Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Currently, all available formats are enabled if supported_formats is not specified. Conversely, only Cookie auth is supposed if no supported_auth is specified.
It is a DX fail if you have two config keys which look almost the same but act in opposite ways.
Proposed resolution
Either:
All available formats and all available auth should be enabled by default... see #2064009: Review default authentication logic when no authentication methods are defined
Or:
Only enabled formats and only enabled auth should be enabled by default.
Comment | File | Size | Author |
---|---|---|---|
#42 | interdiff-42.txt | 633 bytes | juampynr |
#42 | supported-formats-2065193-42.patch | 9.66 KB | juampynr |
#37 | supported-formats-2065193-37-just-test.patch | 2.66 KB | juampynr |
#37 | interdiff_37.txt | 4.29 KB | juampynr |
#37 | supported-formats-2065193-37.patch | 9.67 KB | juampynr |
Comments
Comment #1
linclark CreditAttribution: linclark commentedOn the REST call today, Klaus said he would be on board for switching the way supported_formats works so that they have to be explicitly defined.
Comment #2
linclark CreditAttribution: linclark commentedBumping this to major since changes to config structures should probably be in ASAP.
Comment #3
klausiSo the proposal that we came up on our last meeting:
* Make supported_formats and supported_auth explicit: every method on every resource has to specify both.
* No default behavior: if either supported_formats or supported_auth is missing the config is broken and we throw errors.
* We ship a default YAML file with HAL enabled as format and basic_auth enabled as authentication.
YAML config before:
YAML config after:
The downside of this is that as soon as you have new formats or authentication providers you also have to update this config file, not wildcard possible anymore. But that will happen rarely.
Note that this also brings more consistency: enabled methods like GET, POST etc. also have to be explicitly specified and we have no wildcard there to allow all methods on a resource. So all configuration options in this YAML file work the same, work explicitly.
Comment #4
juampynr CreditAttribution: juampynr commentedHere is a first pass at it. I have not reviewed tests yet.
Should we use watchdog() to register an error when a route is not added or silently ignore it?
Comment #6
juampynr CreditAttribution: juampynr commentedHere is an improved version where I am verifying the resource structure.
While I let the testbot run all tests, I am about to review REST ones.
Comment #8
juampynr CreditAttribution: juampynr commentedRe-rolling
Comment #9
juampynr CreditAttribution: juampynr commentedSubmitting to the test bot.
Comment #11
juampynr CreditAttribution: juampynr commentedHere is another go at it. I am only making
supported_formats
available when there is a format requirement in the route.Comment #12
juampynr CreditAttribution: juampynr commentedHere I made both supported_auth and supported_formats mandatory. Error messages are logged if any of these is empty or not an array.
Comment #13
klausiPunctuation missing at the end.
Vague comment, should be something like "The configuration seems legit at this point, so we set the authentication provider and add the route."
The class property is not defined?
Otherwise this looks pretty good.
Comment #14
juampynr CreditAttribution: juampynr commentedThanks! Here it is.
Comment #15
juampynr CreditAttribution: juampynr commentedDiscussed documentation of rest.settings.yml with @klausi. Here it is.
Comment #16
juampynr CreditAttribution: juampynr commentedReviewed config with @klausi. Here it is.
Comment #17
juampynr CreditAttribution: juampynr commentedForgot to remove a phrase.
Comment #18
juampynr CreditAttribution: juampynr commentedWhat could I do without @klausi's surgeon eye? Nothing mate. Nothing.
Comment #19
klausiI'm happy if the testbot is.
Comment #20
linclark CreditAttribution: linclark commentedIt turns out that REST's auth test might not actually be testing what we want it to.
We should postpone committing this until we fix the test in #2099679: Changing the order of asserts in AuthTest::testRead makes them fail.
Comment #21
klausiWe might not need all those watchdog() calls, see #2107687: Provide configuration schema for Rest module. Anyone familiar with the config schema system? Could we use that for config validation?
Comment #22
juampynr CreditAttribution: juampynr commented#18: drupal-rest-explicit-formats-auth-2065193-18.patch queued for re-testing.
Comment #23
juampynr CreditAttribution: juampynr commentedIf tests pass now, I would rather commit this as it is and create a follow up so when #2107687: Provide configuration schema for Rest module gets in, we implement configuration schema validation. Looks like a fantastic way to validate resources.
Comment #24
klausiUnfortunately I have been told that configuration schema validation does not exist (yet?), so will have to leave this in place anyway.
Comment #25
klausiThe other issue got resolved, so this is still good to go.
Comment #26
alexpottPatch no longer applies.
Comment #27
klausiRerolled. I also changed http_basic to basic_auth in the configuration because of #2107483: Make basic_auth module and http_basic auth setting consistent.
Comment #28
Crell CreditAttribution: Crell commentedComment #29
catchREST module doesn't depend on basic_auth, so why enabling that by default for HAL? Also with the logic change doesn't this mean cookie auth is disabled when only basic_auth is specified, or am I reading wrong?
This is going to fall foul of #2090115: Don't install a module when its default configuration has unmet dependencies because the configuration depends on an optional module - which is fine but just flagging that this is the case.
Comment #30
juampynr CreditAttribution: juampynr commentedI do not see any relationship between the question and this patch.
Yes, if a REST resource just supports basic_auth, then the generated route will only accept this authentication system.
The sample configuration does not enable hal module, only defines REST resources. If hal module is not enabled, some of them (the ones for POST and PATCH methods) will simply not work.
Comment #31
catchRight this is what I mean - is that a problem? Or will they just work/not work automatically when the module is installed/uninstalled?
Comment #32
klausiIf HAL module is not available then the routes will not be exposed, so requests for nodes will not work. If basic_auth module is not enabled then only requests that are allowed for anonymous users will work.
We think that HAL and basic_auth are the most useful defaults for REST module users, while REST module does not necessarily depend on them.
So we should extend the comment at the beginning of the config file that people must enable HAL module for this to work and basic_auth if they want privileged access.
Comment #33
Crell CreditAttribution: Crell commentedIf we're going to advise people to enable basic auth, we should make sure to mention SSL for it, too. That comment is a good place for it. (And probably mention that other options are probably better; basic auth is in core to make sure we can do that sort of thing, not because basic auth is good. )
Comment #34
juampynr CreditAttribution: juampynr commentedHere it is.
Comment #35
Crell CreditAttribution: Crell commentedIs it kosher to reference contrib modules from core documentation specifically? If so, I'm fine with #43.
Comment #36
alexpottModule names in comments should be capitalised
How about?
An alternative to Basic_auth in contrib is OAuth module https://drupal.org/project/oauth
Do we have test coverage for this?
Comment #37
juampynr CreditAttribution: juampynr commentedAddressed the three suggestions given by @alexpott.
Comment #39
juampynr CreditAttribution: juampynr commentedThis is ready for review.w
Comment #40
Crell CreditAttribution: Crell commentedLet's do.
Comment #41
catchSorry I thought I'd followed up on this, but apparently I never did.
I don't think we should link directly to the oauth module - there might be a different oauth module that's better supported in three years and little chance the comment will get updated. Can reference oauth and then let google find the URL.
Otherwise this looks good so hopefully quick re-roll.
Comment #42
juampynr CreditAttribution: juampynr commentedRe-rolled since #2099439: REST's CSRF check is triggered even when using Basic Auth got committed and then removed link to OAuth module.
Comment #43
Crell CreditAttribution: Crell commentedReasonable.
Comment #44
alexpottCommitted 43a4ef2 and pushed to 8.x. Thanks!
Comment #45
juampynr CreditAttribution: juampynr commentedWriting change notification.
Comment #46
juampynr CreditAttribution: juampynr commentedDone https://drupal.org/node/2147705
Comment #48
xjm