Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clean up plan for http module #3655

Closed
Tracked by #3489
kt3k opened this issue Sep 19, 2023 · 8 comments · Fixed by #3661
Closed
Tracked by #3489

Clean up plan for http module #3655

kt3k opened this issue Sep 19, 2023 · 8 comments · Fixed by #3661

Comments

@kt3k
Copy link
Member

kt3k commented Sep 19, 2023

There are 12 public paths in std/http:

  • cookie.ts
  • cookie_map.ts
  • etag.ts
  • file_server.ts
  • http_errors.ts
  • http_status.ts
  • method.ts
  • negotiation.ts
  • server.ts
  • server_sent_event.ts
  • user_agent.ts
  • util.ts

I'd suggest we should stabilize the following in first pass:

and I'd suggest we move the below to unstable/ sub directory of std/http

  • cookie_map.ts (Looks overly complex. Not sure signed cookie is best practice today. KeyRing abstraction might be confusing)
  • http_errors.ts (Not sure error status code as Error object is the general enough abstraction)
  • method.ts (Our mothod list deviates from IANA's method registry, instead aligned to http.METHODS of node.js. Not sure this is correct)
  • server.ts (Server is confusing as now CLI has Deno.Server. Also the usage of this is niche now as CLI has Deno.serve).
  • server_sent_event.ts (The issue [http/server_sent_event] Missing ServerSentEventStreamTarget ReadableStream "open" event listener #3645 looks concerning)
  • util.ts (Not sure it's worth exposing this (createCommonResponse) as std API)
@lino-levan lino-levan mentioned this issue Sep 20, 2023
Merged
@bartlomieju
Copy link
Member

I'd suggest we should stabilize the following in first pass:

This makes sense to me 👍 these seem to be very stable

and I'd suggest we move the below to unstable/ sub directory of std/http

  • cookie_map.ts (Looks overly complex. Not sure signed cookie is best practice today. KeyRing abstraction might be confusing)

Agreed, let's not stabilize this one.

  • http_errors.ts (Not sure error status code as Error object is the general enough abstraction)

This seems useful and I would err on stabilizing it.

  • method.ts (Our mothod list deviates from IANA's method registry, instead aligned to http.METHODS of node.js. Not sure this is correct)

I think we should align with IANA here

  • server.ts (Server is confusing as now CLI has Deno.Server. Also the usage of this is niche now as CLI has Deno.serve).

That's a though one; maybe we should deprecate and remove it once we provide feature parity in Deno.serve API?

Can we change the class to expose the body and fire off requested events?

  • util.ts (Not sure it's worth exposing this (createCommonResponse) as std API)

We should move this method into file_server.ts and delete the module

@kt3k
Copy link
Member Author

kt3k commented Sep 28, 2023

Thanks for the feedbacks!

  • http_errors.ts (Not sure error status code as Error object is the general enough abstraction)

This seems useful and I would err on stabilizing it.

There's also similar feedback from Asher. Let's keep discussing this in an independent issue.

  • method.ts (Our mothod list deviates from IANA's method registry, instead aligned to http.METHODS of node.js. Not sure this is correct)

I think we should align with IANA here

👍

  • server.ts (Server is confusing as now CLI has Deno.Server. Also the usage of this is niche now as CLI has Deno.serve).

That's a though one; maybe we should deprecate and remove it once we provide feature parity in Deno.serve API?

Sounds reasonable to me.

  • util.ts (Not sure it's worth exposing this (createCommonResponse) as std API)

We should move this method into file_server.ts and delete the module

I agree with this idea.

@kt3k kt3k mentioned this issue Sep 29, 2023
Closed
16 tasks
kt3k added a commit that referenced this issue Oct 13, 2023
@lino-levan @kt3k
BREAKING(http): move cookie_map, errors, server_sent_event, and metho…
65125db 
…d to unstable category, deprecate server.ts (#3661)

See #3655 and #3646 for details.

Co-authored-by: Yoshiya Hinosawa <stibium121@gmail.com>
@iuioiua
Copy link
Collaborator

iuioiua commented Oct 26, 2023

I think we should re-open this issue. I agree with the following with pretty much the same opinions:

  • Remove cookie_map.ts
  • Stabilise errors.ts
  • Align method.ts with IANA

Which features are we waiting on for http/server.ts to be on par with Deno.serve()?

@iuioiua iuioiua mentioned this issue Oct 28, 2023
Closed
@kitsonk
Copy link
Contributor

kitsonk commented Dec 6, 2023

@kt3k

  • cookie_map.ts (Looks overly complex. Not sure signed cookie is best practice today. KeyRing abstraction might be confusing)

Why would you not consider it best practice today? It isn't encrypting the cookie, it is signing the cookie to prevent tampering.

@iuioiua

[ ] Remove cookie_map.ts

Why?

@iuioiua
Copy link
Collaborator

iuioiua commented Dec 6, 2023

@kitsonk, we considered removing cookie_map.ts because it overlaps with cookie.ts, which uses more straightforward pure functions. According to analytics, it also has nearly no usage, probably for that reason. Are there any advantages to using cookie_map.ts over cookie.ts?

@kitsonk
Copy link
Contributor

kitsonk commented Dec 6, 2023

Secure cookie maps offers transparent cookie security to help ensure that client side cookies are not tampered with. It was a foundational API of oak based on similar concepts around cookie management in Koa. It was contributed to std. It's relative low usage is in part due to relative low adoption of more recent versions of oak where it was contributed to std and has been in std far shorter time period than cookie, less than a year.

The insecure version was requested to be added to keep API parity.

If there is such a keen desire to get rid of it, then it should have never been accepted in the first place.

@iuioiua
Copy link
Collaborator

iuioiua commented Dec 6, 2023
edited

Ok. I understand the point of keeping the insecure version, CookieMap, for API parity with SecureCookieMap. Either way, I still think there should only be one cookie implementation.

Also, I'm not opposed to having a signed cookies implementation. My main thought is that it could probably done a little simpler using a functional approach and complimenting the current cookies.ts. I'd have to do a little more research before forming a strong opinion.

@kt3k
Copy link
Member Author

kt3k commented Dec 7, 2023

@kitsonk

Why would you not consider it best practice today? It isn't encrypting the cookie, it is signing the cookie to prevent tampering.

The way to sign it isn't standardized (or is it?). Application or framework can sign it in their own ways. I'm not confident providing it from deno_std is a good idea.

There's also alternative and standardized way to sign data such as JWT. I'm also not sure these methods could compete with signed cookie at this point.

BTW cookie_map is not deprecated or removed. They are just marked unstable to make it possible for us to explore it more extended time (Non-unstable modules will be released as v1.0 near future (probably 2024 Q1)).

@iuioiua iuioiua mentioned this issue Dec 13, 2023
Closed
@iuioiua iuioiua mentioned this issue Jan 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

BREAKING(http): clean up module lino-levan/deno_std
4 participants
@kt3k @kitsonk @bartlomieju @iuioiua