HTTP API uses redirects with 301 status, which leads to GET subsequent request in some clients #1415
Labels:
- effort/hours: Estimated to take one or several hours
- exp/beginner: Can be confidently tackled by newcomers
- kind/bug: A bug in existing code (including security flaws)
- P1: High: Likely tackled by core team if no one steps up
- status/in-progress: In progress
Describe the bug:
niftysave uses cluster's HTTP API to pin content discovered on chain using IPFS path. On paths like e.g. `/api/pins/ipfs/bafybeihqrzwradmal4ok5irhpxhst6fedq7kd5kumx724v4lekh2daj4eq/`, cluster responds with a `301` status redirecting the request to `/api/pins/ipfs/bafybeihqrzwradmal4ok5irhpxhst6fedq7kd5kumx724v4lekh2daj4eq` (no trailing slash), which causes the node fetch implementation to make a subsequent GET request, which fails (because the API only accepts POST requests).

Initially I thought it was a `fetch` implementation bug (web-std/io#11), however the browser implementation seems to fail as well. As it turns out, rfc7231 has a note about it (quoting inline below)

Browser implementation seems to do exactly that and, perhaps unsurprisingly, the node (re)implementation of that API does the same, both failing due to the reasons described above.
**Proposed fix**
Use 307 status code instead as per note in the spec to avoid this issue.
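
The behaviour reported above, reproduced offline as an added example (not part of the original report and not the cluster code): a stand-in POST-only endpoint redirects the trailing-slash path with a configurable status, and a client follows it. Go's `net/http` client is used here in place of fetch, since it applies the same POST-to-GET rewrite on 301 and keeps the method on 307; the handler, `pinPath` and the `CID` placeholder are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Placeholder path (assumption): "CID" stands in for a real content identifier.
const pinPath = "/api/pins/ipfs/CID/"

// newAPI models a POST-only pin endpoint that redirects the trailing-slash
// form of a path to the slash-less form using the given status code.
func newAPI(redirectStatus int) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/pins/ipfs/", func(w http.ResponseWriter, r *http.Request) {
		if strings.HasSuffix(r.URL.Path, "/") {
			http.Redirect(w, r, strings.TrimSuffix(r.URL.Path, "/"), redirectStatus)
			return
		}
		if r.Method != http.MethodPost {
			http.Error(w, "pin requires POST", http.StatusMethodNotAllowed)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return httptest.NewServer(mux)
}

// pinVia POSTs to the trailing-slash path, follows the redirect, and returns
// the method of the final request together with the final status code.
func pinVia(redirectStatus int) (string, int, error) {
	srv := newAPI(redirectStatus)
	defer srv.Close()
	resp, err := http.Post(srv.URL+pinPath, "application/json", strings.NewReader("{}"))
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	return resp.Request.Method, resp.StatusCode, nil
}

func main() {
	for _, code := range []int{http.StatusMovedPermanently, http.StatusTemporaryRedirect} {
		method, status, err := pinVia(code)
		fmt.Println(code, "->", method, status, err)
	}
}
```

With 301 the final request arrives as GET and is rejected with 405; with 307 the POST and its body are replayed and the pin call succeeds.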