#TIL the query component of a URI is actually completely opaque.
-
oblomov@sociale.networkreplied to trwnh@mastodon.social last edited by
@trwnh hm I'm not convinced. The main issue is that neither POST nor PUT are conceptually appropriate. Among the methods defined by HTTP, GET is the one that's conceptually closest. OTOH, those *are* problems with using a query string. Maybe they could be reduced by other means, such as additional headers or body payload (GET *can* have a payload)
-
deepaklonnu@mastodon.socialreplied to trwnh@mastodon.social last edited by
@trwnh
ENENCE Instant Translator: Any Language, Any Country
https://shorturl.at/QSb7Z -
trwnh@mastodon.socialreplied to oblomov@sociale.network last edited by
@oblomov well POST is "do something" not necessarily "create something". https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.3
> process the representation enclosed in the request according to the resource's own specific semantics
imo "take this request, parse some params out of it, then perform the action" is a valid way of thinking about search.
as for GET,
> requests transfer of a current selected representation for the target resource
is often but not always appropriate. depends on if you see results as a resource.
-
trwnh@mastodon.socialreplied to trwnh@mastodon.social last edited by
and that's what it really comes down to imo -- the use of a query component fundamentally alters the identity, you are asking for a different resource when you append the query component. /search and /search?query are different resources.
-
vcvwvwvsw@mastodon.socialreplied to trwnh@mastodon.social last edited by
@trwnh
Greater than $20k in Credit Card Debt -- We Can Help
https://shorturl.at/toZJL -
oblomov@sociale.networkreplied to trwnh@mastodon.social last edited by
@trwnh oh good point, so if it's done by GET it *must* include the query parameters in the URL. And yeah, now I can see better why POST would be a better choice.
-
trwnh@mastodon.socialreplied to oblomov@sociale.network last edited by
@oblomov there is one advantage to GET and that is the ability to share search results by copypasting a link to someone else or using it as an href
-
at1st@mstdn.careplied to trwnh@mastodon.social last edited by
@trwnh @oblomov I'd add one additional benefit: they're infinitely easier to debug and test.
At least it's pretty common practice as I recall in Java EE to make an HttpServlet, generate doGet/doPost, and have doPost just call doGet, or vice versa.
Then GET URL calls let you diagnose what's being passed to which query parameter.
-
trwnh@mastodon.socialreplied to at1st@mstdn.ca last edited by
-
jbqueru@fosstodon.orgreplied to trwnh@mastodon.social last edited by
@trwnh No matter what assumption you make, you'll find some code out there that breaks that assumption. Everything web-related is a nightmare.
-
snowfox@tech.lgbtreplied to trwnh@mastodon.social last edited by
@trwnh My favourite part of that rabbit hole is that + is (erroneously?) not reserved in RFCs 1738 or 1630 (and 1630's second BNF production for "safe" includes +): https://datatracker.ietf.org/doc/html/rfc1738#page-20 https://datatracker.ietf.org/doc/html/rfc1630#page-26
This, along with the "and then" in HTML 2.0, results in enough ambiguity that space-plus could be encoded as "++" or "%2B%2B" depending on how you interpret the spec.
From RFC 1630, it looks like "search" strings were originally intended to represent space-separated (user-specified?) search terms, and I still occasionally see query strings that are bare search strings.
Another fun thing is that RFC 1808 adds generic ;-params separate from the query string (and RFC 2396 moves them to be part of path components), but they are rarely used in HTTP and were too late for HTML forms. (I'm not sure any RFC defines semantics for "directory" params, but they exist.)
-
charrondev@mastodon.socialreplied to trwnh@mastodon.social last edited by
@trwnh @AT1ST @oblomov and how is it any more “right” to obscure the thing that was searched for in your logs, to the user, and when sharing links?
I definitely see the case for a search API endpoint (not exposed to the user) being a POST (and elastic search does this), but our user facing search page is definitely a GET. Modified filters and the query text end up as query parameters.
Just because full text search is suddenly involved why is GET no longer appropriate?
-
trwnh@mastodon.socialreplied to charrondev@mastodon.social last edited by
@Charrondev @AT1ST @oblomov is /search?query=foo&limit=10 the same resource as /search?limit=10&query=foo to you? or is it two different resources with the same representation?
functionally it is about resource identity. calling POST /search with {“query”: “foo”, “limit”: 10} keeps it clear that the resource is /search. putting request params in the identity string is mixing concerns. this matters a lot more when designing protocols where uri equivalence is important. query normalization sucks.
-
trwnh@mastodon.socialreplied to snowfox@tech.lgbt last edited by
@snowfox technology
-
trwnh@mastodon.socialreplied to jbqueru@fosstodon.org last edited by
@jbqueru for my purposes i was just curious about what ActivityPub might need to consider. since query component is opaque and query parameters aren’t real, it falls on the protocol level to specify how query strings should be parsed or normalized, if at all.
i think for now we can mostly just say that query strings SHOULD NOT be produced in identifiers, and if they are, they SHOULD be consistent with some over the top protocol/profile that defines normalization and parsing rules for the query
-
trwnh@mastodon.socialreplied to trwnh@mastodon.social last edited by
@Charrondev @AT1ST @oblomov more to the point of protocol design: the straightforward recommendation is don’t use query strings, or at least have the decency to normalize them according to some external protocol/profile that defines and specifies parsing and normalization rules. but then your peers need to agree on the protocol or profile.
-
charrondev@mastodon.socialreplied to trwnh@mastodon.social last edited by
@trwnh @AT1ST @oblomov well one massive negative to exposing your search as POST only is they your edge network can’t cache similar responses.
The query normalization doesn’t matter because the web app will ensure queries are in a consistent order.
As an example if you do /api/user/search?name=a* (such as in a mention lookup) then we can cache this response on our edge.
Now technically you could also cache a POST, but most edge networks can’t cache by body.
-
at1st@mstdn.careplied to charrondev@mastodon.social last edited by
@Charrondev @trwnh @oblomov As I understand it, part of the problem is that the order of query parameters means that "search?query=foo&option=bar" caches differently than "search?option=bar&query=foo" - because if you don't do query normalization before caching, they "look" different to the cache.
-
at1st@mstdn.careplied to trwnh@mastodon.social last edited by
-
trwnh@mastodon.socialreplied to at1st@mstdn.ca last edited by
@AT1ST @oblomov right, html forms + cgi-bin popularized it massively
at least for my purposes though (personal services, protocol design) it is enough to say that we should avoid query components in identifiers or otherwise we must define a consistent way to normalize/canonize them.
more generally, identifiers SHOULD be expressed in normal form where possible to avoid issues like domain.example being different from domain.example/