-
Secret session cookies are now encrypted using
sodium. All priorreq$sessioninformation will be lost. Please see?sessionCookiefor more information. (#404) -
Session cookies set the
HttpOnlyflag by default to mitigate cross-site scripting (XSS). Please see?sessionCookiefor more information. (#404) -
Wrap
jsonlite::fromJSONto ensure thatjsonlitenever reads input as a remote address (such as a file path or URL) and attempts to parse that. The only known way to exploit this behavior in plumber unless an API were using encrypted cookies and an attacker knew the encryption key in order to craft arbitrary cookies. (#325)
-
Plumber's swagger definition is now defined using OpenAPI 3, upgrading from Swagger Specification. (#365)
-
The source files used in plumber must use the UTF-8 encoding if they contain non-ASCII characters (@shrektan, #312, #328).
-
Added support for promises in endpoints, filters, and hooks. (#248)
-
Added support to a router's run method to allow the
swaggerparameter to be a function that enhances the existing swagger specification before being returned to/openapi.json. (#365) -
Add support for swagger for mounted routers (@bradleyhd, #274).
-
If cookie information is too large (> 4093 bytes), a warning will be displayed. (#404)
-
Added new shorthand types for url parameters. (@byzheng, #388)
-
Changed Swagger UI to use swagger R package to display the swagger page. (#365)
-
Plumber files are now only evaluated once. Prior plumber behavior sourced endpoint functions twice and non-endpoint code blocks once. (#328)
-
Fix possible bugs due to mounted routers without leading slashes (@atheriel, #476 #501).
-
Fix bug preventing error handling when a serializer fails (@antoine-sachet, #490)
-
Fix URL-decoding of query parameters and URL-encoding/decoding of cookies. Both now use
httpuv::decodeURIComponentinstead ofhttpuv::decodeURI. (@antoine-sachet, #462) -
Fix bugs that prevented
do_provisionfrom deploying to DigitalOcean and updated to the latestanalogsea. (#448) -
Fixed bug where functions defined earlier in the file could not be found when
plumb()ing a file. (#416) -
A multiline POST body is now collapsed to a single line (@robertdj, #270 #297).
-
Bumped version of httpuv to >= 1.4.5.9000 to address an unexpected segfault (@shapenaji, #289)
-
Date response header is now supplied by httpuv and not plumber. Fixes non standard date response header issues when using different locales. (@shrektan, #319, #380)
- BUGFIX: Hooks that accept a
valueargument (postroute,preserialize, andpostserialize) now modify the incoming value as documented. - BUGFIX: The
postserializehook is now given the serialized data as itsvalueparameter. - BUGFIX: properly handle cookie expiration values (#216).
- Add support for tags in Swagger docs (#230).
- Optional
swaggerCallbackparameter forrun()to supply a callback function for reporting the url for swagger page. - Add RStudio Project Template to package.
- Support Expiration, HTTPOnly, and Secure flags on cookies (#87). EDIT: see #216 which prevented expiration from working.
- BUGFIX: properly handle named query string and post body arguments in mounted subrouters.
- Added support for static sizing of images.
@pngand@jpegnow accept a parenthetical list of arguments that will be passed into thepng()orjpeg()call. This enables annotations like#' @png (width = 200, height=500). - Enable
ByteCompileflag - Set working directory for DigitalOcean APIs.
- Respect
setErrorHandler - BUGFIX: export
PlumberStatic - Case-insensitive matching on
plumber.randentrypoint.rwhenplumb()ing a directory. - Support query strings with keys that appear more than once (#165)
- Fix the validation error warning at the bottom of deployed Swagger files
which would have appeared any time your
swagger.jsonfile was hosted in such a way that a hosted validator service would not have been able to access it. For now we just suppress validation of swagger.json files. (#149) - Support for floating IPs in DNS check that occurs in
do_configure_https() - Make adding swap file idempotent in
do_provision()so you can now call that on a single droplet multiple times. - Support an
exithook which can define a function that will be evaluated when the API is interrupted. e.g.pr <- plumb("plumber.R"); pr$registerHook("exit", function(){ print("Bye bye!") }) - Fixed bug in which a single function couldn't support multiple paths for a single verb (#203).
- Support negative numbers in numeric path segments (#212)
- Support
.in string path segments
- Development version for 0.4.2. Will be working to move to even/odd release cycles, but I had prematurely bumped to 0.4.0 so that one might get skipped, making the next CRAN release 0.4.2.
- BREAKING: Listen on localhost instead of listening publicly by default.
- BREAKING: We no longer set the
Access-Control-Allow-OriginHTTP header to*. This was previously done for convenience but we've decided to prioritize security here by removing this default. You can still add this header to any route you want to be accessible from other origins. - BREAKING: Listen on a random port by default instead of always on 8000. This
can be controlled using the
portparameter inrun(), or by setting theplumber.portoption. - BREAKING: Removed
PlumberProcessorclass and replaced with a notion of hooks. SeeregisterHookandregisterHookson the Plumber router. - BREAKING:
addGlobalProcessormethod on Plumber routers now takes a list which are added as hooks instead of a Processor. Note thatsessionCookiehas also been updated to behave accordingly, meaning that the convention ofpr$addGlobalProcessor(sessionCookie("secret", "cookieName"))will continue to work for this release. - BREAKING:
sessionCookienow returns a list instead of a Processor. Note thataddGlobalProcessorhas also been updated to behave accordingly, meaning that the convention ofpr$addGlobalProcessor(sessionCookie("secret", "cookieName"))will continue to work for this release. - DEPRECATION: Deprecated the
addAssetsmethod on Plumber routers. UsePlumberStaticand themountmethod to attach a static router. - DEPRECATION: Deprecated the
addEndpointmethod in favor of thehandlemethod for Plumber routers. Removed support for theprocessors,params, andcommentsparameters are no longer supported. - DEPRECATION: Deprecated the
addFiltermethod on Plumber routers in favor of the newfiltermethod. Removed support for the processor parameter. - DEPRECATION: Deprecated the
addGlobalProcessormethod on Plumber routers. - The undocumented
setDefaultErrorHandlermethod on Plumber routers now takes a function that returns the error handler function. The top-level function takes a single param nameddebugwhich is managed by thedebugparameter in therun()method. - Added support for
OPTIONSHTTP requests via the@optionsannotation. - Add support for
entrypoint.Rwhenplumb()ing a directory. If this file exists, it is expected to return a Plumber router representing the API contained in this directory. If it doesn't exist, the behavior is unaltered. If bothplumber.Randentrypoint.Rexist,entrypoint.Rtakes precedence. plumb()the current directory by default if no arguments are provided.- Added a
debugparameter to therunmethod which can be set toTRUEin order to get more insight into your API errors.
plumb()now accepts an argumentdir, referring to a directory containingplumber.R, which may be provided instead offile.
- Introduced the
do_provision(),do_deploy_api(),do_remove_api()anddo_configure_https()functions to provision and manage your APIs on a cloud server running on DigitalOcean. source()the referenced R file to plumb inside of a new environment that inherits directly from the GlobalEnv. This provides more explicit control over exactly how this environment should behave.- Added
@serializer htmlwidgetto support rendering and returning a self-contained htmlwidget from a plumber endpoint. - Properly handle cookies with no value. (#88)
- Don't convert
+character in a query string to a space.
- Add a method to consume JSON on post (you can still send a query string in the body of a POST request as well).
- BREAKING CHANGE: serializer factories are now registered instead of the
serializer themselves. Thus,
addSerializer()now expects a function that returns a serializer, andResponse$new()now expects a serializer itself rather than a character string naming a serializer. Internally it is the serializer itself that is attached to the response rather than the name of the serializer. This allows for a serializer to customize its behavior. - Accept an additional argument on the
@serializerannotation -- R code that will be passed in as an argument to the serializer factory. See example09-content-type.
- Add a filter which parses and sets req$cookies to be a list corresponding to the cookies provided with the request.
- Responses can set multiple cookies
- Bug Fix: convert non-character arguments in setCookie to character before URL- encoding.
- Set options(warn=1) during execution of user code so that warnings are immediately visible in the console, rather than storing them until the server is stopped.
- Add
sessionCookiefunction to define a processor that can be used as a globalProcessor on a router to encrypt values from req$session and store them as an encrypted cookie in on the user's browser. - Added
setCookiemethod to response which (primitively) allows you to set a cookie to be included in the response. - Add
addGlobalProcessormethod onplumberclass to support a processor that runs a processor only a single time, before and then after all other filters and the endpoint. - Document all public params so CHECK passes
- Add more Roxygen documentation for exported functions
- Remove the warning in the README as the API seems to be stabilizing.
- BREAKING: Changed variable-path routing to use bracketed format instead of just a colon.
- BREAKING: Renamed
PlumberRouterR6 object to justPlumber. - Support
addEndpoint()andaddFilter()on thePlumberobject. - Added support for the
#*prefix.
- Initial Release