Wirebird

Notes on using HTML and CSS to support a RESTful web site.
Karen Cravens, Tue Jul 1 2008 17:30
REST anti-patterns

Stefan Tilkov wrote an interesting article listing some REST anti-patterns.
Unfortunately, I make use of a few of these... though not without consideration.
#2: Tunneling everything through POST.
It's more commonly called "overloaded POST," and the problem is, it's still necessary if you support the browser as a REST client. (Decreasingly so, but still.) PUT and DELETE are not predictably, reliably supported.
Of course, Wirebird is perfectly happy to accept a real PUT or DELETE, so maybe that doesn't count. It still follows the idempotency rule, so a fully-compliant client could use a PUT confidently without having to put its trust in a mere overloaded-POST with a "method" parm set to "put".
#4: Ignoring status codes.
Purity yields to pragmatism again. Wirebird used to issue a full suite of error codes, until I realized that comment spammer robots don't recognize them. Only a 404 or 403 makes (some of) them stop hammering on forms. So the real errors are commented out, or it issues mutant things like "404 409 Conflict" and such. This makes me grumpy ("oh look, yet another perfectly useful Internet feature ruined by spammers"), but as the debug levels get turned down and performance improves, I'll probably turn the real status codes back on, and focus more on blacklisting griefers. Or maybe I'll just be more proactive and buy a sniper rifle.
#5: Misusing cookies.
Only a little. The authentication cookie, while it's called a session id, *only* holds a session ID... at the moment, essentially a temporary password. There again, that's because not very many browsers can handle authentication well. Eventually, for smarter browsers and other clients, there will be a proper authen protocol, and the form-based cookie stuff will be a fallback only. I don't think it'll be a really serious matter until Wirebird is less obscure; right now there's no real value in hacking someone's account, especially as long as we accept mailing-list posts. (Want to spam a mailing list? Just forge the email address of one of its authorized senders. No password required.)
On the plus side, I'm feeling relatively good about how I handle the other five anti-patterns.
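The overloaded-POST scheme from #2 above, as an added example that is not Wirebird's code: a small dispatcher that accepts a real PUT or DELETE, honours a `method=put|delete` form parameter only inside a POST body (never on a GET, so a plain link cannot change state), rejects any other override value instead of silently falling back, and keeps the tunnelled verbs idempotent. The `Store` class, the call signature and the form-field names (`method`, `text`) are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Methods that may be tunnelled through POST. GET/HEAD are never overridable.
TUNNELLABLE = {"PUT", "DELETE"}
FORM = "application/x-www-form-urlencoded"


def effective_method(method, content_type, body):
    """Resolve the verb a resource handler should act as.

    A real PUT/DELETE passes through unchanged. A form-encoded POST whose body
    carries method=put or method=delete is treated as that verb. Any other
    override value is rejected rather than quietly handled as a POST."""
    method = method.upper()
    if method != "POST":
        # A 'method' parameter on a GET is ignored: following a link must
        # never modify state, however the query string is shaped.
        return method
    if not content_type.startswith(FORM):
        return "POST"
    override = parse_qs(body).get("method", [""])[0].upper()
    if not override:
        return "POST"
    if override not in TUNNELLABLE:
        raise ValueError(f"disallowed method override: {override!r}")
    return override


class Store:
    """Toy resource store (assumed shape) showing that tunnelled PUT/DELETE
    behave exactly like the real verbs and remain idempotent."""

    def __init__(self):
        self.items = {}

    def handle(self, path, method, content_type="", body=""):
        verb = effective_method(method, content_type, body)
        if verb == "PUT":
            text = parse_qs(body).get("text", [""])[0]
            created = path not in self.items
            self.items[path] = text           # replaying the PUT changes nothing
            return 201 if created else 204
        if verb == "DELETE":
            self.items.pop(path, None)        # deleting an absent item still succeeds
            return 204
        if verb == "GET":
            return 200 if path in self.items else 404
        return 405  # a plain POST to an item resource is not supported here


def demo():
    s = Store()
    first = s.handle("/page", "POST", FORM, "method=put&text=hello")  # tunnelled PUT
    again = s.handle("/page", "PUT", FORM, "text=hello")              # real PUT, same state
    ignored = s.handle("/page", "GET", "", "method=delete")           # override ignored
    gone = s.handle("/page", "POST", FORM, "method=delete")           # tunnelled DELETE
    return first, again, ignored, gone, dict(s.items)
```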