jumpinjackie / mapguide-rest

REST Extension for MapGuide Open Source
GNU Lesser General Public License v2.1

Send session in POST & PUT requests ? #197

Closed AlenKelemen closed 4 years ago

AlenKelemen commented 4 years ago

How do I send the session in POST & PUT requests where the body is a JSON feature definition? In the mapguide-rest API Reference, POST & PUT set only sessionId in the body and (of course) return a 'Malformed JSON body' error.

jumpinjackie commented 4 years ago

Do you have an example POST/PUT route?

AlenKelemen commented 4 years ago

Just use the Mg API reference (../mapguide/rest/doc/index.html#!/library/InsertFeatures) and set the session. You can see that the complete body is lost and only the session is sent. It occurs only with POST and PUT; DELETE works OK, for instance.

AlenKelemen commented 4 years ago

In my code DELETE looks like:

```js
fetch(this.url_, {
  method: 'DELETE',
  // Session id and filter travel together as form fields in the body
  body: `session=${this.sessionId_}&filter=${filter}`,
  headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' }
})
```

So we need to include session in POST/PUT body.

jumpinjackie commented 4 years ago

Ok this is an actual oversight of the API and possibly many others under /library that take POST/PUT requests with XML/JSON bodies. The fact that the swagger docs show a session field in the operation test UI is a case of sloppy copy-pasting of the operation metadata.

I think the easiest fix with the least amount of descriptiveness is to allow passing the session id as a request header of the POST/PUT request and have our relevant controller actions make sure to check the request header for the session id before checking any other places. Then there's the challenge of making sure that we can instruct swagger to make sure that session id field populates as a request header value.

jumpinjackie commented 4 years ago

Could you give d1a9e8c45a2a661f6d8792761ffacdfe1577f5c0 a go? I've fixed the swagger metadata for full-body POST/PUT operations to allow passing a session id through a new X-MG-SESSION-ID request header (that the swagger UI should provide a field for)

AlenKelemen commented 4 years ago

Works fine... I had to 'add X-Requested-With' to config.php:

```php
"MapGuide.Cors" => array(
    "origin" => "http://localhost:1234",
    "exposeHeaders" => array("Authorization,Content-Type"),
    "maxAge" => 1728000,
    "allowCredentials" => True,
    "allowMethods" => array("POST, GET, PUT, DELETE, OPTIONS"),
    "allowHeaders" => array("Authorization,Content-Type,x-mg-session-id")
),
```

To use it in fetch then I can do:

```js
fetch(`${basePath}`, {
  method: 'POST',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    // Session id goes in the request header, leaving the body free for the JSON payload
    'X-MG-SESSION-ID': `${loginData.session}`
  },
  body: JSON.stringify(body)
})
```
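Why the custom header needed a CORS change, shown as an added example that is not part of the thread or of mapguide-rest: a simplified model of the browser's preflight decision, run against constructed copies of the config and the POST above. `checkCors`, `threadCors` and `threadPost` are hypothetical names, and the model assumes each `MapGuide.Cors` value is sent unchanged as the matching `Access-Control-Allow-*` response header.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Lower-cased header names the browser lists in Access-Control-Request-Headers.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === 'content-type') return !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase()).sort();
}

// Accepts allow lists written as ["a,b"] (as in the thread) or ["a", "b"].
function toSet(list) {
  return new Set(list.flatMap(s => s.split(',')).map(s => s.trim().toLowerCase()).filter(Boolean));
}

// cors uses the MapGuide.Cors key names from the thread. Assumption: each value is
// sent unchanged as the matching Access-Control-Allow-* response header.
function checkCors(cors, origin, req) {
  const method = req.method.toUpperCase();
  const requested = unsafeHeaders(req.headers);
  const needsPreflight = requested.length > 0 || !SAFE_METHODS.has(method);
  const problems = [];
  // With credentials the allowed origin must match exactly; "*" is not accepted.
  const originOk = cors.origin === origin || (cors.origin === '*' && !req.credentials);
  if (!originOk) problems.push(`origin ${origin} not allowed`);
  if (req.credentials && !cors.allowCredentials) problems.push('credentials not allowed');
  if (needsPreflight) {
    if (!SAFE_METHODS.has(method) && !toSet(cors.allowMethods).has(method.toLowerCase()))
      problems.push(`method ${method} not in allowMethods`);
    const allowed = toSet(cors.allowHeaders);
    for (const h of requested) if (!allowed.has(h)) problems.push(`header ${h} not in allowHeaders`);
  }
  return { needsPreflight, requested, problems };
}

// Constructed sample mirroring the config and the POST posted in the thread.
const threadCors = { origin: 'http://localhost:1234', allowCredentials: true,
  allowMethods: ['POST, GET, PUT, DELETE, OPTIONS'],
  allowHeaders: ['Authorization,Content-Type,x-mg-session-id'] };
const threadPost = { method: 'POST', credentials: true, headers: {
  'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
  'X-MG-SESSION-ID': 'constructed-session-id' } };
console.log(checkCors(threadCors, 'http://localhost:1234', threadPost));
```

Dropping `x-mg-session-id` from `allowHeaders` makes the same call report the header as rejected, which is the failure a browser client hits when the server does not list the custom header.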