-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better webhooks validation #93
Conversation
@nmaupu Thank you for submitting this Pull Request. I hope to look at the changes soon and provide useful feedback. I glanced at the CI failures and they're golint related:
If you're comfortable with me doing so, I can push to your branch to resolve that after I review the changes. |
ab0ad13
to
b7e4bff
Compare
CI fixed. |
@nmaupu Thanks again for submitting this PR.
I like the changes made here. I believe that the changes fit well and are clear and easy to understand. This feels like it really opens up options without making the library harder to use. For For I see that the overall theme is to move standalone functions/functionality out of standalone functions into methods and deprecate the exported validation functionality. For better or worse, I intentionally exported the validation functionality in dasrick#6 so that client code could directly use it. Looking back, while I can see that this might violate the A little copying is better than a little dependency proverb, the idea was to centralize the validation functionality in this library for use across multiple client applications. Do you feel that exposing this validation functionality directly is a poor fit? I see that you exported the default prefix regex (now named I originally did not export it thinking that it might not be a stable validation pattern, but maybe it is. Renaming it, both to add a "Default" prefix to the name and add "ValidationPattern" as part of the name makes sense. It is a much friendlier name and fits well with the idea that there is support for multiple validation patterns. With that thinking, it now makes sense why "Prefix" was dropped from other identifiers. This helps keep things consistent. That said, the I did not initially understand why I'm still looking over the other changes, will respond further when I can. |
Hi,
All questions and feedbacks are always welcome 👍 No one can know everything, I am also and always still learning!
I see what you mean, nevertheless,
I think API should provide basic components only and should try to keep things easy to read and to maintain as much as possible. Exposing helper funcs like this somewhat stutters features of the API and can make things confusing.
This is a const, I don't see why not to 🤷♂️
Yes sure, but as it's not really a prefix, I would assume naming it
I don't have a good answer to this, I would say no because existing code will compile and it won't really change the behavior of the API. EDIT: bumping go version would also be a good idea ;) |
b7e4bff
to
aa6e1ec
Compare
Validation was included in the v1 series. We expanded the validation first to support one additional "known" FQDN pattern, then later as you've probably seen as a hotfix to support other domains (or disable it entirely). As you're aware from submitting this PR, that experience has room for further improvement. Re the version bump, I think if we end up removing/renaming what is exposed/exported (what I meant by "API" earlier), then that might require us to alias it or do a major version bump as you said. Will respond further when I have more time to do so. |
The original line of thought was that by not exporting it we could modify the regex if needed to adjust the pattern. The regex has worked well thus far, so it should be fine to export.
I don't know where I picked it up, but out of https://fqdn/suburi I was referring to https://fqdn as the "prefix". Admittedly it may not be the best wording, but that is where the prefix naming comes from. After I ignored individual changes and looked at your code changes as a whole (before I responded) I agree that the new name fits better, but I'm focused on backwards compatibility at this point. Since the
To clarify, when I said this:
I was referring to "API" in the larger sense of the exported types/functions/constants and so forth and not the specific
I had to go look it up just to make sure I wasn't remembering wrong. At the risk of repeating myself, I think the
I responded to this with my last post, but since the functionality was in the 1.x series I would consider the changes made after that to be a modification or enhancement to the original single FQDN validation behavior. Admittedly not as flexible or elegant as this approach, but not a breaking change in itself.
Are you referring to the From https://golang.org/ref/mod#go-mod-file-go:
Are you aware of any changes made to this library that would require a newer Go version? On a different note, I see that you've pushed further changes to your branch. I'll pull those and take another look. |
Maybe something like the following (to mirror the approach used in the standard library): // ErrWebhookURLUnexpected is returned when a provided webhook URL does
// not match a set of confirmed webhook URL patterns.
var ErrWebhookURLUnexpected = errors.New("webhook URL does not match one of expected patterns")
// ErrWebhookURLUnexpectedPrefix is returned when a provided webhook URL does
// not match a set of confirmed webhook URL prefixes.
//
// Deprecated: Use ErrWebhookURLUnexpected instead.
var ErrWebhookURLUnexpectedPrefix = ErrWebhookURLUnexpected |
Unfortunately this might end up applying to other values that were exported also, even |
This makes sense. I've also seen similar approaches with some logging packages I've used. In most (all?) of those cases I've seen standalone functions and methods mirroring functionality. I don't know whether that means This sounds useful as a separate Pull Request. I'll go ahead and file an issue for it so further discussion can take place there (if needed). |
Say you have three different dependent projects that you maintain and you'd like to provide validation to each. One approach is to just let this library handle the task as-is without exposing validation functionality, handling it internally. The client application would simply accept the result/error code and deal with that. In another case, client code could apply validation when parsing flags or config files and reject known invalid URLs leveraging the validation functionality provided by this package. I've done this with at least one case and was adopting it by the others (at some point). It felt like a good fit to expose validation by this library for shared (related) use elsewhere. Admittedly this mindset was building off of the existing validation behavior already present. Had it not been present to begin with I may have just kept the validation functionality in a shared package elsewhere as a layer on top of this library. I can't say for sure. Just trying to reason this through. Moving the validation to internal-use only might be a good fit for a v3 design, if that is how things settle.
For this:
Is this the new Since both use cases are covered, the helper functions can be deprecated. I think I better understand where you are coming from. |
Thinking out loud: if GH-96 goes in, would providing exported validation functions (which internally use a singleton for method access) be a concern? If so, would moving validation functionality into a subpackage in any way change this? |
Sure, I added that in the PR! |
I agree but this is not used anymore (making a string comparison to enable / disable something is so-so :/) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all of your work on this. Overall I think the changes are really useful and make for a more cohesive package.
Unless you want to work it in, I'll plan to update the README coverage to illustrate the changes applied here, omitting use of functionality that is being deprecated by this PR.
92bf429
to
54e6e84
Compare
54e6e84
to
1fd45aa
Compare
I updated the README. Feel free to commit if you feel changes are inappropriate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your hard work on this. This library is much improved due to your efforts.
- Restore notes for example of disabling webhook validation - Add notes for custom webhook URL validation refs GH-93
@nmaupu fwiw: staticcheck flags use of |
MessageCard
can now be validated with a custom validation funcAPI
now supports custom webhook patterns for URL validation (added to the ability to deactivating it)