Mercurial Repository: p/roundup/code: doc/rest.txt comparison

comparison doc/rest.txt @ 5710:0b79bfcb3312

Add support for making an idempotent POST. This allows retrying a POST that was interrupted. It involves creating a post once only (poe) url /rest/data/<class>/@poe/<random_token>. This url acts the same as a post to /rest/data/<class>. However once the @poe url is used, it can't be used for a second POST. To make these changes: 1) Take the body of post_collection into a new post_collection_inner function. Have post_collection call post_collection_inner. 2) Add a handler for POST to rest/data/class/@poe. This will return a unique POE url. By default the url expires after 30 minutes. The POE random token is only good for a specific user and is stored in the session db. 3) Add a handler for POST to rest/data/<class>/@poe/<random token>. The random token generated in 2 is validated for proper class (if token is not generic) and proper user and must not have expired. If everything is valid, call post_collection_inner to process the input and generate the new entry. To make recognition of 2 stable (so it's not confused with rest/data/<:class_name>/<:item_id>), removed @ from Routing::url_to_regex. The current Routing.execute method stops on the first regular expression to match the URL. Since item_id doesn't accept a POST, I was getting 405 bad method sometimes. My guess is the order of the regular expressions is not stable, so sometime I would get the right regexp for /data/<class>/@poe and sometime I would get the one for /data/<class>/<item_id>. By removing the @ from the url_to_regexp, there was no way for the item_id case to match @poe. There are alternate fixes we may need to look at. If a regexp matches but the method does not, return to the regexp matching loop in execute() looking for another match. Only once every possible match has failed should the code return a 405 method failure. Another fix is to implement a more sophisticated mechanism so that @Routing.route("/data/<:class_name>/<:item_id>/<:attr_name>", 'PATCH') has different regexps for matching <:class_name> <:item_id> and <:attr_name>. Currently the regexp specified by url_to_regex is used for every component. Other fixes: Made failure to find any props in props_from_args return an empty dict rather than throwing an unhandled error. Make __init__ for SimulateFieldStorageFromJson handle an empty json doc. Useful for POSTing to rest/data/class/@poe with an empty document. Testing: added testPostPOE to test/rest_common.py that I think covers all the code that was added. Documentation: Add doc to rest.txt in the "Client API" section titled: Safely Re-sending POST". Move existing section "Adding new rest endpoints" in "Client API" to a new second level section called "Programming the REST API". Also a minor change to the simple rest client moving the header setting to continuation lines rather than showing one long line.

author	John Rouillard <rouilj@ieee.org>
date	Sun, 14 Apr 2019 21:07:11 -0400
parents	c7dd1cae3416
children	59a3bbd3603a

comparison

equal deleted inserted replaced

-:e2378b6afdb5
+:0b79bfcb3312
 >>> r = s.get (u + 'issue/42')
 >>> etag = r.headers['ETag']
 >>> print("ETag: %s" % etag)
 >>> etag = r.json()['data']['@etag']
 >>> print("@etag: %s" % etag)
->>> h = {'If-Match': etag, 'X-Requested-With': 'rest', 'Referer': 'http://tracker.example.com/demo/'}
+>>> h = {'If-Match': etag,
+...   'X-Requested-With': 'rest',
+...   'Referer': 'http://tracker.example.com/demo/'}
 >>> d = {'@op:'action', '@action_name':'retire'}
 >>> r = s.patch(u + 'issue/42', data = d, headers = h)
 >>> print(r.json())
 >>> d = {'@op:'action', '@action_name':'restore'}
 >>> r = s.patch(u + 'issue/42', data = d, headers = h)
 >>> print(r.json())
 Note the addition of headers for: x-requested-with and referer. This
 allows the request to pass the CSRF protection mechanism. You may need
-to add Origin if this check is enabled in your tracker's config.ini.
+to add an Origin header if this check is enabled in your tracker's
+config.ini (look for csrf_enforce_header_origin).
+Safely Re-sending POST
+======================
+POST is used to create new object in a class. E.G. a new issue.  One
+problem is that a POST may time out. Because it is not idempotent like
+a PUT or DELETE, retrying the interrupted POST may result in the
+creation of a duplicate issue.
+To solve this problem, a two step process inspired by the POE - Post
+Once Exactly spec:
+https://tools.ietf.org/html/draft-nottingham-http-poe-00 is provided.
+This mechanism returns a single use URL. POSTing to the URL creates
+a new object in the class.
+First we get the URL. Here is an example using curl::
+curl -u demo:demo -s -X POST -H "Referer: https://.../demo/" \
+-H "X-requested-with: rest" \
+-H "Content-Type: application/json" \
+--data '' \
+https://.../demo/rest/data/issue/@poe
+This will return a json payload like::
+{
+"data": {
+"expires": 1555266310.4457426,
+"link": "https://.../demo/rest/data/issue/@poe/vizl713xHtIzANRW9jPb3bWXePRzmehdmSXzEta1"
+}
+}
+The value of expires is a Unix timestamp in seconds. In this case it
+has the default lifetime of 30 minutes after the current time. Using
+the link more than 30 minutes into the future will cause a 400 error.
+Within 30 minutes, the link can be used to post an issue with the same
+payload that would normally be sent to:
+``https://.../demo/rest/data/issue``.
+For example::
+curl -u demo:demo -s -X POST \
+-H "Referer: https://.../demo/" \
+-H "X-requested-with: rest" \
+-H "Content-Type: application/json"  \
+--data-binary '{ "title": "a problem" }' \
+https://.../demo/rest/data/issue/@poe/vizl713xHtIzANRW9jPb3bWXePRzmehdmSXzEta1
+returns::
+{
+"data": {
+"link": "https://.../demo/rest/data/issue/2280",
+"id": "2280"
+}
+}
+Once the @poe link is used and creates an issue, it becomes invalid
+and can't be used again.  Posting to it after the issue, or other
+object, is created, results in a 400 error [#poe_retry]_.
+Note that POE links are by restricted to the class that was used to
+get the link. So you can only create an issue using the link returned
+from ``rest/data/issue/@poe``. You can create a generic POE link by adding
+the "generic" field to the post payload::
+curl -u demo:demo -s -X POST -H "Referer: https://.../demo/" \
+-H "X-requested-with: rest" \
+--data 'lifetime=100&generic=1' \
+https://.../demo/rest/data/issue/@poe
+This will return a link under: ``https://.../demo/rest/data/issue/@poe``::
+{
+"data": {
+"expires": 1555268640.9606116,
+"link":
+"https://.../demo/rest/data/issue/@poe/slPrzmEq6Q9BTjvcKhfxMNZL4uHXjbHCidY1ludZ"
+}
+}
+You could use the link and change 'issue' to 'user' and it would work
+to create a user. Creating generic POE tokens is *not* recommended,
+but is available if a use case requires it.
+This example also changes the lifetime of the POE url.  This link has
+a lifetime of 15 minutes (900 seconds). Using it after 16 minutes will
+result in a 400 error. A lifetime up to 1 hour can be specified.
+POE url's are an optional mechanism. If:
+* you do not expect your client to retry a failed post,
+* a failed post is unlikely (e.g. you are running over a local lan),
+* there is a human using the client and who can intervene if a post
+fails
+you can use the url ``https://.../demo/data/<class>``. However if you
+are using this mechanism to automate creation of objects and will
+automatically retry a post until it succeeds, please use the POE
+mechanism.
+.. [#poe_retry] At some future date, performing a POST to the POE link
+soon after it has been used to create an object will
+change. It will not return a 400 error. It will will trigger a
+redirect to the url for the created object. After some period
+of time (maybe a week) the POE link will be removed and return
+a 400 error. This is meant to allow the client (a time limited
+way) to retrieve the created resource when the response was
+lost.
+Searches and selection
+======================
+One difficult interface issue is selection of items from a long list.
+Using multi-item selects requires loading a lot of data (e.g. consider
+a selection tool to select one or more issues as in the classic
+superseder field).
+This can be made easier using javascript selection tools like select2,
+selectize.js, chosen etc. These tools can query a remote data provider
+to get a list of items for the user to select from.
+Consider a multi-select box for the superseder property.  Using
+selectize.js (and jquery) code similar to::
+$('#superseder').selectize({
+	valueField: 'id',
+	labelField: 'title',
+	searchField: 'title', ...
+	load: function(query, callback) {
+		if (!query.length) return callback();
+		$.ajax({
+			url: '.../rest/data/issue?@verbose=2&title='
+			    + encodeURIComponent(query),
+			type: 'GET',
+			error: function() {callback();},
+			success: function(res) {
+			  callback(res.data.collection);}
+Sets up a box that a user can type the word "request" into. Then
+selectize.js will use that word to generate an ajax request with the
+url: ``.../rest/data/issue?@verbose=2&title=request``
+This will return data like::
+{
+"data": {
+"@total_size": 440,
+"collection": [
+{
+	  "link": ".../rest/data/issue/8",
+	  "id": "8",
+	  "title": "Request for Power plugs"
+},
+{
+	  "link": ".../rest/data/issue/27",
+	  "id": "27",
+	  "title": "Request for foo"
+},
+...
+selectize.js will look at these objects (as passed to
+callback(res.data.collection)) and create a select list from the each
+object showing the user the labelField (title) for each object and
+associating each title with the corresponding valueField (id). The
+example above has 440 issues returned from a total of 2000
+issues. Only 440 had the word "request" somewhere in the title greatly
+reducing the amount of data that needed to be transferred.
+Similar code can be set up to search a large list of keywords using::
+.../rest/data/keyword?@verbose=2&name=some
+which would return: "some keyword" "awesome" "somebody" making
+selections for links and multilinks much easier.
+Hopefully future enhancements will allow get on a collection to
+include other fields. Why do we want this?  Selectize.js can set up
+option groups (optgroups) in the select pulldown. So by including
+status in the returned data::
+{
+	  "link": ".../rest/data/issue/27",
+	  "id": "27",
+	  "title": "Request for foo",
+	  'status": "open"
+},
+a select widget like::
+=== New ===
+A request
+=== Open ===
+Request for bar
+Request for foo
+etc. can be generated. Also depending on the javascript library, other
+fields can be used for subsearch and sorting.
+Programming the REST API
+------------------------
+You can extend the rest api for a tracker. This describes how to add
+new rest end points. At some point it will also describe the rest.py
+structure and implementation.
 Adding new rest endpoints
 =========================
 Add or edit the file interfaces.py at the root of the tracker
 }
 Adding other endpoints (e.g. to allow an OPTIONS query against
 ``/data/issue/@schema``) is left as an exercise for the reader.
-Searches and selection
-======================
-One difficult interface issue is selection of items from a long list.
-Using multi-item selects requires loading a lot of data (e.g. consider
-a selection tool to select one or more issues as in the classic
-superseder field).
-This can be made easier using javascript selection tools like select2,
-selectize.js, chosen etc. These tools can query a remote data provider
-to get a list of items for the user to select from.
-Consider a multi-select box for the superseder property.  Using
-selectize.js (and jquery) code similar to::
-$('#superseder').selectize({
-	valueField: 'id',
-	labelField: 'title',
-	searchField: 'title', ...
-	load: function(query, callback) {
-		if (!query.length) return callback();
-		$.ajax({
-			url: '.../rest/data/issue?@verbose=2&title='
-			    + encodeURIComponent(query),
-			type: 'GET',
-			error: function() {callback();},
-			success: function(res) {
-			  callback(res.data.collection);}
-Sets up a box that a user can type the word "request" into. Then
-selectize.js will use that word to generate an ajax request with the
-url: ``.../rest/data/issue?@verbose=2&title=request``
-This will return data like::
-{
-"data": {
-"@total_size": 440,
-"collection": [
-{
-	  "link": ".../rest/data/issue/8",
-	  "id": "8",
-	  "title": "Request for Power plugs"
-},
-{
-	  "link": ".../rest/data/issue/27",
-	  "id": "27",
-	  "title": "Request for foo"
-},
-...
-selectize.js will look at these objects (as passed to
-callback(res.data.collection)) and create a select list from the each
-object showing the user the labelField (title) for each object and
-associating each title with the corresponding valueField (id). The
-example above has 440 issues returned from a total of 2000
-issues. Only 440 had the word "request" somewhere in the title greatly
-reducing the amount of data that needed to be transferred.
-Similar code can be set up to search a large list of keywords using::
-.../rest/data/keyword?@verbose=2&name=some
-which would return: "some keyword" "awesome" "somebody" making
-selections for links and multilinks much easier.
-Hopefully future enhancements will allow get on a collection to
-include other fields. Why do we want this?  Selectize.js can set up
-option groups (optgroups) in the select pulldown. So by including
-status in the returned data::
-{
-	  "link": ".../rest/data/issue/27",
-	  "id": "27",
-	  "title": "Request for foo",
-	  'status": "open"
-},
-a select widget like::
-=== New ===
-A request
-=== Open ===
-Request for bar
-Request for foo
-etc. can be generated. Also depending on the javascript library, other
-fields can be used for subsearch and sorting.

Mercurial > p > roundup > code

comparison doc/rest.txt @ 5710:0b79bfcb3312