Use 308 status instead of 301 when redirecting

[nashley]

Motivation

Assuming a route for /path is defined,
POST /path/ currently may redirect to GET /path when it should redirect to POST /path (depending on the client).

This was outlined in #681.

This has potential security implications (e.g., if the POST contained sensitive data, that data may be saved by the user's client in their browser history and/or in the server's access logs).

It's worth noting that the internal test client, a wrapper for the popular reqwest client, is susceptible to this incorrect behavior.

Solution

This PR replaces the 301 redirect with a 308 and adds corresponding tests to verify the behavior (note that these tests fail without the accompanying code change).

• Determine if this counts as a breaking change
  • if so, this should be rebased onto axum-next
  • if not (or regardless), an entry in CHANGELOG.md should be added

[nashley]

Should this PR be against main or axum-next? The behavior is changing in a way that could be impactful [1][2], but I'd argue this fits more in line with a bugfix, so I went ahead and made it against main.

[1] e.g., if a server had a different route defined for the GET requests and the application somehow depended on the broken redirect functionality sending requests with a trailing / to the GET handler instead of the typically-desired handler
[2] Some clients (circa 2012) only support 301 and not 308 (e.g., Internet Explorer before version 11, Firefox before 14, Chrome before 36, etc). See caniuse for more info. Such clients would stop following trailing slash redirects properly.

[nashley]

Converted to draft while I add deprecation attributes to methods that return ambiguous response codes (viz., 301 and 302)

[nashley]

It looks like there's currently no built-in method for 301 redirects -- just 302. I refrained from adding that in this PR (since it seems odd to add a new method that's immediately deprecated), but I can do so if desired.

[nashley]

I'm not yet marking this as ready for review, since I haven't tested examples/oauth/src/main.rs after making changes to it (though I expect it will work without a hitch).

[ttys3]

if we change 301 -> 308
I think leave 302 alone is strange. maybe we also need change 302 to 307

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307

The only difference between 307 and 302 is that 307 guarantees that the method and the body will not be changed when the redirected request is made. With 302, some old clients were incorrectly changing the method to GET: the behavior with non-GET methods and 302 is then unpredictable on the Web, whereas the behavior with 307 is predictable. For GET requests, their behavior is identical.

[nashley]

@ttys3 I agree. I had already marked Redirect::found as deprecated and updated the examples to reflect that. Did I miss any other instances of 302?
> rg StatusCode::FOUND -B 4 yields only the aforementioned hit:

axum/src/response/redirect.rs
87-    #[deprecated(
88-        note = "This results in different behavior between clients, so Redirect::temporary or Redirect::to should be used instead"
89-    )]
90-    pub fn found(uri: Uri) -> Self {
91:        Self::with_status_code(StatusCode::FOUND, uri)

[davidpdrsn]

Thanks for fixing this!

IMO its not a breaking change so doesn't have to merged into axum-next.

[nashley]

I verified that the example still works and made some small improvements along the way (though I had to expose some previously-private fields to nicely destructure an existing error when requests without a Cookie header were made).

I'd like confirmation that exposing TypedHeaderRejection's fields directly instead of via accessor methods isn't a bad idea for some reason I can't foresee. But otherwise I think this is ready.

[nashley]

I'm not hugely fond of this, but I couldn't think of a better way to do it without introducing a wrapping type or using anyhow in a way I'm not familiar with. Suggestions welcome.

[davidpdrsn]

I'm not very familiar with this example but the fields should stay private. Users should not be able to construct this type directly or mutate the fields.

[davidpdrsn]

The fields of TypedHeaderRejection should stay private.

[nashley]

Apologies for all of the extra commits. I'm not squashing to abide by the contributing guidelines.

[davidpdrsn]

LGMT! Thanks 😃

[davidpdrsn]

Apologies for all of the extra commits. I'm not squashing to abide by the contributing guidelines.

Appreciated! Makes reviewing changes since my last review much easier.

[jplatte]

Appreciated! Makes reviewing changes since my last review much easier.

You know GitHub can also render force-push diffs though, right? (need to click the text "force-pushed" in the comments view)

[davidpdrsn]

Maybe 🤷 I remember not being able to figure it out

[jplatte]

It is definitely weird, but it works (just requires a few extra clicks because the notification will lead you to a "we couldn't find these commits" page). Example: ruma/ruma#796 (comment)

[davidpdrsn]

omg must subtle link ever! No wonder I never noticed 🧐