Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow, but discourage, requestBody for GET, HEAD, DELETE #1937

Merged
merged 2 commits into from
Dec 19, 2019

Conversation

n2ygk
Copy link
Contributor

@n2ygk n2ygk commented May 30, 2019

Fixes #1801 per TSC discussion of 2019-05-30 which requested a PR for review.

@philsturgeon
Copy link
Contributor

This is a good change.

@n2ygk
Copy link
Contributor Author

n2ygk commented May 31, 2019

@philsturgeon Thanks. I suppose I need to forward-port this against 3.1.0-dev as well?

@philsturgeon
Copy link
Contributor

@n2ygk I expect there are periodic merges from master to 3.1.0-dev.

@n2ygk
Copy link
Contributor Author

n2ygk commented May 31, 2019

@n2ygk I expect there are periodic merges from master to 3.1.0-dev.

@philsturgeon Yeah I was thinking that, except the filename is 3.1.0.md vs. 3.0.3.md so a merge won't "just do it" as it's a different file. I'll wait for direction if and when this is approved and merged. Thanks.

@MikeRalphson
Copy link
Member

  1. We have a script which will forward port changes from patch releases (e.g. 3.0.3) to minor releases (e.g. 3.1.0) across files, obviating the need for any merges from master.
  2. As this change calls for different behaviour for tools written to this spec as opposed to versions 3.0.0, 3.0.0 and 3.0.2 I would personally prefer to see this targetted against v3.1.0.
  3. Typo: "symantics" for "semantics".

@ioggstream
Copy link
Contributor

I'd remember the following from RFC7230 too, as HTTP intermediaries could rejejct the request.

sending a payload body on a GET request might cause some existing
implementations to reject the request.

@n2ygk
Copy link
Contributor Author

n2ygk commented Jun 21, 2019

@MikeRalphson:

  1. We have a script which will forward port changes from patch releases (e.g. 3.0.3) to minor releases (e.g. 3.1.0) across files, obviating the need for any merges from master.
  2. As this change calls for different behaviour for tools written to this spec as opposed to versions 3.0.0, 3.0.0 and 3.0.2 I would personally prefer to see this targetted against v3.1.0.

OK, so I'll await for direction from the TSC on whether I should submit this against 3.1.0 instead.

  1. Typo: "symantics" for "semantics".

D'oh! Thanks. commit coming.

@n2ygk
Copy link
Contributor Author

n2ygk commented Jun 21, 2019

I'd remember the following from RFC7230 too, as HTTP intermediaries could rejejct the request.

sending a payload body on a GET request might cause some existing
implementations to reject the request.

@ioggstream: I believe that's in RFC 7231 4.3.1, not 7230. I prefer not to quote too much from other references rather than just citing them as is already done in the prior sentence.

@ioggstream
Copy link
Contributor

ioggstream commented Jun 23, 2019

@n2ygk

I believe that's in RFC 7231 4.3.1, not 7230.

True ;)

I prefer not to quote too much from other references.

Agree. I think the caveat I cited is easier to understand respect
to the current proposal.

I generally agree on the content.

Copy link

@bcoste bcoste left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've checked the RFC7231 and the new text respects it.

@philsturgeon
Copy link
Contributor

👍 latest wording looks good. Again we don't want to ban this, but we can suggest folks avoid it because spooky confusion my occur. SHOULD is the way to go.

GCSBOSS added a commit to GCSBOSS/nodecaf that referenced this pull request Jul 4, 2019
GCSBOSS added a commit to GCSBOSS/nodecaf that referenced this pull request Jul 4, 2019
Input type doc

- Ignore mime-types accept for GET, HEAD and DELETE operation docs
  - We'll probably revert this eventually
  - Check this out: OAI/OpenAPI-Specification#1937
- Add accepted mime-types to operation doc
- Add request type filtering to readme
- Add default permissive request body description to doc generation
- Fix unknown type "as-is" on cli options
- Move accepts type parsing to own file
- Update test suite to listen based on a constant instead of explicit 'localhost'


See merge request GCSBOSS/nodecaf!20
@n2ygk
Copy link
Contributor Author

n2ygk commented Jul 18, 2019

@darrelmiller is there a plan to merge this at some point? Just trying to clean up my various open PRs....

Copy link
Member

@darrelmiller darrelmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @MikeRalphson that as this is actually changing allowed behaviour we should defer this change to 3.1

@rcgroup-areuin
Copy link

Hello,
When this change will be release (if not already done)?
The version 3.0.3 is the one?
We are looking up to upgrade from Swagger 2 to OpenAPI 3 but this issue had us blocked.
Is this finally approved? (if so, we can begin in parallel and wait for release)
Thanks.

@n2ygk
Copy link
Contributor Author

n2ygk commented Sep 3, 2019

I agree with @MikeRalphson that as this is actually changing allowed behaviour we should defer this change to 3.1

@darrelmiller Do you want me to rebase this PR against 3.1?

BTW, I would make the counter-argument that it fixes a mistake in 3.0 vs. adding new functionality, as 3.0 breaks functionality from Swagger 2. So it could go in 3.0.3, thereby unblocking @rcgroup-areuin and others who are documenting pre-existing APIs -- not inventing new ones. Anyone "doing it right" would never run across this bug/feature in the spec anyway.

Is there a need for another TSC meeting agenda item to move this forward to a conclusion? I see a note in the June TSC #1941 needing to follow up on this. I imagine the September TSC is coming up shortly. Also, are there meeting minutes posted somewhere?

@handrews
Copy link
Member

handrews commented Nov 8, 2019

@darrelmiller @MikeRalphson should this (or the corresponding issue) be added to #2025 for 3.1 tracking?

@earth2marsh
Copy link
Member

As discussed in today's TSC call, this relaxes our stance on an issue that, as Ron observed, is something v2 was more relaxed about. General consensus was to accept this PR, thank you.

@earth2marsh earth2marsh merged commit b7b8238 into OAI:v3.0.3-dev Dec 19, 2019
@MikeRalphson
Copy link
Member

Bah! If I had remembered which branch this was targeted against, I would have rattled my semver stick.

@webron
Copy link
Member

webron commented Dec 20, 2019

@MikeRalphson - you're right. This should be reverted and reapplied to 3.1 - it can't be changed in 3.0.

@webron
Copy link
Member

webron commented Jan 23, 2020

@n2ygk - unfortunately we had to revert it (see #2114) but we'd still like to see the change in 3.1.0. Would you like to submit a similar PR against that version? I'd rather you get the credit as you put in the work.

@n2ygk
Copy link
Contributor Author

n2ygk commented Jan 23, 2020

@n2ygk - unfortunately we had to revert it (see #2114) but we'd still like to see the change in 3.1.0. Would you like to submit a similar PR against that version? I'd rather you get the credit as you put in the work.

will do

@n2ygk
Copy link
Contributor Author

n2ygk commented Jan 23, 2020

@webron see #2117

FrankHassanabad added a commit to elastic/kibana that referenced this pull request Jan 15, 2021
#87914)

## Summary

Changes `DELETE` to `POST` for _bulk_delete on the client only for a variety of reasons.

According to the RFC, not all servers and proxies need to honor DELETE having a body. From: https://tools.ietf.org/html/rfc7231

```
A payload within a DELETE request message has no defined semantics;
sending a payload body on a DELETE request might cause some existing
implementations to reject the request.
```

Within at least one proxy, h2o2, we have found that it does indeed change request headers which will cause NodeJS to not attach the body of a `DELETE`:
hapijs/h2o2#124

Also from other communities such as OpenAPI where they debated this, they allow it but discourage it for reasons outlined there that I will not repeat here:
OAI/OpenAPI-Specification#1937

Elastic Search API's and other Kibana API's use `POST` rather than `DELETE` for their bodies that are attached to `DELETE`:
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

We still support bodies in `DELETE` and `POST` but are just changing the web client to utilize `POST` moving forward.


### Checklist

Reviewed and we already have unit tests and end to end tests for these use cases so we are good with just updating them. 

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Jan 15, 2021
elastic#87914)

## Summary

Changes `DELETE` to `POST` for _bulk_delete on the client only for a variety of reasons.

According to the RFC, not all servers and proxies need to honor DELETE having a body. From: https://tools.ietf.org/html/rfc7231

```
A payload within a DELETE request message has no defined semantics;
sending a payload body on a DELETE request might cause some existing
implementations to reject the request.
```

Within at least one proxy, h2o2, we have found that it does indeed change request headers which will cause NodeJS to not attach the body of a `DELETE`:
hapijs/h2o2#124

Also from other communities such as OpenAPI where they debated this, they allow it but discourage it for reasons outlined there that I will not repeat here:
OAI/OpenAPI-Specification#1937

Elastic Search API's and other Kibana API's use `POST` rather than `DELETE` for their bodies that are attached to `DELETE`:
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

We still support bodies in `DELETE` and `POST` but are just changing the web client to utilize `POST` moving forward.


### Checklist

Reviewed and we already have unit tests and end to end tests for these use cases so we are good with just updating them. 

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit to elastic/kibana that referenced this pull request Jan 15, 2021
#87914) (#88509)

## Summary

Changes `DELETE` to `POST` for _bulk_delete on the client only for a variety of reasons.

According to the RFC, not all servers and proxies need to honor DELETE having a body. From: https://tools.ietf.org/html/rfc7231

```
A payload within a DELETE request message has no defined semantics;
sending a payload body on a DELETE request might cause some existing
implementations to reject the request.
```

Within at least one proxy, h2o2, we have found that it does indeed change request headers which will cause NodeJS to not attach the body of a `DELETE`:
hapijs/h2o2#124

Also from other communities such as OpenAPI where they debated this, they allow it but discourage it for reasons outlined there that I will not repeat here:
OAI/OpenAPI-Specification#1937

Elastic Search API's and other Kibana API's use `POST` rather than `DELETE` for their bodies that are attached to `DELETE`:
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

We still support bodies in `DELETE` and `POST` but are just changing the web client to utilize `POST` moving forward.


### Checklist

Reviewed and we already have unit tests and end to end tests for these use cases so we are good with just updating them. 

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
paulsturgess added a commit to apiaframework/apia-openapi that referenced this pull request Nov 7, 2023
This gem allows us to generate an [OpenAPI schema](https://www.openapis.org/) of an [Apia API](https://github.com/krystal/apia).

## Why are we using v3.0.0 when the latest is v.3.1.0 ?

The [OpenAPI generator](https://openapi-generator.tech) does not support 3.1.0 (at least for Ruby yet).

So the specification is for version 3.0.0. Annoyingly in v3.0.0, having a request body against a DELETE is deemed to be an error. And this shows up in [swagger-editor](https://editor.swagger.io/). However, after [community pressure](OAI/OpenAPI-Specification#1801), this decision was reversed and in [version 3.1.0 DELETE requests are now allowed to have a request body](OAI/OpenAPI-Specification#1937). 

I have successfully used the Ruby client library to use a DELETE request with a v3.0.0 schema, so I don't think it's a big deal. We can bump to 3.1.0 when the tooling is ready.

## What is implemented?

- All endpoints are described by the spec.
- ArgumentSet lookups with multiple methods of supplying params are handled
- All the various "non-standard" Apia data types are mapped to OpenAPI ones (e.g. decimal, unix)
- If `include` is declared on a field for partial object properties, then the endpoint response will accurately reflect that
- Array params for get requests work in the "rails way". e.g. `user_ids[]=1,user_ids[]=2`
- [swagger-editor](https://editor.swagger.io/) works, so we can use the "try it out" feature (including bearer auth)
- Routes that exclude themselves from the Apia schema are excluded from the OpenAPI output
- Endpoints are converted into "nice" names so that the generated client code is more pleasant to use
- Apia types (enums, objects, argument sets, polymorphs) are implemented as re-usable component schemas
- The spec is good enough to generate [client libraries in various programming languages](https://github.com/krystal/katapult-openapi-clients)

## What isn't implemented?

- Only the "happy path" response is included in the spec, we need to add error responses
- There are places in the spec where we can explicitly mark things as "required" and this has not been implemented everywhere.
- Perhaps we can improve how ArgumentSet lookups are declared – currently [swagger-editor](https://editor.swagger.io/) allows both params (e.g. id and permalink) to be sent in the request which triggers an error.
- We can improve the accuracy of the [data types](https://swagger.io/docs/specification/data-models/data-types/#numbers) by declaring the `format`. This is not implemented.
- There's one specification test that simply asserts against a static json file generated from the example app. Perhaps we could try actually validating it with something like https://github.com/kevindew/openapi3_parser
- Might be nice to dynamically determine the API version
- The example app needs expanding to ensure all code-paths are triggered in the generation of the schema

## Any other known issues?
- We can't have deeply nested objects in GET request query params. This just isn't defined by the OpenAPI spec. [There's GitHub issue about it](OAI/OpenAPI-Specification#1706). I don't believe we can do much here and probably we don't need to.
- File uploads are not implemented, but I don't think we have a need for that.
- We do not try to be too 'clever' when the endpoint field uses include to customize the properties returned. e.g. `include: '*,target[id,name]'` in this case we could actually use a `$ref` for the object referenced by the `*`. But instead, if a field uses `include` we just declare an inline schema for that field for that endpoint.
- The example API has been copied and expanded from the apia repo. Some of the additional arguments and ways the objects have been expanded is nonsense, but they're there just to ensure we execute all the code paths in the schema generation. Maybe we could come up with a better example API or perhaps we just don't worry about it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.