#ring-swagger
2017-05-08
eoliphant15:05:04

hi i’m having a weird problem I have a pretty simple route

(POST "/actions" []
      :return       String
      :body-params [action :- String]
      :summary      "Add a new action"
      (let [retval (act/add-action action)]
        (if (f/failed? retval)
          (bad-request (f/message retval))
          (ok "abc"))))

eoliphant15:05:34

I’m using the failjure library and basically (add-action) potentially returns a “Failure” which will trigger (f/failed). The issue I’m having is that when the if is true, i’m getting the 400 error code as expected, but the return of (f/message), a string, is getting sent with an application/octet-stream mime-type

juhoteperi15:05:17

If you are going to return a String, you'll have to provide the content-type yourself.

juhoteperi15:05:30

Does the success get correctly content-type JSON? I guess it will as you have :return String set

juhoteperi15:05:28

Compojure-api will set the content-type to JSON or transit etc. IF you have set return schema or it can detect that the response is serializable (is collection like map or vector)

juhoteperi15:05:45

string is not considered serializable, so you need to have return schema set if you want to use that

juhoteperi15:05:59

:return only sets return schema for 200 response

juhoteperi15:05:24

to set schema for 400 response you need :responses {400 {:schema String}}

juhoteperi15:05:51

reason why strings are not serialized by default is that that would cause problems when users try to return raw JSON responses etc.

eoliphant15:05:11

yes it’s a little weird. The (ok “abc”) actually gets an application/json even though that’s not the case either lol. I actually tried this (bad-request {:message (f/message retval)}) and that did what was expected

juhoteperi15:05:24

Also, I'd recommend returning maps ~always

eoliphant15:05:50

getting there

juhoteperi15:05:51

Some older browsers don't even support strings as top level JSON objects (old IE or something)

eoliphant15:05:11

yeah fair enough as it’s not valid json

juhoteperi15:05:13

And there are security problems in certain JSON parsers when top level object is something other than Object

eoliphant15:05:37

so even say arrays etc?

juhoteperi15:05:37

It is in fact valid JSON, RFC 7159 allows it

eoliphant15:05:44

didn’t realize that

eoliphant15:05:54

a plain string was ok

juhoteperi15:05:58

previous RFC 4627 only allowed objects and arrays

eoliphant15:05:16

ok so I’ll go the map route

eoliphant15:05:36

this is good timing as i’m making a prototype API more robust

eoliphant15:05:42

with error handling, etc

juhoteperi15:05:56

I use vector/array as top level values myself, but I think there was a security problem with that in some browsers

eoliphant15:05:06

so can just adopt map wrappers

eoliphant15:05:11

the GET version of this API

eoliphant15:05:19

returns a [String

eoliphant15:05:24

[String] just fine

eoliphant15:05:12

i know there are different schools of thought about using a standard return wrapper

juhoteperi15:05:52

Something like anyone can add your JSON url as <script src="api.json"/> to any web page and browser will load that user cookies etc and evaluate that, normally the page can't access the value as it is not set to any var, but if one redefines Array constructor to save the value somewhere it would be possible to get access to secret data

juhoteperi15:05:27

that is why google/facebook prepend for(;;); or while(1); to JSON; if someone tries to evaluate JSON using script tags, browser will hang

juhoteperi15:05:53

> No, it is no longer possible to capture values passed to the [] or {} constructors in Firefox 21, Chrome 27, or IE 10.

juhoteperi15:05:10

So it should be quite safe to return maps and vectors as JSON

eoliphant17:05:57

got pulled away

eoliphant17:05:03

cool, I’ll check that out

fabrao22:05:07

Hello all, is there any way to start compojure-api from cider-repl?

mtkp23:05:16

the value of a "defapi" from compojure-api is a function that handles ring requests