Clarify the description of REST vs OCS in accordance to sugestions discussed #12264
Conversation
Signed-off-by: Christian Wolf <github@christianwolf.email>
Signed-off-by: Christian Wolf <github@christianwolf.email>
|
@provokateurin I started to rephrase the "do not use OCS" in this PR. Does this sound reasonable or am I going completely the wrong direction? I know I need to eventually write a few more words and I for sure have to check the table entries (and wanted to explain them a bit more). What do you think, makes this sense? Is this to be discussed with some guys from the core team before merging (as it reverts some basic strategic statement)? |
| @@ -183,7 +183,7 @@ | |||
| #'pointsize': '10pt', | |||
|
|
|||
| # Additional stuff for the LaTeX preamble. | |||
| 'preamble': '\extrafloats{100}\maxdeadcycles=500\DeclareUnicodeCharacter{274C}{\sffamily X}', | |||
| 'preamble': '\\extrafloats{100}\\maxdeadcycles=500\\DeclareUnicodeCharacter{274C}{\\sffamily X}', | |||
| Offering a RESTful API is not different from creating a :doc:`route <../basics/routing>` and :doc:`controllers <../basics/controllers>` for the web interface. It is recommended though to inherit from ApiController and add **@CORS** annotations to the methods so that `web applications will also be able to access the API <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>`_. | ||
| Offering a RESTful API is not different from creating a :doc:`route <../basics/routing>` and :doc:`controllers <../basics/controllers>` for the web interface. | ||
| It is recommended though to inherit from ApiController and add **@CORS** annotations to the methods so that `web applications will also be able to access the API <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>`_. |
There was a problem hiding this comment.
This is just styling to put every sentence on it's own line. I can drop that as well.
| Keep in mind that multiple apps will likely depend on the API interface once it is published and they will move at different speeds to react to changes implemented in the API. Therefore it is recommended to version the API in the URL to not break existing apps when backwards incompatible changes are introduced:: | ||
| Keep in mind that multiple apps will likely depend on the API interface once it is published and they will move at different speeds to react to changes implemented in the API. | ||
| Therefore it is recommended to version the API in the URL to not break existing apps when backwards incompatible changes are introduced:: |
| The following combinations of attributes might be useful for various scenarios: | ||
|
|
||
| #. Plain frontend route: No special attribute related to CSRF or CORS | ||
| #. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute |
There was a problem hiding this comment.
CSRF checks should only be disabled when absolutely necessary, this line should have a big warning
There was a problem hiding this comment.
These are some of the few words I wanted to add...
| The following combinations of attributes might be useful for various scenarios: | ||
|
|
||
| #. Plain frontend route: No special attribute related to CSRF or CORS | ||
| #. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute |
There was a problem hiding this comment.
| #. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute | |
| #. Plain Frontend with CRSF checks disabled: ``Controller`` class and ``#[NoCSRFRequired]`` attribute on the method |
| #. Plain frontend route: No special attribute related to CSRF or CORS | ||
| #. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute | ||
| #. REST route with CORS enabled: Add the ``#[CORS]`` attribute | ||
| #. OCS-based route |
There was a problem hiding this comment.
There is another case with OCS+CSRF
Co-authored-by: Kate <26026535+provokateurin@users.noreply.github.com> Signed-off-by: Christian Wolf <github@christianwolf.email>
Signed-off-by: Christian Wolf <github@christianwolf.email>
|
I tried to address the points discussed here. I decided that the CORS should be better put in a separate section as it seems orthogonal to the original question (what should I use Controller or OCSController?). For simpler reading, I put screenshots of the current state here:
|
| @@ -759,7 +764,7 @@ In order to ease migration from OCS API routes to the App Framework, an addition | |||
|
|
|||
| The format parameter works out of the box, no intervention is required. | |||
There was a problem hiding this comment.
I know you didn't change this, but this sentence is a bit unclear. It talks about the ?format=json parameter, but doesn't really explain it. IMO using the format parameter is not good, the Accept: application/json header should be used instead as it is standardized.
There was a problem hiding this comment.
I tried to address this in the latest commit.
| #. Plain frontend route: ``Controller`` class | ||
| #. Plain Frontend with CRSF checks disabled: ``Controller`` class and ``#[NoCSRFRequired]`` attribute on the method | ||
| #. OCS-based route: ``OCSController`` class | ||
| #. OCS-based route with CSRF disabled: ``OCSController`` class and ``#[NoCSRFRequired]`` attribute on the method |
There was a problem hiding this comment.
I think this case doesn't exist, NoCSRFRequired should not have an effect on OCSController, but I will have to check that in the code to be sure.
There was a problem hiding this comment.
I was thinking back and forth on this as well. In the end, I decided to keep the case as there is a certain difference (at least from the implementation):
For methods with NoCSRFRequired, this section is doing nothing.
For the case where the attribute is not given, the strict cookie check boils down to a check on the OCS-APIREQUEST header or no valid session token.
With the header in place (as the OCS controller generally expects), the second part is also skipped: The CSRF check is hardcoded to true, thus isInvalidCSRFRequired returns false.
When the header is not set, you enter the second if block and will check the inner if. The check isinstance OCSController is obviously true. The isValidOCSRequest is somewhat redundant as it can only be reached with the header unset. Alternatively, a bearer authorization header is sufficient to make the CSRF checker happy (even without OCS header and without NoCSRFRequired attribute).
I was adding this case as a reaction on your statement
There is another case with OCS+CSRF
In my opinion the last case could be dropped (and was never planned in the first round) but I do not see clearly the motivation of it, to be honest. Did I misunderstand your statement above?
Signed-off-by: Christian Wolf <github@christianwolf.email>
christianlupus
force-pushed
the
fix/clarification-rest-ocs
branch
from
08e4aab
to
ca6794c
Compare
☑️ Resolves
🖼️ Screenshots
T.B.D.