ASF-ui abuses /Api/WWW/Send where it could use more appropriate API instead #1319
Labels
🐛 Bug
Issues marked with this label indicate unintended program behaviour that needs correction.
✨ Enhancement
Issues marked with this label indicate further enhancements to the program, such as new features.
🔴 High priority
Issues marked with this label indicate the most serious problems, especially security-related.
Description
In ui.js we have such function:
This abuses the internal API, as
Send
was intended to be used only for fetching resources that are not possible to reach through more appropriate endpoints.Expected behavior
ASF exposes two nice endpoints to fetch ASF release:
The above function should be rewritten and call for
/Api/WWW/GitHub/Release
whenasf.updateChannel === UPDATECHANNEL.EXPERIMENTAL
and/Api/WWW/GitHub/Release/latest
otherwise./Api/WWW/GitHub/Release
:/Api/WWW/GitHub/Release/latest
:Current behavior
ASF-ui calls the GitHub itself, which apart from looking awful and being much slower, is prone to breaking changes, not just the ones caused by GitHub, but also the fact that ASF repo could change URL in the future, making this whole call broken.
Additional information
Im evaluating whether I can implement the wiki requirements of ASF-ui in ASF itself and therefore remove the
Send
endpoint entirely, as it has a potential for broad abuse that I didn't consider before. The change mentioned here is something that should be done regardless ofSend
removal decision - I'm pointing it out to give this issue further pressure than low-priority wishlist.The text was updated successfully, but these errors were encountered: