Add Sessions API controller implementation#8089
Conversation
[skip changelog]
Backward-compatibility, works just as well
aduth
changed the title
config/routes.rb
Outdated
| get '/api/sessions' => 'api/sessions#show' | ||
| put '/api/sessions' => 'api/sessions#update' | ||
| delete '/api/sessions' => 'api/sessions#destroy' |
There was a problem hiding this comment.
This is an internal API, like only for our own JS. WDYT about prefixing with /js or /api/js to clarify that it's different from all the endpoints above, which are for external clients? Maybe add a section comment?
There was a problem hiding this comment.
Interesting thought. We have a lot of other endpoints which are internal in the same way (examples). Personally, I hadn't considered there being a distinction between internal and public-facing API, at least as reflected in the route paths. I'm not opposed to it, but I'd be curious about naming and how we work to apply the convention consistently. And I suppose we'd probably want the class namespace to reflect it as well.
Maybe something like /api/internal/sessions / Api::Internal::SessionsController ?
I guess I worry that tying it to JavaScript may be too constraining, though I'm not really sure what other use-case there'd be where we'd expect to be calling these APIs, since the underlying distinction is that these endpoints are stateful and assume to be called with the session cookie.
Another idea could be to flip the expectation, and expect that a public API would be versioned, and an internal API would be any route without a version identifier, or at least a version identifier which marks it as unstable (e.g. v0).
There was a problem hiding this comment.
I pushed a namespacing of 'internal' in 80fd09b
There was a problem hiding this comment.
oh yeah I forgot about those because we alphabetize them lower 🙈
I like the /api/internal! seems like a thing we could consider standardizing on
2 participants
🛠 Summary of changes
Extracted from #7966
This adds a new API controller for managing the user session status (retrieval, updating, and destroy). See #7966 for more context and rationale.
The reason for creating a separate pull request is to have this endpoint in place in a deployment prior to the one including JavaScript changes using the new endpoint (see related discussion).
📜 Testing Plan
rspec spec/controllers/api/sessions_controller_spec.rb$ curl -H 'Content-Type: application/json' http://localhost:3000/api/internal/sessions{"live":false,"timeout":"2023-03-28T20:24:49.584Z"}