Draft of using Yesod as an API server to a Javascript frontend #76
Conversation
|
Thanks for taking a stab at it! Unfortunately this specific example is very problematic from a security perspective. If instead of a |
|
Interestingly someone just made a similar example for servant. I still maintain that an an API to users is normally admin code. Adding admin code to the scaffolding would be quite useful, but it seems out of the scope of this PR. |
|
@gregwebs Good point about the security issues. Updated based on your suggestion to create comments instead. |
|
Want to add an optional |
|
sorry, I didn't notice the update. The UserId should come from maybeAuthId. Sorry for asking for tedious changes; I can also finish this off later. |
|
It's no problem! Updated to use |
|
I could also add comments to all of this code, much like |
|
Thanks for the change.
A test and CSRF protection would be great. |
|
@gregwebs I agree on adding an I can change both, though. For |
|
sorry, I got confused about |
MaxGabriel
force-pushed
the
jsonExample
branch
from
d4a8a77
to
62fa2f7
Compare
|
|
||
| var message = $("##{rawJS commentTextareaId}").val(); | ||
| // (Browsers that enforce the "required" attribute on the textarea won't see this alert) | ||
| if (!message) { |
There was a problem hiding this comment.
What browser doesn't enforce required? Can be removed since we always rely on the server for final validation?
There was a problem hiding this comment.
@gregwebs Currently the server won't let invalid comments be created, but it also won't give a nice error message to show to the user (IIRC the default error for requireJsonBody actually returns an HTML page with the error).
My general view on this is that client-side validation is fine (and even preferable, because it's instant) as long as it's just for UX, and the server is enforcing the actual integrity of the data, though it would be nice to get good errors from the server when it's own validation fails.
There was a problem hiding this comment.
Oh, sorry, Safari doesn't enforce required. Edit: and apparently mobile safari as well http://caniuse.com/#search=required
|
This looks like it will be good to merge when rebased. |
| \ defaultHeaders[csrfHeaderName] = csrfToken; | ||
| \ $.ajaxSetup({ | ||
| \ headers: defaultHeaders, | ||
| \ }); |
There was a problem hiding this comment.
I think this should maybe only add the header if the domain the AJAX request is being sent to is the current domain. Need to look into this.
MaxGabriel
force-pushed
the
jsonExample
branch
2 times, most recently
from
ff72266
to
789170e
Compare
|
published |
* Includes frontend code making an AJAX request to post comments * Demonstrates JSON parsing/encoding * Includes CSRF protection
MaxGabriel
force-pushed
the
jsonExample
branch
from
789170e
to
8fa7e7c
Compare
|
Updated cabal file to require yesod-test-1.5.0.1. Since Greg's reviewed this I'll merge shortly. |
Draft of using Yesod as an API server to a Javascript frontend
|
Thanks for reviewing this so many times @gregwebs ! |
|
Is it adding the token from the cookie? |
|
@gregwebs Yes, in default-layout-wrapper.hamlet |
In #73 there was some discussion about adding an example of using Yesod as an API server. I took a quick stab at that; this PR just adds a link you can click on the homepage, which triggers an AJAX request to the server to create a new user. The server inserts the user into the database and returns the data to the client, which updates adds the user to an
<ul>.Is this roughly what we're looking for? I wrote functions to request all users and to delete specific ones as well, if we want to add more API server example code.