Skip to content

profiles: handling mismatch between content-type and links.profile list of profiles #1359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

profiles: handling mismatch between content-type and links.profile list of profiles #1359

wants to merge 3 commits into from

Conversation

ethanresnick
Copy link
Member

As @wimleers pointed out in his original review of #1268, we don't currently say what happens when a different list of profiles is specified in the document (in links.profile) than in the Content-Type header.

I've been thinking about a bunch of options and have concluded that the solution I offered in my original response to Wim's comment — i.e., making any mismatch trigger a 400 — is the wrong way to go. One issue with that solution is that it only covers documents sent to the server; i.e., it doesn't cover how the client should process documents sent from the server that have the same mismatch. (We could say that the client must entirely discard such responses... but I'm not sure clients would actually do that.) Another problem with the 400 approach — and actually any approach that requires the recipient to read both lists of profiles — is that it introduces a preprocessing step (e.g., to check that the lists match), and we have to pay the cost of that preprocessing step on every request, even though a mismatch should be a very rare event. That seems like a bad idea.

So, my preferred approach at this point, which is embodied in this PR, is simply to treat links.profile as the definitive list of applied profiles in the event of any mismatch. By treating one list as definitive, recipients can simply ignore the other (no comparison step required), but we can keep both in the spec, which is nice because both bring something of value. (Specifically, if we removed the parameter on Content-Type, profile negotiation would look pretty asymmetrical; i.e., the client would use the profile parameter in Accept, but not get it back in the response. Meanwhile, links.profile is offering an elegant place to list profile aliases, which have to go in the document somewhere.)

I chose to treat links.profile as the definitive source because recipients have to look there anyway before processing the document (to check for aliases), so making that the only place they have to look to determine the applied profiles seemed to make the most sense.

Note: one small issue with making links.profile definitive is that the "missing a server-required profile error" from #1354 would probably have to be a 400 rather than a 415, because the required profile actually could be listed in Content-Type but still be "missing" if its not listed in links.profile. I think that's fine, but it means #1354 will have to be tweaked after this PR is merged.

Note 2: Wim also pointed out that we don't say what should happen when the client lists a profile in the profile query parameter that isn't in its Accept header. But I think that case is already covered implicitly, and the answer is that the server should pay attention to the query parameter. That's because JSON:API says that the profile query parameter lists required profiles -- while both HTTP and JSON:API say that a profile can be applied to a response document even if it isn't in the Accept header.

@ethanresnick ethanresnick added this to the JSON-API 1.1-beta milestone Dec 22, 2018
@wimleers
Copy link
Contributor

wimleers commented Jan 2, 2019
edited
Loading

have to pay the cost of that preprocessing step on every request

That's indeed a strong reason.

So, my preferred approach at this point, which is embodied in this PR, is simply to treat links.profile as the definitive list of applied profiles in the event of any mismatch. By treating one list as definitive, recipients can simply ignore the other

This seems like a pragmatic solution.

But also somewhat confusing, because in the ideal case, the same information is present twice in the same response (once in the header, once in the body). In the less-than-ideal case, it'd be different.

Perhaps we can at least ensure the ideal case by making a strong recommendation in the spec: recommending to compute the Content-Type response header on every response based on the value in the links.profile response document?

@ethanresnick
Copy link
Member Author

Perhaps we can at least ensure the ideal case by making a strong recommendation in the spec: recommending to compute the Content-Type response header on every response based on the value in the links.profile response document?

Given that the spec already (intends to) require that senders make the two lists of profiles identical, it feels a bit overboard to suggest that implementations meet that requirement in a particular way (e.g., by computing content-type from links), when they could just as reliably use some other strategy (e.g., compute links.profile from content-type).

However, I do think it was a bit unclear that the spec was requiring these lists to be identical, so I've added a commit clarifying that.

@wimleers
Copy link
Contributor

It may be valuable to explain the "why" in the new Identifying a Document's Profiles section — i.e. why did we pick this one and not the other? You've explained it in this issue. I'm saying that bringing that rationale into the spec may be valuable.

I think this is a step forward. Let's do this? 🚢

@ethanresnick ethanresnick requested a review from dgeb January 13, 2019 03:47
@ethanresnick
Copy link
Member Author

I think this is a step forward. Let's do this? 🚢
👍 Requesting @dgeb for review.

It may be valuable to explain the "why" in the new Identifying a Document's Profiles section

I'm feeling a bit swamped to think through the text of that right now, but would be totally open to a PR to that effect (either made directly to this different-profile-lists branch, or to gh-pages after this is merged).

auvipy
auvipy suggested changes May 3, 2020
View reviewed changes
Copy link

@auvipy auvipy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rebase, please

@auvipy
Copy link

auvipy commented Aug 30, 2021

@dgeb should this be closed?

@jelhan jelhan mentioned this pull request Feb 4, 2022
Merged
@bradjones1
Copy link
Contributor

Trying to help with some issue cleanup to help get 1.1 in release state.

links.profile was removed at https://github.com/json-api/json-api/pull/1484/files#diff-a80e2578f8c89d0702e3677e4f40fd400711ffd6be44a637a5e0b61560d378feL135 though I can find no information in the PR comments or related issues as to why. That being said, this isn't in the spec anymore so this is likely stale? There's no mismatch if there's no links.profile member to contradict the content-type?

@dgeb
Copy link
Member

dgeb commented May 8, 2022

Closing in favor of #1607, which addresses effectively the same issue for 1.1 in its current state.

@dgeb dgeb closed this May 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@auvipy auvipy auvipy requested changes

@dgeb dgeb Awaiting requested review from dgeb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.1
Development

Successfully merging this pull request may close these issues.
5 participants
@ethanresnick @wimleers @auvipy @bradjones1 @dgeb
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy