-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update schema to accept string HTTP methods like "GET", as well as keywords. #685
base: master
Are you sure you want to change the base?
Conversation
@danielcompton Thanks for pointing this out. At first, I was surprised that string methods even worked, but I took a look at the code, and the transformation from keyword to Netty input is such that strings will usually work, too. (Though string TRACE methods will break some code.) FWIW, the Ring SPEC is clear, and it's been keywords-only for its entire life. Regardless, I guess the question is, should we:
I'd rather not break any other wild code, so I prefer 2 or 3. I think 2 will leave the validation effectively unused by 99.99% of users, which defeats its purpose. I still hope to tighten the schema for areas like the query-string and the uri, so I vote for 3. This is not a strongly-held opinion, though. Thoughts? From #679:
Well, that comment exchange proved prophetic 😂 |
Yeah, 3 seems like a safe middle ground without breaking existing code when people upgrade Aleph versions. A possible extension to 3 could be to log a warning when callers pass a string instead of a keyword. That way, you could still tighten the spec one day if you ever decided to. Although I don't really know what you'd be gaining at that point, so maybe allowing string + keyword is ok. |
I would definitely loosen the schema. And as a follow-up, confirm we didn't break any other parameters along the way. |
Option 3 it is. Daniel, do you want to tackle it, since you have the PR open? It's fine if not, I'm just saying you're welcome to if you like. |
Sorry, I dropped this. Happy for you to take it if you'd like. |
@danielcompton We can do it, but I have plenty on my plate at the moment, and you're welcome to if you like. Just let us know. |
a393378
to
0487992
Compare
@KingMob I've updated the PR to expand the validation. LMK what you think. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me, thank you Daniel!
@@ -183,6 +183,12 @@ | |||
(doseq [req (mg/sample schema/ring-request)] | |||
(is (middleware/wrap-validation req))) | |||
|
|||
(testing "Request methods can be strings" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
modulo the testing
import that is missing. :)
* Bump deps and example deps | ||
* Upgrade CircleCI instance size | ||
* Switch to pedantic deps for CircleCI | ||
|
||
### Breaking changes | ||
|
||
* Add `wrap-validation` middleware to validate Ring maps [#679](https://github.com/clj-commons/aleph/pull/679). This adds a stricter interpretation of the ring spec, which may fail on previously valid input. For example, strings (e.g. `"GET"`) and keywords (e.g. `:get`) were both accepted values for `:request-method`, but now only keywords are accepted. This will be fixed in the release after 0.7.1. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's remove the bit about "a stricter interpretation of the Ring spec". The ring spec never allowed strings, we just accepted them by accident.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just got back from vacation. Looks cool to me. (Tho testing
needs to be required)
My only note is that the Ring spec never accepted strings, and the changelog shouldn't say otherwise. It's just an Aleph bug that users might have come to rely on.
The changes in release 0.6.2 broke some production code which was using
:request-method "GET"
instead of:request-method :get
. I thought it might be good to warn others about this.