solid / solid-spec

Solid specification draft 0.7.0
Creative Commons Zero v1.0 Universal

RFE: non-racy account creation #125

Open sourcejedi opened 5 years ago

sourcejedi commented 5 years ago

recommendations-client.md:

Before creating new accounts, client applications must be able to check whether or not an account exists. To do that, clients only need to send a HEAD request to the account root URI [...] If the HTTP status code returned is 200, then it means an account with that name exists already.

If the status code returned is 404, it means that the account is available.

Once the client application has verified that the account is available, it can now proceed to create it. To do so, it must submit a form (or emulate it) to the account URI it previously checked (e.g. alice.example.org), containing at least the following form parameter names...

This is racy. The best solution is to define a structured error response, with "already exists" as one of the possibilities.

Checking an account in advance can be useful - e.g. for very quick feedback as the user is typing - but defining this as a "must" is sub-optimal.

sourcejedi commented 5 years ago

Ah, I found some interesting comments. I think clients can already get a structured error response if they want, by using If-None-Match: *. The error would be HTTP 412 "Precondition Failed".

RubenVerborgh commented 5 years ago

I honestly think this should not even be in the spec. Account creation should be up to the individual providers.

dmitrizagidulin commented 5 years ago

I'm a little puzzled by this issue's title. What is 'RFE'? And what is 'racy' supposed to mean in this context? I just searched for the definition of 'racy' again, just to double check -- "(of speech, writing, or behavior) lively, entertaining, and typically mildly titillating". So I assumed you were talking about account IDs as swear words or something...

sourcejedi commented 5 years ago

Shorthand for a race condition. Sorry for the unclearness.

Two clients can race trying to create the same account at once. Only one can win. The other should receive an informative error.

If it was an RFC-style "MUST" for all clients to check whether the account exists before attempting to create it, it suggests that there is some unfortunate problem with the "already exists" error response.

(Maybe it's a legacy detail to do with browsers and client certificates. But in that case it would not apply to all clients).

sourcejedi commented 5 years ago

RFE stands for Request For Enhancement i.e. feature request. It's an attempt to say I'm coming in as an outsider, I have a suggested enhancement, without claiming your project has a bug. I might think it's probably a bug, but it's not my project, you should set your own priorities about what you work on :-).

Ryuno-Ki commented 5 years ago

Reading the blockquote above I wonder what is supposed to happen if the client receives neither a 200 nor 404 … (like, a 500).
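
The race described in this thread and the `If-None-Match: *` alternative, as an added example that is not part of the issue or the Solid spec. `AccountServer`, `outcome` and the client names are hypothetical; the in-memory server, its last-writer-wins handling of unconditional requests, and treating any unexpected status as an error are assumptions of the example.

```python
import threading

class AccountServer:
    """Constructed in-memory stand-in for the account endpoint (not Solid server code)."""

    def __init__(self):
        self.accounts = {}
        self._lock = threading.Lock()

    def head(self, name):
        # Advance check from the quoted text: 200 = exists, 404 = available.
        return 200 if name in self.accounts else 404

    def create(self, name, owner, headers=None):
        conditional = (headers or {}).get("If-None-Match") == "*"
        with self._lock:  # existence test and write form one atomic step
            if name in self.accounts and conditional:
                return 412  # Precondition Failed: the name is already taken
            # Assumption: an unconditional request is applied as sent (last writer wins).
            self.accounts[name] = owner
            return 201

def outcome(status):
    # Only the expected codes are interpreted; anything else is an error.
    return {201: "created", 412: "exists"}.get(status, "error")

def check_then_create(server, name, owners):
    # Worst-case interleaving: every client finishes its HEAD check before any submits.
    checks = [server.head(name) for _ in owners]
    return [outcome(server.create(name, o)) if c == 404 else "exists"
            for o, c in zip(owners, checks)]

def conditional_create(server, name, owners):
    # No advance check: each client submits with If-None-Match: * from its own thread.
    results = {}
    def submit(owner):
        results[owner] = outcome(server.create(name, owner, {"If-None-Match": "*"}))
    threads = [threading.Thread(target=submit, args=(o,)) for o in owners]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

if __name__ == "__main__":
    racy = AccountServer()
    print(check_then_create(racy, "alice", ["client-a", "client-b"]), racy.accounts)
    safe = AccountServer()
    print(conditional_create(safe, "alice", ["client-a", "client-b"]), safe.accounts)
```

In the check-then-create run both clients are told the account was created and the second one ends up owning it; in the conditional run exactly one client is told "created" and every other client gets the 412-derived "exists".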