UP-NextPush / server-app

UnifiedPush provider for Nextcloud - server application - Moved to https://codeberg.org/NextPush/uppush
GNU Affero General Public License v3.0

HTTP PUT is supposed to be idempotent #3

Closed karmanyaahm closed 2 years ago

karmanyaahm commented 2 years ago

Consider changing this to a POST? https://github.com/UP-NextPush/server-app/blob/73efb123232c4f82f2405a779dc5ed2504fce150/appinfo/routes.php#L10-L13

According to MDN:

The difference between PUT and POST is that PUT is idempotent: calling it once or several times successively has the same effect (that is no side effect), whereas successive identical POST requests may have additional effects, akin to placing an order several times.

Here, when calling PUT /device/ several times with the same deviceName, it creates a new device each time, which is more suitable for POST than PUT.

Edit: the same would probably apply to createApp

p1gp1g commented 2 years ago

The main reason was to easily prevent CSRF. Modern browsers do an OPTIONS before a PUT and abort if the CORS doesn't match.

Actually, the @CORS decoration requires a bearer header which does the same. But I did the PUT before doing the endpoint rules.

I'd say, PUT /device/ several times always creates a new device id whether there is already one with the same name :)

karmanyaahm commented 2 years ago

Ok, that makes sense