
Comments (6)

johanandren commented on June 12, 2024 1

Thanks for the detailed write-up, sounds like it would be safest to always quote the URIs.

from akka-http.

johanandren commented on June 12, 2024

Triggering with colon or always quoting would lead to quoting rel="acl, <http://localhost:8080/ldes/defaultCF/.acl>" from your sample, which is probably not what you'd want, and always parsing to figure out if it is a URI or not seems expensive, hmmm.


johanandren commented on June 12, 2024

Or actually, maybe that is according to RFC 7230 because the value is not a valid token.


bblfish commented on June 12, 2024

Yes, so according to Postel's Law:

"Be conservative in what you do, be liberal in what you accept from others."

You should produce the headers that are most widely understandable, and that would be that URIs be quoted, but when parsing Link headers you should allow the more liberal older version (which http4s does not but should).

This would allow me to create a URL for access control:

    Link: </.acl>; rel="https://www.w3.org/ns/auth/acl#accessControl"

and this could be interpreted as saying that the resource which created the representation in which the Link header appeared has a relation named "https://www.w3.org/ns/auth/acl#accessControl" to the resource at the local relative URL /.acl.


johanandren commented on June 12, 2024

Ok, let me rephrase that, I have something like a question hiding in there:

In your issue over at http4s, the full header is Link: <http://localhost:8080/ldes/defaultCF/stream.acl>; rel=acl, <http://localhost:8080/ldes/defaultCF/.acl>; rel=https://www.w3.org/ns/auth/acl#accessControl but I don't understand how you achieved that, unless you stuffed acl, <http://localhost:8080/ldes/defaultCF/.acl> into one LinkParams.rel(...).

That would mean that defaulting to quote the whole rel would end up with ...; rel="acl, <http://localhost:8080/ldes/defaultCF/.acl>"; which seems a bit strange to me.


bblfish commented on June 12, 2024

The code that produces the ACL Link values is line 106 of BasicContainer:

    def aclLinks(acl: Uri, active: ACInfo): List[LinkValue] =
      LinkValue(acl, LinkParams.rel("acl")) :: {
        if acl == active.acl then Nil
        else LinkValue(active.acl, LinkParams.rel(BasicContainer.effectiveACLink)) :: Nil
      }

which is used, for example, on line 662:

        case OPTIONS =>
            pcmd.respondWith(HttpResponse( // todo, add more
              NoContent,
              `Accept-Post` :: Link(
                LDPLinkHeaders ::: aclLinks(uri, effectiveAcl)
              ) :: AllowHeader :: Nil
            ))
            Behaviors.same

But the problem is not the multiple links in one header. The problem comes from writing the URL in Akka. I duplicated the problem in http4s in this test which had to be ignored:

    val ht1 = """<>; rel=https://www.w3.org/ns/auth/acl#accessControl"""
    val ht1res: ParseResult[Link] = Link.parse(ht1)
    assert(ht1res.isRight, ht1res)

The above fails (I corrected the isLeft to isRight), but not if the quotes are placed around the URL.

The problem is that I can't force the quotes to be there in Akka, and this will happen a lot more often as libraries are written for the latest Link RFC. So it's better to produce the stricter code, and accept the less strict one (e.g. the above) in your incoming Link parser.
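The rule the thread converges on (emit a quoted rel whenever the value is not an RFC 7230 token, accept both quoted and bare forms when parsing) as a stand-alone Scala sketch. This is an added example, not code from akka-http, http4s or the posters; `LinkRelDemo` and its functions are hypothetical names and use no library API.

```scala
object LinkRelDemo {
  // RFC 7230 tchar: the only characters allowed in an unquoted token.
  private def isTChar(c: Char): Boolean =
    (c < 128 && c.isLetterOrDigit) || "!#$%&'*+-.^_`|~".indexOf(c) >= 0

  // Strict output: quote every rel that is not a token (':' and '/' in a URI force quotes).
  def linkValue(target: String, rel: String): String = {
    val value =
      if (rel.nonEmpty && rel.forall(isTChar)) rel
      else "\"" + rel.replace("\\", "\\\\").replace("\"", "\\\"") + "\""
    "<" + target + ">; rel=" + value
  }

  // Split on commas that sit outside <...> and outside a quoted-string.
  def splitLinkValues(header: String): List[String] = {
    val parts = List.newBuilder[String]
    val cur = new StringBuilder
    var inAngle, inQuote = false
    for (c <- header) {
      if (c == '"' && !inAngle) inQuote = !inQuote
      else if (c == '<' && !inQuote) inAngle = true
      else if (c == '>' && !inQuote) inAngle = false
      if (c == ',' && !inAngle && !inQuote) { parts += cur.toString; cur.clear() }
      else cur.append(c)
    }
    parts += cur.toString
    parts.result().map(_.trim).filter(_.nonEmpty)
  }

  // Liberal input: rel may be a quoted-string (escapes not handled here) or a bare value.
  private val LinkValueRe = """<([^>]*)>\s*;\s*rel\s*=\s*(?:"([^"]*)"|([^\s;"]+))""".r

  def parseLinks(header: String): Either[String, List[(String, String)]] = {
    val parsed = splitLinkValues(header).map {
      case LinkValueRe(target, quoted, bare) => Right((target, Option(quoted).getOrElse(bare)))
      case other                             => Left("unparseable link-value: " + other)
    }
    parsed.collectFirst { case Left(e) => e } match {
      case Some(e) => Left(e)
      case None    => Right(parsed.collect { case Right(v) => v })
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed input: the header quoted in the thread, with rel unquoted.
    val lenient = "<http://localhost:8080/ldes/defaultCF/stream.acl>; rel=acl, " +
      "<http://localhost:8080/ldes/defaultCF/.acl>; rel=https://www.w3.org/ns/auth/acl#accessControl"
    println(parseLinks(lenient))
    println(linkValue("/.acl", "https://www.w3.org/ns/auth/acl#accessControl"))
  }
}
```

A rel value that itself contains a comma and an angle-bracketed URI is not a token either, so `linkValue` quotes it as a whole and `splitLinkValues` keeps it as one link-value instead of splitting it in two.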
