it is accepted practice to randomly generate a UUID and assume that it is a unique value. This is because the number of possible values is so large that the odds of generating two of the same number randomly are low enough to be virtually impossible.
One caveat is that we are having our clients request a UUID from the server (GET uuid/). This is because we cannot guarantee the environment that our client is running in. If there was a problem such as with seeding the random number generator on the client, then there very well could be a UUID collision.
You are using the wrong HTTP verb for your create operation. RFC 2616 specifies the semantic of the operations for
POSTandPUT.Paragraph 9.5:
Paragraph 9.6
There are subtle details of that behavior, for example
PUTcan be used to create new resource at the specified URL, if one does not already exist. However,POSTshould never put the new entity at the request URL andPUTshould always put any new entity at the request URL. This relationship to the request URL definesPOSTasCREATEandPUTasUPDATE.As per that semantic, if you want to use
PUTto create a new person, it should be created in/CREATE_PERSON/{transaction_id}. In other words, the transaction ID returned by your first request should be the person key used to fetch that record later. You shouldn’t makePUTrequest to a URL that is not going to be the final location of that record.Better yet, though, you can do this as an atomic operation by using a
POSTto/CREATE_PERSON. This allows you with a single request to create the new person record and in the response to get the new ID (which should also be referred in the HTTPLocationheader as well).Meanwhile, the REST guidelines specify that verbs should not be part of the resource URL. Thus, the URL to create new person should be the same as the location to get the list of all persons –
/PERSONS(I prefer the plural form :-)).Thus, your REST API becomes:
GET /PERSONSGET /PERSONS/{id}POST /PERSONSwith the body containing the data for the new recordPUT /PERSONS/{id}with the body containing the data for the updated record.DELETE /PERSONS/{id}Note: I personally prefer not using PUT for creating records for two reasons, unless I need to create a sub record that has the same id as an already existing record from a different data set (also known as ‘the poor man’s foreign key’ :-)).
Update: You are right that
POSTis not idempotent and that is as per HTTP spec.POSTwill always return a new resource. In your example above that new resource will be the transaction context.However, my point is that you want the
PUTto be used to create a new resource (a person record) and according to the HTTP spec, that new resource itself should be located at the URL. In particular, where your approach breaks is that the URL you use with thePUTis a representation of the transactional context that was created by the POST, not a representation of the new resource itself. In other words, the person record is a side effect of updating the transaction record, not the immediate result of it (the updated transaction record).Of course, with this approach the
PUTrequest will be idempotent, since once the person record is created and the transaction is ‘finalized’, subsequentPUTrequests will do nothing. But now you have a different problem – to actually update that person record, you will need to make aPUTrequest to a different URL – one that represents the person record, not the transaction in which it was created. So now you have two separate URLs your API clients have to know and make requests against to manipulate the same resource.Or you could have a complete representation of the last resource state copied in the transaction record as well and have person record updates go through the transaction URL for updates as well. But at this point, the transaction URL is for intends and purposes the person record, which means it was created by the
POSTrequest in first place.