Christian Tremblay Tue 11 Feb 2020
One user reported that GET requests were not supported anymore:
"From version 3.0.22, they stopped support on GET calls"
This is affecting pyhaystack users and I would like to know if this is a real breaking change.
https://github.com/ChristianTremblay/pyhaystack/issues/84
Thanks
Chris Breederveld Wed 12 Feb 2020
Hi Christian,
First of all, this is probably a question better suited on the SkyFoundry board. Secondly, as far as I know the use of GET request with side-effects was (imo very correctly) disallowed in version 3.0.20 upwards, but can be enabled using the allowGetWithSideEffects setting.
Brian Frank Wed 12 Feb 2020
The default behavior of SkySpark is now to disallow GET requests for non-idempotent operations. So it's still allowed on certain operations such as about, formats, read. However, as Chris said, it can be toggled back on using Settings|API for backward compatibility.
However as a recommendation I think we should always be using POST as a safer alternative. Using GET for ops with side-effects is against the HTTP spec. Plus it is an attack vector if cookies are involved. And it provides a more precise way to pass the request payload.
Christian Tremblay Wed 12 Feb 2020
@Brian I understand that you have technical reasons for doing so. But we built pyhaystack using the provided documentation defining the REST API found on this site, and we found no information about this particularity. This is, from our point of view, a breaking change that brought some questions/issues from users that don't seem to be aware of this change.
Do you plan modifying the "recommendation" of the project-haystack REST API to use POST for ops?
@Chris Breederveld In regard to the SkyFoundry board, I'm not a user of SkySpark. But I understand not mixing things is important. The REST API standard being defined here, I thought it would not be problematic though.
Brian Frank Wed 12 Feb 2020
Do you plan modifying the "recommendation" of the project-haystack REST API to use POST for ops?
Yes, I think as we rework the documentation for the HTTP API for Haystack 4 we should make this recommendation. I'd also like to figure out how ops can become defs.
Christian Tremblay Wed 12 Feb 2020
Another question: what are the side effects of a GET request on hisRead?
Must the fact that we send the date be considered a side effect? I thought that as this didn't change anything on the server, this was not an issue...
(Learning here...)
pyhaystack.client.http.exceptions.HTTPStatusError: [Errno 405 Client Error: GET not allowed for op "hisRead" for url: https://skyspark3.server.org/api/demo/hisRead?id=%40p%3Ademo%3Ar%3A255873a0-2366039f&range=yesterday] 405
Brian Frank Wed 12 Feb 2020
The fact that we send the date must be considered as side effect
It's not really from a theoretical perspective. But in SkySpark we allow customers to generate histories using their own custom functions. So from a security perspective we took the safest route and consider it to potentially have side effects.
If your code is all using GET, then just have the customer set the Settings|API allowGetWithSideEffects flag to false and it should all work.
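An added example, not code from the thread, pyhaystack or SkySpark: it builds the hisRead call from the 405 error above in both shapes, the GET form with op arguments on the query string and the POST form carrying a Zinc request grid, and models the server-side rule Brian describes (GET accepted only for idempotent ops unless allowGetWithSideEffects is set). Assumptions: the base URL and point ref are taken from the error message; the set of GET-safe ops is only the three the thread names, not SkySpark's real list; the `text/zinc` content type is the standard Haystack encoding; `check_method` is a toy policy function, not SkySpark's dispatcher. Nothing here touches the network.

```python
# Added example (not from the thread, pyhaystack or SkySpark): hisRead as GET vs POST,
# plus a toy model of the "GET only for side-effect-free ops" server policy.
from urllib.parse import urlencode, urljoin
from urllib.request import Request

BASE = "https://skyspark3.server.org/api/demo/"   # host/project from the 405 error in the thread
HIS_ID = "@p:demo:r:255873a0-2366039f"            # point Ref from the same error

# Ops the thread names as still reachable over GET. Assumption: this is the subset
# mentioned in the thread, not the authoritative SkySpark list.
GET_SAFE_OPS = frozenset({"about", "formats", "read"})


def zinc_str(s: str) -> str:
    """Encode a Python str as a Zinc Str literal: double-quoted, with \\ " and newline escaped."""
    esc = s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{esc}"'


def his_read_grid(his_id: str, rng: str) -> str:
    """Zinc request grid for hisRead: one row with an 'id' Ref column and a 'range' Str column."""
    if not his_id.startswith("@"):
        raise ValueError("hisRead id must be a Ref literal, e.g. @p:demo:r:...")
    return "\n".join(['ver:"3.0"', "id,range", f"{his_id},{zinc_str(rng)}"]) + "\n"


def his_read_get(base: str, his_id: str, rng: str) -> Request:
    """Legacy shape: arguments on the query string, empty body.
    This is exactly the URL the 405 in the thread complains about. Because a GET
    needs no body, any page can trigger it with <img src=...> and the browser will
    attach the session cookie, which is the CSRF angle Brian mentions."""
    query = urlencode({"id": his_id, "range": rng})   # '@' -> %40, ':' -> %3A
    return Request(urljoin(base, "hisRead") + "?" + query, method="GET")


def his_read_post(base: str, his_id: str, rng: str) -> Request:
    """Recommended shape: op name in the path, arguments as a Zinc grid in the POST body."""
    body = his_read_grid(his_id, rng).encode("utf-8")
    return Request(
        urljoin(base, "hisRead"),
        data=body,
        method="POST",
        headers={"Content-Type": "text/zinc; charset=utf-8", "Accept": "text/zinc"},
    )


def check_method(op: str, method: str, allow_get_with_side_effects: bool = False) -> int:
    """Toy model of the server-side rule (assumption, not SkySpark's code):
    POST is always accepted; GET only for ops known to be free of side effects,
    or for everything when the backward-compat flag is on. Returns the HTTP status."""
    method = method.upper()
    if method == "POST":
        return 200
    if method == "GET" and (op in GET_SAFE_OPS or allow_get_with_side_effects):
        return 200
    return 405   # Method Not Allowed, as in the pyhaystack traceback above


if __name__ == "__main__":
    print(his_read_get(BASE, HIS_ID, "yesterday").full_url)
    print(his_read_post(BASE, HIS_ID, "yesterday").data.decode())
    for op, m in (("hisRead", "GET"), ("hisRead", "POST"), ("about", "GET")):
        print(op, m, check_method(op, m))
```

Running the block prints the GET URL from the error message, the three-line Zinc grid the POST would carry, and the status the toy policy returns for each combination; the flag that Brian's last post refers to is modelled by `allow_get_with_side_effects=True`, which makes `check_method("hisRead", "GET", True)` return 200.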