了解REST：动词，错误代码和身份验证

问题：

I am looking for a way to wrap APIs around default functions in my PHP-based web applications, databases and CMSs. 我正在寻找一种在基于PHP的Web应用程序，数据库和CMS中将API围绕默认功能包装的方法。

I have looked around and found several "skeleton" frameworks. 我环顾四周，发现了几个“骨架”框架。 In addition to the answers in my question, there is Tonic , a REST framework I like because it is very lightweight. 除了我的问题的答案外，还有Tonic ，我喜欢它是REST框架，因为它非常轻巧。

I like REST the best for its simplicity, and would like to create an API architecture based on it. 我最喜欢REST的原因在于它的简单性，并希望基于它创建一个API架构。 I'm trying to get my head around the basic principles and have not fully understood it yet. 我正在努力了解基本原理，但尚未完全了解它。 Therefore, a number of questions. 因此，有很多问题。

1. Am I understanding it right? 1.我理解正确吗？

Say I have a resource "users". 说我有一个资源“用户”。 I could set up a number of URIs like so: 我可以像这样设置许多URI：

/api/users     when called with GET, lists users
/api/users     when called with POST, creates user record
/api/users/1   when called with GET, shows user record
               when called with PUT, updates user record
               when called with DELETE, deletes user record

is this a correct representation of a RESTful architecture so far? 到目前为止，这是RESTful架构的正确表示吗？

2. I need more verbs 2.我需要更多动词

Create, Update and Delete may be enough in theory, but in practice I will have the need for a lot more verbs. 从理论上讲，创建，更新和删除可能就足够了，但实际上，我将需要更多的动词。 I realize these are things that could be embedded in an update request, but they are specific actions that can have specific return codes and I wouldn't want to throw them all into one action. 我意识到这些东西可以嵌入到更新请求中，但是它们是可以具有特定返回码的特定动作，因此我不想将它们全部放入一个动作中。

Some that come to mind in the user example are: 在用户示例中想到的一些是：

activate_login
deactivate_login
change_password
add_credit

how would I express actions such as those in a RESTful URL architecture? 如何表达诸如RESTful URL体系结构中的动作？

My instinct would be to do a GET call to a URL like 我的直觉是对URL之类的GET调用

/api/users/1/activate_login

and expect a status code back. 并期待返回状态码。

That deviates from the idea of using HTTP verbs, though. 但是，这与使用HTTP动词的想法不同。 What do you think? 你怎么看？

3. How to return error messages and codes 3.如何返回错误消息和代码

A great part of REST's beauty stems from its use of standard HTTP methods. REST之美的很大一部分源于其对标准HTTP方法的使用。 On an error, I emit a header with a 3xx,4xx or 5xx error status code. 出现错误时，我发出带有3xx，4xx或5xx错误状态代码的标头。 For a detailed error description, I can use the body (right?). 有关错误的详细说明，我可以使用主体（对吗？）。 So far so good. 到现在为止还挺好。 But what would be the way to transmit a proprietary error code that is more detailed in describing what went wrong (eg "failed to connect to database", or "database login wrong")? 但是，传输专有错误代码的方式将是什么呢？该错误代码会在描述错误原因（例如“连接数据库失败”或“数据库登录错误”）中进行更详细的说明？ If I put it into the body along with the message, I have to parse it out afterwards. 如果将其与消息一起放入正文中，则必须在以后对其进行解析。 Is there a standard header for this kind of thing? 是否有用于此类事物的标准标头？

4. How to do authentication 4.如何进行身份验证

What would a API key based authentication following REST principles look like? 遵循REST原理的基于API密钥的身份验证会是什么样？
Are there strong points against using sessions when authenticating a REST client, other than that it's a blatant violation of the REST principle? 除了对REST原则的公然违反之外，在验证REST客户端时是否有使用会话的强项？ :) (only half kidding here, session based authentication would play well with my existing infrastructure.) ：）（在这里只是开个玩笑，基于会话的身份验证可以在我现有的基础架构中很好地发挥作用。）