TBD54566975 / ftl

FTL - Towards a 𝝺-calculus for large-scale systems
https://tbd54566975.github.io/ftl/
Apache License 2.0

Reevaluate how HTTP path parameters are serialized #2267

Open stuartwdouglas opened 1 month ago

stuartwdouglas commented 1 month ago

At the moment, if you have an HTTP request for /hello/{greeting}, it is sent over the wire as an object that looks like this:

{
  "method": "POST",
  "path": "/hello/Hi",
  "pathParameters": {"greeting": "Hi"},
  "query": {},
  "headers": {},
  "body": {
    "first": "Stu",
    "greeting": "Hi",
    "last": "Douglas"
  }
}

This results in the greeting parameter being sent in three different places (URI, path parameters and body), without it being clear which one is actually used. This can actually be a security issue in some circumstances if the end user can get these out of sync, if the security check is performed on one value but the implementation uses a different one.

A side effect of the current implementation is that the runtime must map the path and query parameters into the body. We should investigate how we can handle this better, to allow the runtimes to map the parameters how they would like, and to not mix request parameters and body JSON in the same object.
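
A consistency check over the wire object quoted above, as an added example that is not part of the issue or of FTL's code: it flags a request whose copies of a path parameter disagree, so an ingress or handler can reject it before any authorization decision is made on one copy. The names `wireRequest` and `Conflicts` are hypothetical, and the out-of-sync sample in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// wireRequest mirrors the fields of the JSON object quoted in the issue.
type wireRequest struct {
	Path           string                 `json:"path"`
	PathParameters map[string]string      `json:"pathParameters"`
	Body           map[string]interface{} `json:"body"`
}

// Conflicts reports each parameter of a route pattern ("/hello/{greeting}")
// whose copies in path, pathParameters and body disagree (no percent-decoding).
func Conflicts(pattern string, raw []byte) ([]string, error) {
	var req wireRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	pat := strings.Split(strings.Trim(pattern, "/"), "/")
	seg := strings.Split(strings.Trim(req.Path, "/"), "/")
	if len(pat) != len(seg) {
		return nil, fmt.Errorf("path %q does not match %q", req.Path, pattern)
	}
	var out []string
	for i, p := range pat {
		if !strings.HasPrefix(p, "{") || !strings.HasSuffix(p, "}") {
			continue // literal segment, nothing duplicated
		}
		name := p[1 : len(p)-1]
		if v, ok := req.PathParameters[name]; !ok || v != seg[i] {
			out = append(out, fmt.Sprintf("%s: path=%q pathParameters=%q", name, seg[i], v))
		}
		if b, ok := req.Body[name]; ok {
			if s, isStr := b.(string); !isStr || s != seg[i] {
				out = append(out, fmt.Sprintf("%s: path=%q body=%v", name, seg[i], b))
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: the issue's object with the three copies out of sync.
	raw := []byte(`{"method":"POST","path":"/hello/Hi","pathParameters":{"greeting":"Hey"},"query":{},"headers":{},"body":{"first":"Stu","greeting":"Yo","last":"Douglas"}}`)
	fmt.Println(Conflicts("/hello/{greeting}", raw))
}
```

The object exactly as quoted in the issue yields no conflicts; the constructed sample yields two, one for each copy that differs from the URI segment.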

matt2e commented 1 month ago

Decision: come up with how we want this to work

matt2e commented 1 month ago

Proposed option: #2230