JSONP support

[organisciak]

Unless I'm mistaken, the API won't be accessible across domains in Javascript. It would be really nice to support JSONP, then clients (the GUI foremost) don't have to be on the same system as the API.

A search for "python jsonp" returned a JSONP extension for Flask. So, for the path of least resistance, I'll extend the Flask-based minimal server that I wrote a few weeks ago with that library. However, since we seemed in agreement that my Flask implementation overlaps with bookworm server and will eventually be pulled out, we should discuss how to implement it into the regular dbbindings.py.

That is, unless I'm mistaken about there not being support currently.

[organisciak]

Assigning to myself, at least for the band-aid approach of extending the Flask implementation.

[borice]

You should consider using CORS. Edit: http://enable-cors.org/

[bmschmidt]

So CORS would be a solution lying entirely in the webserver configuration?

One note: A full implementation of JSONP will require fulfilling the split in this issue, since you would also want a JSONP version of the book arrays.

[bmschmidt]

A third option would be to extend the general_API class to make a call over the web to a different host. The client wouldn't even know.

1. Allow a 'host' field in the API.
2. If 'host' is specified and not localhost or a synonym, then instead of running the query locally just build the url for where the query is going (without host as a term this time). Then just pass through the results to the client.

This is probably slower than the other two results unless there's some nice way to just route the results through an internet connection rather than processing them on python on the intermediate server, but might be the easiest to implement.

[borice]

@bmschmidt To use CORS all you have to do is set appropriate headers in your API response. The rest is up to the web browser. All modern browsers I came across support it...

Here's a Python example of how to set those to allow requests from everywhere:

 # set CORS headers
response.headers['Access-Control-Allow-Origin'] = '*'
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'

[organisciak]

Boris, thanks, CORS is a more elegant solution than JSONP.

I tested it with a local GUI on my PC accessing a server-based API and it works great. Ben, unless you have objections, I'll commit the update to dbbindings.py.

Regarding Ben's earlier message, changing the host is useful for two real but different issues. The first is changing the host in the client, which we're working on at the moment for the BookwormGUI. This is necessary even for the same server because sometimes you may want the API to be in a different location than cgi-bin/dbbindings.py. The second is changing the mysql host for the API, which we have a ticket on already. This one I'm driving on because in the Docker implementation, the DB is never on localhost, regardless of whether it's on the same machine or not.

On Thu, Feb 18, 2016 at 8:44 AM Boris Capitanu notifications@github.com wrote:

@bmschmidt https://github.com/bmschmidt To use CORS all you have to do is set appropriate headers in your API response. The rest is up to the web browser. All modern browsers I came across support it...

Here's a Python example of how to set those to allow requests from everywhere:

set CORS headers

response.headers['Access-Control-Allow-Origin'] = '*' response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS' response.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, ' \ 'X-Requested-With, X-CSRF-Token'

— Reply to this email directly or view it on GitHub https://github.com/Bookworm-project/BookwormDB/issues/94#issuecomment-185783644 .

[bmschmidt]

Thanks Boris and Peter.

CORS sounds like the best solution to me. Patch welcomed.

[organisciak]

Added in 35cf1ef.