Update HTTP status codes #18063
Hmm, changing status code could break some existing tools out for Gitea which could expect a specific status code.
routers/api/v1/org/member.go
Outdated
@@ -161,7 +161,7 @@ func IsMember(ctx *context.APIContext) { | |||
} | |||
|
|||
redirectURL := setting.AppSubURL + "/api/v1/orgs/" + url.PathEscape(ctx.Org.Organization.Name) + "/public_members/" + url.PathEscape(userToCheck.Name) | |||
ctx.Redirect(redirectURL, 302) | |||
ctx.Redirect(redirectURL, http.StatusTemporaryRedirect) |
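Review bot: On the `ctx.Redirect(redirectURL, http.StatusTemporaryRedirect)` line, the response code for this lookup moves from 302 to 307, so any caller that asserts on the literal 302 will see a different result; the endpoint's API documentation and the release notes should state the new code. The hunk does not show `net/http` in the imports of member.go, so confirm the import is present. Both variable parts of `redirectURL` still pass through `url.PathEscape`, which is what a Location value built from user and organization names needs.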
In a sense, this is breaking as this will return a different status code now.
Although it might break some old HTTP clients, IMO these old HTTP clients should upgrade themselves to support modern HTTP status codes. 😀
Does a practical tool really check "if I send request x it should always be redirected"?
> Although it might break some old HTTP clients, IMO these old HTTP clients should upgrade themselves to support modern HTTP status codes. 😀

Well not only that, certain tools built for gitea could have a check that expects a specific statusCode, e.g. 302

> Does a practical tool really check "if I send request x it should always be redirected"?

In a certain sense they work the same, but from experience, tools can differ in the implementation and the behavior as the specs aren't clear on it.
@silverwind are we ok with turning these StatusFounds into StatusTemporaryRedirect?
We need to check that our form submissions that end up being redirected still load the page correctly after this change because with 307/308 browsers will not change method to
Just a note: Browsers are not supposed to change the method to
Yep, we might keep 302 for login forms / logout request, etc, since they are fine now. Maybe we can keep most 301/302, and only use 307/308 if there is really a necessary case. For most cases, 301/302 are still correct and won't bring problems.
Here is a quick check per file (tests excluded):
I think most of the time we used 302 it should more likely be a 303 to enforce the use of GET.
True, the spec forbids a method change during 302 redirection, but I'm not sure what the current status of this behavior is in modern browsers. MDN refers to them as "bugged software" while Wikipedia says "popular browsers", so it might just be that this behaviour was already corrected and we don't need to worry about it. 303 redirection on the other hand seems to be specced to change method to
Yes, our OAuth handling is wrong as per spec
We use 302 at the moment. The NotFound handler should become 303 too because it redirects all requests to the root url.
Agree, we should remove all usage of 302 and replace it with either
API should probably exclusively use 307 and 308, while form submissions may need 303 to work.
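The method-handling difference the comments above debate, shown with Go's standard HTTP client; this is an added example, not code from the PR or from Gitea. The `/submit` and `/dest` paths, the `X-Seen-Method` header and the form body are constructed for the illustration. The point a reviewer should take from it: after 307/308 the client replays the POST body to the redirect target, while after 301/302/303 it issues a bodiless GET.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleForm is a constructed request body standing in for a submitted form.
const sampleForm = "user=alice&token=constructed-value"

// followPOST posts sampleForm to a local test server whose /submit handler
// redirects to /dest with the given status, lets Go's default client follow
// the redirect, and returns the method and body that reached /dest.
func followPOST(status int) (method, body string, err error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/submit", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/dest", status)
	})
	mux.HandleFunc("/dest", func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		w.Header().Set("X-Seen-Method", r.Method) // hypothetical header, for the demo only
		w.Write(b)                                // echo whatever body arrived
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	resp, err := http.Post(srv.URL+"/submit",
		"application/x-www-form-urlencoded", strings.NewReader(sampleForm))
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	echoed, err := io.ReadAll(resp.Body)
	return resp.Header.Get("X-Seen-Method"), string(echoed), err
}

func main() {
	for _, status := range []int{301, 302, 303, 307, 308} {
		m, b, err := followPOST(status)
		if err != nil {
			fmt.Println(status, "error:", err)
			continue
		}
		fmt.Printf("%d %-18s -> %s body=%q\n", status, http.StatusText(status), m, b)
	}
}
```

Other clients may treat 301/302 differently from Go's, which is the compatibility concern raised in the thread; 303, 307 and 308 are the codes whose method handling is fixed by the specification.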
I created a table with all redirect calls which contains a reason for every change. I have added a comment if I was not sure or there is something else. Please have a look at it.
Is this ready?
Yes.
Since this is a breaking change, this PR should have a detailed explanation in the release notes. If an existing tool breaks as a result, it will help the person impacted by the problem to figure out why it happened. Otherwise they will be left with a breakage that would be difficult to diagnose.
There should be a solid rationale to justify a breaking change in Gitea. Something like a list of pros and cons that anyone could read to understand why the breaking change was necessary. In other words, the associated problems caused by the breaking change for Gitea users and software depending on Gitea have to be justified so that people that will have to do extra work because of it can be convinced this is for the greater good.
The API surface does not change (except from
I'm confused then. In what respect is this PR introducing a breaking change? My understanding is that it is not related to the structure of the pages but to the http status changing:
Which may impact known tools depending on Gitea and strict conformance to the specs cannot be expected at all times. Are you referring to something else?
The tools you mentioned use the API which does not change with this PR.
This PR is marked as
I'd just like to say that there is a specified format currently for breaking PRs: see https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#code-review
To me, I think this PR is not that If most people agree to move on, we had better get this merged ASAP, otherwise conflicts would come ....
No objection since one month ago. If CI passes, this PR can be merged.
@go-gitea/maintainers merged. Please help to double check.
* giteaofficial/main:
  - Bump minimist from 1.2.5 to 1.2.6 (go-gitea#19194)
  - Changelog for 1.16.5 (go-gitea#19189) (go-gitea#19192)
  - Fix showing issues in your repositories (go-gitea#18916)
  - Update issue_no_dependencies description (go-gitea#19112)
  - Prevent redirect to Host (2) (go-gitea#19175)
  - Prevent start panic due to missing DotEscape function
  - Fix compare link in active feeds for new branch (go-gitea#19149)
  - Redirect .wiki/* ui link to /wiki (go-gitea#18831)
  - Try to prevent autolinking of displaynames by email readers (go-gitea#19169)
  - Update HTTP status codes to modern codes (go-gitea#18063)

* 2xx/3xx/4xx/5xx -> http.Status...
* http.StatusFound -> http.StatusTemporaryRedirect
* http.StatusMovedPermanently -> http.StatusPermanentRedirect
From MDN: