Reevaluate how HTTP path parameters are serialized #2267

Open
stuartwdouglas opened this issue Aug 6, 2024 · 2 comments

@stuartwdouglas
Collaborator

At the moment, if you have an HTTP request for /hello/{greeting}, it is sent over the wire as an object that looks like this:

```json
{
  "method": "POST",
  "path": "/hello/Hi",
  "pathParameters": {"greeting": "Hi"},
  "query": {},
  "headers": {},
  "body": {
    "first": "Stu",
    "greeting": "Hi",
    "last": "Douglas"
  }
}
```

This results in the greeting parameter being sent in three different places (URI, path parameters and body), without it being clear which one is actually used. This can actually be a security issue in some circumstances if the end user can get these out of sync, if the security check is performed on one value but the implementation uses a different one.

A side effect of the current implementation is that the runtime must map the path and query parameters into the body. We should investigate how we can handle this better, to allow the runtimes to map the parameters how they would like, and to not mix request parameters and body JSON in the same object.

@github-actions github-actions bot added the triage Issue needs triaging label Aug 6, 2024
@ftl-robot ftl-robot mentioned this issue Aug 6, 2024
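
The ambiguity described in the issue above, shown as an added example that is not part of the issue or the project's code: a guard that extracts each path parameter from the URI and reports every copy in `pathParameters` or `body` that disagrees with it. The function names, the route-matching logic and the second (tampered) envelope are assumptions constructed for illustration.

```python
from urllib.parse import unquote

def path_values(template, path):
    """Extract the {name} segments of a route template from a concrete path."""
    t_segs = template.strip("/").split("/")
    p_segs = path.strip("/").split("/")
    if len(t_segs) != len(p_segs):
        raise ValueError("path does not match route template")
    values = {}
    for t, p in zip(t_segs, p_segs):
        if t.startswith("{") and t.endswith("}"):
            values[t[1:-1]] = unquote(p)
        elif t != p:
            raise ValueError("path does not match route template")
    return values

def find_conflicts(template, envelope):
    """Return (name, source, uri_value, other_value) for each copy of a
    path parameter that differs from the value carried in the URI."""
    conflicts = []
    for name, uri_value in path_values(template, envelope["path"]).items():
        for source in ("pathParameters", "body"):
            container = envelope.get(source)
            if isinstance(container, dict) and name in container:
                if container[name] != uri_value:
                    conflicts.append((name, source, uri_value, container[name]))
    return conflicts

ROUTE = "/hello/{greeting}"

# The envelope quoted in the issue: all three copies agree.
CONSISTENT = {
    "method": "POST", "path": "/hello/Hi",
    "pathParameters": {"greeting": "Hi"}, "query": {}, "headers": {},
    "body": {"first": "Stu", "greeting": "Hi", "last": "Douglas"},
}

# Constructed sample: the body copy has drifted from the URI, so a check
# made on the path and a handler reading the body would see different values.
OUT_OF_SYNC = {
    "method": "POST", "path": "/hello/Hi",
    "pathParameters": {"greeting": "Hi"}, "query": {}, "headers": {},
    "body": {"first": "Stu", "greeting": "Bye", "last": "Douglas"},
}

if __name__ == "__main__":
    for env in (CONSISTENT, OUT_OF_SYNC):
        print(find_conflicts(ROUTE, env) or "consistent")
```

Rejecting any envelope with a non-empty conflict list means the value a security check sees and the value the handler uses cannot differ, whichever copy each one reads.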
@matt2e
Collaborator

matt2e commented Aug 7, 2024

Decision: come up with how we want this to work

@matt2e matt2e removed the triage Issue needs triaging label Aug 7, 2024
@matt2e
Collaborator

matt2e commented Aug 7, 2024

Proposed option: #2230
