oroinc / platform

Main OroPlatform package with core functionality.

Default for Web API Feature Toggle #1022

Closed jimohalloran closed 4 years ago

jimohalloran commented 4 years ago

Summary
In 4.1.0 a feature toggle was introduced to enable/disable the Web API. There's a config setting under System Setup > General Setup > Application Settings in the configuration pages to enable or disable the API. However when "Use Default" is checked the UI defaults to showing the "Enable API" checkbox as checked, implying the API is enabled. It is disabled, and will give a 404 error.

This is misleading, as the implication is that when a setting called "Enable API" is checked (i.e. turned on) that the API should be enabled. Having the default be the API is off, and the UI show the checkbox as checked is bad user/developer experience.

If I uncheck "Use Default", the API is enabled when the checkbox is checked, and disabled when not as expected. It's only when "Use Default" is checked, that the setting is forced to be on, but the API is actually disabled.

It seems like this only occurs in the "prod" environment. In the "dev" environment it seems to work as expected.

Steps to reproduce
Do a clean install of 4.1.0 or later. Look at the configuration page, note that "Enable API" setting is checked (but the checkbox is disabled), and "Use Default" is also checked. Make an API request.

Actual Result
The API request will 404 because the API is disabled. Even though it appears enabled in the UI.

Expected Result
The API request will 200 because the API is enabled as the UI suggests it should be.

Details about your environment

anyt commented 4 years ago

Hi @jimohalloran, Have you installed an application with the demo data?

anyt commented 4 years ago

I've just installed the oro/platform-application:4.1.0 without the demo data. By default the checkbox is unchecked:

[Screenshot 2020-06-16 at 12 16 49]

It could be a browser-specific issue (I checked in Chrome) or an application cache issue.

Please note, the system configuration is environment-sensitive. When you change the setting in a prod env it will not affect dev env without clearing the cache.

jimohalloran commented 4 years ago

So I've done a little more digging. I usually access my development OroCRM in the dev environment. I'm willing to trade a bit of page load time for the convenience of not manually loading translation files, etc. My API client was using the prod environment. Whenever I changed a config setting, I would do a complete cache flush (more on this in a bit) before I used the API. So I don't think this is an issue of config settings not propagating between environments due to cache.

When I clear cache, I stop the queue worker, websockets server and cron jobs, then run rm -rf var/cache/*, bin/console cache:warmup --env prod and bin/console cache:warmup --env dev, and start the queue worker, etc. again. This is all scripted, so everything stops, clears and starts reliably. There shouldn't be any possibility of cached data surviving in any form after this clear.

Your screenshot is interesting, because when the "Use Default" checkbox is checked, I was seeing the "Enable API" checkbox checked also. I'm also using Chrome. My database is the same one I've been developing this site on for the last 6 months, started life as a 3.1 install, which was upgraded to 4.0.x, and now 4.1.0. All migrations have been run, and demo data was not loaded. I'd expect with respect to this setting a clean install without demo data would replicate this issue, as I was not even aware of this parameter until today.

To respond to this ticket tonight, I've fired up my dev environment again, and once again checked "Use Default". Then I cleared cache as per the process described above. If I log into the "dev" environment, I can see "Enable API" is checked. But if I log into the "prod" environment, it isn't. See screenshot:

[screenshot]

So it seems as though the default is different in each environment? I've done some searches on OroApiBundle and I can't find any code that would change the default depending on environment. So this seems very odd. However, it does seem as though the API honours this default depending on the environment you use for the API, which would explain why I couldn't repro this issue in the dev environment earlier. It also explains why when I look at the configuration page in dev environment but call the API in prod it's disabled but appears like it should be enabled.

Is the default being different in dev vs prod environments by design? It's not very intuitive. I would never have expected that the default config values could be different based on the environment I'm viewing. Is this the way it is meant to be? And if so, how is it implemented? I'd be curious to see the code so I know what to look out for in future.

anyt commented 4 years ago

> Is the default being different in dev vs prod environments by design?

This is a bug. I'm able to reproduce it locally. Internal ticket id #BAP-19989

For now, as a workaround, please do not use "Use Default" for this option and define the value explicitly for both environments.

anyt commented 4 years ago

The behavior has been fixed (see: https://github.com/oroinc/orocommerce-application/commit/01d57c42e8af8d3dda9d84d53f8677722d12364f). It will be available with the next 4.1 patch release.

Thank you for your contribution!