Migrate ratings endpoints from web.py to FastAPI

[Shikhar-395]

referring: #11999

Changes

openlibrary/fastapi/internal/api.py

• Added get_ratings GET and POST as standalone decorated functions

openlibrary/plugins/openlibrary/api.py

scripts/test_ratings_migration.sh

Differences

Aspect	Legacy (web.py)	FastAPI
GET response JSON	identical	identical
POST response JSON	identical	identical
Authentication	Redirects to /account/login (303)	Returns 401 Unauthorized
Invalid rating	200 + {"error": "invalid rating"}	422 Unprocessable Entity

Stakeholder

@RayBB

[RayBB]

Few minor comments, but it's a good start. Please request another review when you push up the fixes.

[Shikhar-395]

Also removed JSONResponse wrapping from (GET) rating endpoint.

[RayBB]

Two small things here, but it looks really good. I'm excited to test it soon.

[RayBB]

A few small changes and then I'll look again!

[RayBB]

I pushed up some very minor changes.
However, this PR isn't complete. It does not handle most of the options possible for the post request.

Make sure the functionality is compatible with the old endpoint. ajax, redir, redir_url, and page need to be implemented.

Before asking me to review this again please be sure to test all of this functionality yourself to ensure it has pretty much the same response as the old endpoint.

[RayBB]

@395ShikharSingh do you plan to keep working on this or can it be assigned to someone else?

[Shikhar-395]

Hey @RayBB sorry for the delay! I've added full legacy compatibility to the POST endpoint (redir, redir_url, page, ajax, edition_id) and added unit tests covering all scenarios. Tested locally and everything is working. Let me know if anything needs.

[RayBB]

Thanks for the quick followup. I know mine have been slow lately.f

We're in the right direction and there's still quite a bit more feedback to address here. When in doubt please follow the way that other fastapi endpoints look.

[RayBB]

This already exists. Please do not recreate it.

[RayBB]

We now have mock_authenticated_user that you can use instead as long as your PR is caught up with master

[RayBB]

Please don't add one line function definitions unless there is a very good reason.

Please keep all of this as similar as possible to the old endpoint instead restructuring it when not needed.

[RayBB]

We should only use a raw request in special cases. In this case, inline the values just like we do with the others in this file on master. This gives us clearer documentation and follows best practices from fastapi.

[RayBB]

We don't need to do this. It's an authenticated endpoint.

[RayBB]

use require_authenticated_user because they must be logged in to use this.

[RayBB]

We won't need this because we should validate using the gt and lt options in the endpoint params

[RayBB]

we also will not need this

[RayBB]

Don't make a new function here. Keep it inline and simple.

[Shikhar-395]

One quick clarification before I push the next revision: for /works/OL{work_id}W/ratings, should legacy compatibility take priority over the usual FastAPI pattern when they conflict?
I’m asking because there are a few remaining cases where the old endpoint and the standard FastAPI approach differ:

• unauthenticated POST: legacy redirects to login, while require_authenticated_user returns 401
• invalid rating: legacy returns {"error": "invalid rating"} with 200, while param validation returns 422
• legacy web.input() accepts POST query params like ajax, redir, redir_url, and page, while plain Form(...) handling does not

Since your earlier feedback was to keep this compatible with the old endpoint, I wanted to confirm whether for this endpoint I should preserve the legacy behavior exactly in those cases.

[RayBB]

These can differ (follow modern fastapi):

• unauthenticated POST: legacy redirects to login, while require_authenticated_user returns 401
• invalid rating: legacy returns {"error": "invalid rating"} with 200, while param validation returns 422

This is a good question. In this case please ensure we have the exact same functionality. If before it was only query params then now it should accept query params. If it has working with forms before it should work with forms now:

• legacy web.input() accepts POST query params like ajax, redir, redir_url, and page, while plain Form(...) handling does not

[Shikhar-395]

Addressed the remaining /ratings migration feedback.
POST now accepts the legacy inputs via both form data and query params (ajax, redir, redir_url, page, rating, edition_id) while keeping the modern FastAPI behavior we discussed for auth (401) and invalid rating validation (422).
I also switched the ratings tests to the shared FastAPI fixtures, and updated the shared FastAPI test client setup in conftest.py so these endpoint tests can use that common fixture cleanly.

[RayBB]

@395ShikharSingh really excellent work here.

Since this is an internal endpoint I ultimately ended up deciding that instead of making the code so complicated supporting query params and redirects that we could just drop those. We already were not using the query params and the redirects only triggered when there is no JS (and for little gain at that). Since we're now in an OL world where we expect JS it's ok to remove that.

Anyway, your work is appreciated and you can look at the last couple commits I added to learn more. Let me know if you have questions!