Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update schema to accept string HTTP methods like "GET", as well as keywords. #685

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

danielcompton
Copy link
Member

The changes in release 0.6.2 broke some production code which was using :request-method "GET" instead of :request-method :get. I thought it might be good to warn others about this.

@KingMob
Copy link
Collaborator

KingMob commented Jul 5, 2023

@danielcompton Thanks for pointing this out. At first, I was surprised that string methods even worked, but I took a look at the code, and the transformation from keyword to Netty input is such that strings will usually work, too. (Though string TRACE methods will break some code.) FWIW, the Ring SPEC is clear, and it's been keywords-only for its entire life.

Regardless, I guess the question is, should we:

  1. Add a breaking change note, like this PR?
  2. Remove wrap-validation from the default middleware, and silently continue to accept strings?
  3. Loosen the schema to accept strings, too?

I'd rather not break any other wild code, so I prefer 2 or 3. I think 2 will leave the validation effectively unused by 99.99% of users, which defeats its purpose. I still hope to tighten the schema for areas like the query-string and the uri, so I vote for 3. This is not a strongly-held opinion, though. Thoughts?


From #679:

We should probably tighten the schemas soon. I've had bad experiences in the past using spec, when people let specs be loose for too long, they became concerned that locking them down would break something (E.g., one team only accepts ports as numbers, but another team also accepts them as strings which it parses...)

Isn't it too late already?

Well, that comment exchange proved prophetic 😂

@danielcompton
Copy link
Member Author

I'd rather not break any other wild code, so I prefer 2 or 3. I think 2 will leave the validation effectively unused by 99.99% of users, which defeats its purpose. I still hope to tighten the schema for areas like the query-string and the uri, so I vote for 3. This is not a strongly-held opinion, though. Thoughts?

Yeah, 3 seems like a safe middle ground without breaking existing code when people upgrade Aleph versions.

A possible extension to 3 could be to log a warning when callers pass a string instead of a keyword. That way, you could still tighten the spec one day if you ever decided to. Although I don't really know what you'd be gaining at that point, so maybe allowing string + keyword is ok.

@arnaudgeiser
Copy link
Collaborator

Loosen the schema to accept strings, too?

I would definitely loosen the schema. And as a follow-up, confirm we didn't break any other parameters along the way.

@KingMob
Copy link
Collaborator

KingMob commented Jul 11, 2023

Option 3 it is.

Daniel, do you want to tackle it, since you have the PR open? It's fine if not, I'm just saying you're welcome to if you like.

@danielcompton
Copy link
Member Author

Sorry, I dropped this. Happy for you to take it if you'd like.

@KingMob
Copy link
Collaborator

KingMob commented Sep 5, 2023

@danielcompton We can do it, but I have plenty on my plate at the moment, and you're welcome to if you like. Just let us know.

@KingMob KingMob changed the title Add a note about breaking changes in #679 Update schema to accept string HTTP methods like "GET", as well as keywords ~~Add a note about breaking changes in #679~~ Oct 23, 2023
@KingMob KingMob changed the title Update schema to accept string HTTP methods like "GET", as well as keywords ~~Add a note about breaking changes in #679~~ Update schema to accept string HTTP methods like "GET", as well as keywords ~Add a note about breaking changes in #679~ Oct 23, 2023
@KingMob KingMob changed the title Update schema to accept string HTTP methods like "GET", as well as keywords ~Add a note about breaking changes in #679~ Update schema to accept string HTTP methods like "GET", as well as keywords. Oct 23, 2023
@danielcompton danielcompton force-pushed the danielcompton-patch-1 branch from a393378 to 0487992 Compare March 27, 2024 20:08
@danielcompton
Copy link
Member Author

@KingMob I've updated the PR to expand the validation. LMK what you think.

Copy link
Collaborator

@arnaudgeiser arnaudgeiser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good to me, thank you Daniel!

@@ -183,6 +183,12 @@
(doseq [req (mg/sample schema/ring-request)]
(is (middleware/wrap-validation req)))

(testing "Request methods can be strings"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

modulo the testing import that is missing. :)

* Bump deps and example deps
* Upgrade CircleCI instance size
* Switch to pedantic deps for CircleCI

### Breaking changes

* Add `wrap-validation` middleware to validate Ring maps [#679](https://github.com/clj-commons/aleph/pull/679). This adds a stricter interpretation of the ring spec, which may fail on previously valid input. For example, strings (e.g. `"GET"`) and keywords (e.g. `:get`) were both accepted values for `:request-method`, but now only keywords are accepted. This will be fixed in the release after 0.7.1.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's remove the bit about "a stricter interpretation of the Ring spec". The ring spec never allowed strings, we just accepted them by accident.

Copy link
Collaborator

@KingMob KingMob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just got back from vacation. Looks cool to me. (Tho testing needs to be required)

My only note is that the Ring spec never accepted strings, and the changelog shouldn't say otherwise. It's just an Aleph bug that users might have come to rely on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants