You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The /publish endpoint of the admin API is used to publish (deploy) the site to a configured server.
Currently, the frontend uses GET when triggering a deployment. As it is highly dubious (albeit arguable) that publishing the site counts as idempotent, really, a POST should be required here. There may be CORS-related security advantages to requiring POST here, too. In any case, a GET sure feels wrong, in this case.
The reason the fix is not totally trivial is that /publish returns an SSE stream. The EventSource API, which we currently use to handle the SSE output, appears (for no good reason that I've figured out) to not offer any way to open an event stream using any method other than GET.
I'm not sure how best to fix this.
Perhaps use a third-party replacement for EventSource like sse.js which would allow for POST?
Or make the API call a two-step process where the POST to /publish would return a "303 See Other" to a URL that would produce (via GET) the SSE stream.
The text was updated successfully, but these errors were encountered:
The /publish endpoint of the admin API is used to publish (deploy) the site to a configured server.
Currently, the frontend uses GET when triggering a deployment. As it is highly dubious (albeit arguable) that publishing the site counts as idempotent, really, a POST should be required here. There may be CORS-related security advantages to requiring POST here, too. In any case, a GET sure feels wrong, in this case.
The reason the fix is not totally trivial is that /publish returns an SSE stream. The EventSource API, which we currently use to handle the SSE output, appears (for no good reason that I've figured out) to not offer any way to open an event stream using any method other than GET.
I'm not sure how best to fix this.
Perhaps use a third-party replacement for EventSource like sse.js which would allow for POST?
Or make the API call a two-step process where the POST to /publish would return a "303 See Other" to a URL that would produce (via GET) the SSE stream.
The text was updated successfully, but these errors were encountered: