Default route version invoked when garbage Accept header supplied

bploetz / versionist

A plugin for versioning Rails based RESTful APIs.

MIT License

971 stars 51 forks source link

Default route version invoked when garbage Accept header supplied #58

Closed theirishpenguin closed 10 years ago

theirishpenguin commented 10 years ago

Given the following route with a default, eg.

MyApi::Application.routes.draw do
  api_version(:module => "V20120317", :header => {:name => "Accept", :value => "v20120317"}, :default => true) do
  end
end

When I supply any garbage Accept Header (eg. application/garbage) it matches the default route version.

Is there a way to only match the default route version in the absence of an Accept header - so that it does not match in the presence of a garbage Accept header?

bploetz commented 10 years ago

If you omit the Accept header altogether, then the default version would still be served up, as there's no version being explicitly requested. In other words, no Accept header and an Accept header that doesn't contain a supported version string are essentially the same thing, and will result in the same behavior (version not found, serve up default if configured).

theirishpenguin commented 10 years ago

If you omit the Accept header altogether, then the default version would still be served up, as there's no version being explicitly requested.

That's cool, and I like this behaviour.

No Accept header and an Accept header that doesn't contain a supported version string are essentially the same thing

This is not the behaviour I'd expect. Let's say a third party dev is trying to call my API...

I have four versions available - v1, v2, v3 and v4
They want to target v3
I've made v1 the default version
They should use Accept: application/blah.v3 but they accidentally put in Accept: application/blah.3 (they omit the 'v' by accident)
Suddenly they are hitting the v1 API and it looks like it's working. I'd like it to not work in this case - so that they don't get the false assumption that there are hitting the v3 API.

What do you think? Maybe it's just me :)

bploetz commented 10 years ago

I would suggest you simply do not configure a default version if you're worried about this scenario. Without a default version configured, when they request application/blah.3 they'll get a routing error (i.e. 404). It will fail fast, and they'll know something is amiss, instead of being lulled into a false sense of security while they unknowingly hit the wrong version.

theirishpenguin commented 10 years ago

Sure. I'd like to have a default just to make it easy for someone to consume with needing to worry about Accept headers. I'll figure out a workaround. Thanks for the quick replies.

johnkelly commented 9 years ago

@theirishpenguin Did you find a workaround for this? I'm facing the same issue where I'd like to distinguish garbage Accept headers from the absence of an accept header.

theirishpenguin commented 9 years ago

@johnkelly I haven't worked with this stuff for a while. But I don't think I did find a workaround at the time.