Draft of using Yesod as an API server to a Javascript frontend #76
Conversation
Thanks for taking a stab at it! Unfortunately this specific example is very problematic from a security perspective. If instead of a
Interestingly someone just made a similar example for servant. I still maintain that an API to users is normally admin code. Adding admin code to the scaffolding would be quite useful, but it seems out of the scope of this PR.
@gregwebs Good point about the security issues. Updated based on your suggestion to create comments instead.
Want to add an optional
Sorry, I didn't notice the update. The UserId should come from maybeAuthId. Sorry for asking for tedious changes; I can also finish this off later.
It's no problem! Updated to use
I could also add comments to all of this code, much like
Thanks for the change. A test and CSRF protection would be great.
@gregwebs I agree on adding an
I can change both, though. For
Sorry, I got confused about
d4a8a77 to 62fa2f7
var message = $("##{rawJS commentTextareaId}").val();
// (Browsers that enforce the "required" attribute on the textarea won't see this alert)
if (!message) {
What browser doesn't enforce required? Can be removed since we always rely on the server for final validation?
@gregwebs Currently the server won't let invalid comments be created, but it also won't give a nice error message to show to the user (IIRC the default error for requireJsonBody actually returns an HTML page with the error).
My general view on this is that client-side validation is fine (and even preferable, because it's instant) as long as it's just for UX, and the server is enforcing the actual integrity of the data, though it would be nice to get good errors from the server when its own validation fails.
Oh, sorry, Safari doesn't enforce required. Edit: and apparently mobile Safari as well http://caniuse.com/#search=required
This looks like it will be good to merge when rebased.
defaultHeaders[csrfHeaderName] = csrfToken;
$.ajaxSetup({
    headers: defaultHeaders,
});
I think this should maybe only add the header if the domain the AJAX request is being sent to is the current domain. Need to look into this.
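The same-origin condition raised in the comment above, worked through as an added example for this page (it is not code from the PR or from yesod-scaffold): the CSRF token is attached only when the request resolves to the page's own origin, so a request to a third-party host never carries it. The header and cookie names are assumed to be Yesod's defaults ("X-XSRF-TOKEN" and "XSRF-TOKEN"); `isSameOrigin`, `readCookie`, `csrfHeadersFor`, `withCsrf` and the `env` object standing in for `location.href` and `document.cookie` are names introduced here, not part of the scaffolding.

```javascript
// Added example for the yesod-scaffold PR discussion; not the project's code.
// Header and cookie names below are assumed to be Yesod's defaults.
const CSRF_HEADER_NAME = "X-XSRF-TOKEN"; // assumed default
const CSRF_COOKIE_NAME = "XSRF-TOKEN";   // assumed default

// Resolve `requestUrl` the way the browser would (relative paths,
// protocol-relative "//host/..." URLs) and compare scheme, host and port
// with the page's own origin. Anything unparsable gets no token.
function isSameOrigin(requestUrl, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(requestUrl, page);
  } catch (e) {
    return false;
  }
  return target.origin === page.origin;
}

// Minimal document.cookie parser: "a=1; XSRF-TOKEN=abc; b=2" -> "abc".
// Returns null when the cookie is absent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Headers to merge into a request: the token only when the request stays
// on the page's origin and the cookie is actually present.
function csrfHeadersFor(requestUrl, pageUrl, cookieString) {
  if (!isSameOrigin(requestUrl, pageUrl)) return {};
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (!token) return {};
  return { [CSRF_HEADER_NAME]: token };
}

// fetch()-style wrapper. `env` carries the page URL and cookie string so the
// decision logic can run outside a browser; in a page you would pass
// { pageUrl: location.href, cookie: document.cookie } and window.fetch.
function withCsrf(fetchImpl, env) {
  return function (url, init) {
    const options = Object.assign({}, init);
    options.headers = Object.assign(
      {},
      options.headers || {},
      csrfHeadersFor(url, env.pageUrl, env.cookie)
    );
    return fetchImpl(url, options);
  };
}

// Stand-alone demo with a constructed environment and a fake fetch that
// just echoes the headers it was handed.
function demo() {
  const env = { pageUrl: "https://example.test/", cookie: "XSRF-TOKEN=demo-token" }; // constructed
  const echo = (url, options) => ({ url, headers: options.headers });
  const apiFetch = withCsrf(echo, env);
  return [
    apiFetch("/api/comments", { method: "POST" }),              // gets the token
    apiFetch("https://cdn.example.net/widget.json", {}),        // does not
  ];
}

console.log(JSON.stringify(demo(), null, 2));
```

Port and scheme are part of the origin, so `https://example.test:8443/...` and `http://example.test/...` are treated as cross-origin from a page on `https://example.test`, which is the behaviour you want for a token that must never leave the site.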
ff72266 to 789170e
published
* Includes frontend code making an AJAX request to post comments
* Demonstrates JSON parsing/encoding
* Includes CSRF protection
789170e to 8fa7e7c
Updated cabal file to require yesod-test-1.5.0.1. Since Greg's reviewed this I'll merge shortly.
Draft of using Yesod as an API server to a Javascript frontend
Thanks for reviewing this so many times @gregwebs !
Is it adding the token from the cookie?
@gregwebs Yes, in default-layout-wrapper.hamlet
In #73 there was some discussion about adding an example of using Yesod as an API server. I took a quick stab at that; this PR just adds a link you can click on the homepage, which triggers an AJAX request to the server to create a new user. The server inserts the user into the database and returns the data to the client, which adds the user to an <ul>. Is this roughly what we're looking for? I wrote functions to request all users and to delete specific ones as well, if we want to add more API server example code.