Consolidate private with preliminary public api #338
Conversation
marcelklehr
changed the title
|
I merged public_controller#return_as_json() into bookmarkcontroller#getBookmarks. As a result there's some duplicate functionality / redundant parameters now. This is to keep compatibility with the client-side code. If you want, I can adjust the client-side code to use the new parameters and remove the old ones. Nonetheless, all tests are passing now and I also added docs for the API to the README :) |
| array('name' => 'public#return_as_json', 'url' => '/public/rest/v1/bookmark', 'verb' => 'GET'), | ||
| array('name' => 'public#new_bookmark', 'url' => '/public/rest/v1/bookmark', 'verb' => 'POST'), | ||
| array('name' => 'public#edit_bookmark', 'url' => '/public/rest/v1/bookmark/{id}', 'verb' => 'PUT'), | ||
| array('name' => 'public#delete_bookmark', 'url' => '/public/rest/v1/bookmark/{id}', 'verb' => 'DELETE'), |
There was a problem hiding this comment.
Totally removing them would kill compatibility. Better if we could deprecate them over a couple releases.
There was a problem hiding this comment.
we don't need to keep the newly added CRUD methods, though, right? They haven't made it into any release yet, afaik
There was a problem hiding this comment.
Yes, what wasn't there in 0.9.1 is vogelfrei.
| $sortby = "", | ||
| $search = array() | ||
| ) { | ||
| if ($user == null) { |
There was a problem hiding this comment.
always use === as equal comparison parameter
appinfo/routes.php
Outdated
| //Legacy Routes | ||
| array('name' => 'public#return_as_json', 'url' => '/public/rest/v1/bookmark', 'verb' => 'GET'), | ||
|
|
|
I rebased this locally. It seems something is wrong (perhaps with the annotated checks), because I am being logged out when access the bookmarks page normally via web interface. |
|
there lies the issue i think not the index, but that we are logged out and have no provided parameters for logging in. |
|
So, the problem I presume is that the client doesn't send auth data? Shouldn't there be a session cookie being sent along? |
|
The CORS annotation makes sure that sessions are not being used, therefore the logout happens. |
|
So, how do I realize an API that should be able to be used from within nextcloud as well as from other sites? Do we need to create a proxy Controller without CORS? |
to fix app ui logging out onload
|
Seems so, at least my thoughts go into the same direction. |
|
Without CORS it works, so there's some mistake in how I added CORS, I guess. Update: The tutorial doesn't mention anything else, though: https://docs.nextcloud.com/server/12/developer_manual/app/tutorial.html#adding-a-restful-api-optional |
|
Perhaps we need something like this: https://github.com/nextcloud/passman/blob/f8c13471b78b76a0576dd29e8c32d9e1e1f2359d/middleware/apimiddleware.php |
|
BernhardPosselt on IRC pointed out to me as well that CORS drops sessions, so we do need two controllers. The question is if this pr makes sense at all in this case. The whole idea was to have only one API controller. In this PR I basically merged the two, but now we're exposing the same interface at two different routes... Might still be better than having two entirely different interfaces on the two endpoints... What do you say? |
|
Sidenote: just came across the added If there is no use case for CORS (i am not aware of an request?), we can leave that out. The Passman middlewere reference would be about it? Two different routes are OK imho, however I do not see them duplicated? Actually, now I am thinking whether we should not keep a dedicated apicontroller, which would just inherit the internal one and just change the annotations, and call the parent. Probably there is a hook, though. |
|
I agree on the CSRF issue. CORS is not important to me, either. I agree on the approach and have started working on this. |
|
I think @cors imight be necessary for security, though, since NoCSRFRequired is added to API endpoints and all...? |
and expose public api add /public/rest/v2/ next to v1
Not really for security. While it disables sessions (client would also need to reauthenticate), it also allows to be used across origins, i.e. from other websites/webapps. Sounds OK to me to include it nevertheless. |
|
The changes seem to work so far from the UI. However, when returning bookmarks, only a piece of the data is returned back. Expected:
Returned:
You'll see it as the date in the list is represented as "Invalid date" in the UI. |
|
This is a symptom of merging the two APIs, it can be easily fixed by either modifying the client-side to include a parameter that tells the API all attributes it needs, or by modifying the API to deliver all those by default. Your call :) |
|
Just return all of them. It keeps things simple, and the only extra cost comes from the tags. This is fine, and nothing can go wrong by chance (e.g |
always return everything
| $tags = array(), | ||
| $conjunction = "or", | ||
| $sortby = "", | ||
| $search = array() |
There was a problem hiding this comment.
phpdoc (@param) annotation is missing for $user, $tags, $conjunction, $sortby, $search (yes, it was missing before already).
| }else { | ||
| $publicOnly = true; | ||
| if ($this->userManager->userExists($user) == false) { | ||
| return $this->newJsonErrorMessage("User could not be identified"); |
There was a problem hiding this comment.
newJsonErrorMessage() does not exist here
| @@ -218,7 +276,7 @@ public function deleteBookmark($id = -1) { | |||
| } | |||
|
|
|||
| /** | |||
| @NoAdminRequired | |||
| @NoAdminRequired | |||
| @@ -243,7 +301,7 @@ public function clickBookmark($url = "") { | |||
| } | |||
|
|
|||
| /** | |||
| @NoAdminRequired | |||
| @NoAdminRequired | |||
| @@ -271,7 +329,7 @@ public function importBookmark() { | |||
| } | |||
|
|
|||
| /** | |||
| @NoAdminRequired | |||
| @NoAdminRequired | |||
|
|
||
| use \OCA\Bookmarks\Controller\Lib\Bookmarks; | ||
| use \OCP\AppFramework\Http\JSONResponse; | ||
| use \OCP\AppFramework\Http; |
| use \OCP\AppFramework\Http\JSONResponse; | ||
| use \OCP\AppFramework\Http; | ||
| use \OCP\AppFramework\ApiController; | ||
| use OCA\Bookmarks\Controller\Rest\InternalTagsController; |
tests/bookmarkcontroller_test.php
Outdated
| @@ -19,91 +19,111 @@ class Test_PublicController_Bookmarks extends TestCase { | |||
| private $db; | |||
| private $userManager; | |||
| /** @var PublicController */ | |||
| private $publicController; | ||
|
|
||
| protected function setUp() { | ||
| parent::setUp(); | ||
|
|
||
| $this->userid = "testuser"; | ||
| $this->otherUser = "otheruser"; |
tests/bookmarkcontroller_test.php
Outdated
| @@ -19,91 +19,111 @@ class Test_PublicController_Bookmarks extends TestCase { | |||
| private $db; | |||
| private $userManager; | |||
| /** @var PublicController */ | |||
| private $controller; | |||
| private $publicController; | |||
There was a problem hiding this comment.
would need the /** @var BookmarkController */ typehint, too
|
|
||
| public function __construct($appName, IRequest $request, $userId, IDBConnection $db, IL10N $l10n, Bookmarks $bookmarks, Manager $userManager) { | ||
| parent::__construct($appName, $request); | ||
| $this->publicController = new BookmarkController($appname, $request, $userId, $db, $l10n, $bookmarks, $userManager); |
There was a problem hiding this comment.
Oh, missed this before. Typo in $appname, the n must be upper case.
| @@ -57,27 +60,81 @@ public function legacyGetBookmarks($type = "bookmark", $tag = '', $page = 0, $so | |||
| * @param string $tag | |||
| * @param int $page | |||
| * @param string $sort | |||
| * @param string user | |||
There was a problem hiding this comment.
sorry, but the $'s are missing in the var names
| * @param string $tag | ||
| * @param int $page | ||
| * @param string $sort | ||
| * @param string user |
|
I leave the two cosmetics for a quick additional PR. And use the moment to merge this. Good work, thanks a lot @marcelklehr :) 🚀 🎸 |
This basically changes access to the private bookmarks and tags API to everyone without CSRF tokens and with CORS support, removes the public controller, and adjusts the public controller tests to work with the bookmark controller.
This is a work-in-progress and a follow-up on #322
Fixes #330, #328, #2