Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I spent last week triaging the REST module issue queue, to identify the top priorities for REST to support all use cases, and to be less painful to use. This is what I came up with.
Any use case (fully decoupled, progressively decoupled, content sync)
Impossible to update Comment entity with REST: #2631774: Impossible to update Comment entity with REST (HTTP PATCH): bundle field not allowed to be updated, but EntityNormalizer::denormalize() requires itBasic config entity support: #2724823: EntityResource: read-only (GET) support for configuration entities- EntityResource: translations support: #2135829: [PP-1] EntityResource: translations support
- File uploads: #1927648: Allow creation of file entities from binary data via REST requests
- Full config entity support: #2300677: JSON:API POST/PATCH support for fully validatable config entities
REST export entity views supporting translations: #2664880: DataEntityRow doesn't respect translations- Pagination support: #2100637: REST views: add special handling for collections
- REST export views supporting pagination: #2099281: [PP-1] REST views: pagination link relations
- REST export views break the HTML view if they're on the same path: #2730497: REST Views override existing REST routes + #2772537: REST Views override existing REST GET routes + #2449143: REST views specify HTML as a possible request format, so if there is a "regular" HTML view on the same path, it will serve JSON
- REST export views: row-level caching: #2648268: REST views: row-level caching doesn't exist, unlike for other types of views
REST export views: authentication support: #2228141: Add authentication support to REST viewsHEAD requests do not work: #2752325: Automatically provide HEAD support when a REST resource supports GET
Fully decoupled
Logging in: #2403307: RPC endpoints for user authentication: log in, check login status, log out- Registering: #2291055: REST resources for anonymous users: register
CORS (to put D8 on different domain): #1869548: Opt-in CORS support
DX
Content-Type request header missing: #2659070: REST requests without Content-Type header: unhelpful response significantly hinders DX, should receive a 415 responseX-CSRF-Token request header missing: #2681911: REST requests without X-CSRF-Token header: unhelpful response significantly hinders DX, should receive a 401 response- GET/PATCH/DELETE to /node, but POST to /entity/node: #2293697: EntityResource POST routes all use the confusing default: use entity types' https://www.drupal.org/link-relations/create link template if available
Configuring REST is a PITA: #2308745: Remove rest.settings.yml, use rest_resource config entitiesConfiguring REST permissions is a PITA: #2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resourcesSimplify REST configuration: #2721595: Simplify REST configuration
General reliability, maintainability & DX
#2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method — this actually relates to many of the above issues, and would provide much, much stronger assurances that REST works as expected & intended.
Comments
Comment #2
Wim LeersOne down :)
Comment #3
dawehnerAdded another issue which could be interesting: #2721595: Simplify REST configuration
Comment #4
aneek CreditAttribution: aneek as a volunteer commentedHello can this be added to this list #2653318: While in maintenance mode, REST routes respond with HTML instead of XML/JSON/…?
Comment #5
Wim Leers#4I don't consider that a top priority: it's an edge case. Everything listed in the top priorities is a huge problem/gap. Don't worry, it will get fixed. I moved it to the
rest.module
component for better visibility, so we don't forget about it.Comment #6
marthinal CreditAttribution: marthinal commented@Wim IMHO #2310307: File needs CRUD permissions to make REST work on entity/file/{id} would be a critical issue here if we want to upload files. AFAIK we want to create 2 entities in the same request and avoid to create the File and then the node(or the custom entity). @alexpott told me that we want to avoid the current solution("everybody can upload files").
And #1927648: Allow creation of file entities from binary data via REST requests uses this patch...
Comment #7
dawehnerComment #8
dawehnerAdding another issue to it: #2228141: Add authentication support to REST views
Comment #9
Wim LeersComment #10
Wim LeersOops, pasted the wrong issue ID.
Comment #11
Wim LeersOne down: #2730497: REST Views override existing REST routes.
Comment #12
Wim LeersYay, #2631774: Impossible to update Comment entity with REST (HTTP PATCH): bundle field not allowed to be updated, but EntityNormalizer::denormalize() requires it landed! The highest priority issue, because it literally made REST broken/impossible to use for many use cases!
Comment #13
Wim LeersClarify the different levels of config entity support.
Comment #14
Wim LeersComment #15
Wim LeersYay, #2724823: EntityResource: read-only (GET) support for configuration entities landed!
Comment #16
Wim LeersYay, #2308745: Remove rest.settings.yml, use rest_resource config entities landed! That unblocked #2721595: Simplify REST configuration.
Comment #17
Wim Leers#2752325: Automatically provide HEAD support when a REST resource supports GET was just reported, this is another significant bug.
Comment #19
Wim LeersYay, #2228141: Add authentication support to REST views landed!
Comment #20
larowlanOne more for consideration #2758897: Move rest module's "link manager" services to serialization module
Comment #21
tedbowI just wanted to try highlight a list of issue that would be great to get done before the Feature freeze for 8.2.0-beta1. I think this is Week of August 3, 2016.
Issues that are new Features or tasks, not listing but because I don't think they are affected by the freeze.
Very Close - could be done by deadline
#2403307: RPC endpoints for user authentication: log in, check login status, log out with related #2753681: Move CSRF header token out of REST module so that user module can use it, as well as any contrib module
#2291055: REST resources for anonymous users: register
Not as close
#1927648: Allow creation of file entities from binary data via REST requests
#1869548: Opt-in CORS support
#2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resources
Seems unlikely
#2099281: [PP-1] REST views: pagination link relations
#2300677: JSON:API POST/PATCH support for fully validatable config entities
#2135829: [PP-1] EntityResource: translations support
Not started but does is this test so is it affected by feature freeze? #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
BTW: I could be totally wrong about above. Let me know. I was partly doing it for my own benefit to figure out what is the most important to work on.
Comment #22
dawehner#2113345: Define a mechanism for custom link relationships is an issue someone could review. If someone needs something special: #1928868: Typed config incorrectly implements Typed Data interfaces is up there for review. This will enable POST/PATCH of config entities.
Especially the later would be nice because we need probably a full release to add the required constrains so we can start supporting updates.
Comment #23
Wim Leers#21: thanks for that! I mostly agree. There are two things where I disagree:
So: +1 for attempting to land the following in the next few weeks:
You're right that #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method can happen after feature freeze. But, of course, it'll mean less clean tests in the ones above. Then again, most of those already have their tests written already anyway. So I think it's fine. #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method will put us in a great position to make D8 REST "best-in-class" in 8.3, per #2757967: API-first initiative.
#22: I reviewed #2113345: Define a mechanism for custom link relationships. I can't review #1928868: Typed config incorrectly implements Typed Data interfaces — that needs review from a Typed Data maintainer.
Comment #24
Wim LeersComment #25
dawehnerIt almost feels as if noone could review it :)
Comment #26
Wim LeersYou'll need to bribe a Typed Data maintainer :P
Comment #27
jacov CreditAttribution: jacov as a volunteer commentedfor another step toward api first & truly decoupling, voting for: #2771353: Support "auto-create" entity references by value (instead of by ID/UUID), just like tags are auto-created in the content creation UI
Comment #28
jacov CreditAttribution: jacov as a volunteer commentedshow stopper: #2772413: REST GET fails on entity/taxonomy_vocabulary/{id} 403 Forbidden with error
Comment #29
jacov CreditAttribution: jacov as a volunteer commentedComment #30
jacov CreditAttribution: jacov as a volunteer commentedComment #31
Wim Leers@jacov: Can you please not mark all of your own issues as "top priorities"? Can you leave that to the people maintaining the module, who are used to triaging incoming issues, and who have a much better understanding of the relations between different issues? Thanks.
Comment #32
dawehner@jacov
One thing you always have to keep in mind. Critical in an issue doesn't mean its critical for you, but rather the site. Each major is most likely a critical issue aka. show blocker on actual sites, but we cannot treat Drupal core as a union of sites. This simply doesn't scale.
Comment #33
Wim LeersApparently @jacov even put all of his top priorities at the very top of each list in the issue summary. I'm sorry, but that's just plain rude.
Comment #34
dawehnerThank you @Wim Leers for cleaning up this mess!
Comment #35
Wim LeersAdding #2772537: REST Views override existing REST GET routes to point 9.
Comment #36
Wim Leers#2721595: Simplify REST configuration and #1869548: Opt-in CORS support landed!
Comment #37
Wim LeersForgot to update the IS for #36.
Comment #38
Wim LeersLet's keep this issue just for Drupal 8.2.x. We can create a new Plan issue for 8.3.x later. That will keep both issues manageable in size, and they'll provide useful reference points in the future.
Comment #39
dawehnerGood idea. In general there are also things which are pure bug fixes, that can land more or less at any point, and there are more task/featurish things, which should be prioritized in the next 2 weeks.
Comment #40
Wim Leers#2403307: RPC endpoints for user authentication: log in, check login status, log out landed too!
#39: Exactly :)
Comment #41
Wim Leers#2659070: REST requests without Content-Type header: unhelpful response significantly hinders DX, should receive a 415 response landed!
Comment #42
Wim Leers#2752325: Automatically provide HEAD support when a REST resource supports GET landed!
Comment #43
Wim LeersComment #44
Wim Leers#2681911: REST requests without X-CSRF-Token header: unhelpful response significantly hinders DX, should receive a 401 response landed!
Comment #45
Wim Leers#2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resources landed!
Comment #46
dawehnerAfter trying to use the new configuration entity based system, I think we should fix #2777969: Provide an example REST configuration entity
Comment #48
Wim LeersThanks everybody for helping out here!
I'm proud of the progress we've made. We've tackled lots of tricky problems.
rest.module
is in a much better place now! We fixed the majority of things listed here.Note that of the 34 issues are tagged with , 9 are for REST module!, that's more than 25%!
Now it's time to move on to 8.3.x. I've opened #2794263: REST: top priorities for Drupal 8.3.x for that, which is the continuation of this issue.
Finally, I'll still work on getting #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method in 8.2, because that's only adding test coverage. It may uncover bugs, but those bugs need to be fixed in 8.2 anyway. If you're planning to use D8.2's REST API, you may want to follow that issue. If you're looking to use D8's REST API later, starting early next year, you may want to follow #2794263: REST: top priorities for Drupal 8.3.x, because 8.3 will be finalized near the end of Q1 2017.
Thanks, and see you around!
Comment #49
Wim LeersComment #51
Wim LeersPer #2794263-39: REST: top priorities for Drupal 8.3.x and #2794263-49: REST: top priorities for Drupal 8.3.x.