-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirect when accessing a container without trailing slash #1208
Comments
#server-authorization-redirect states (/TR/2021/protocol-20211217 and /TR/ED as of this writing):
(If request lacks valid authentication credentials or the provided credentials is refused, then 401.) If the word "authorize" in the requirement somehow got conflated with "401 Unauthorized" then I'm happy to update the text with what's intended, i.e., when access is denied due to permissions, which typically entails a 403. |
There's a comment in the code where we could add it: https://github.com/solid/community-server/blob/982d57e1d2812925b09353445a318d067a242943/src/storage/DataAccessorBasedStore.ts#L100 Doing it in that location has as consequence that we first do authorization on the wrong resource, and only if the agent has read access there would the redirect be thrown. Specifically:
If we want to only redirect to |
Would it be possible to have a better error message than |
I wrote a recommendation for server required/optional at linkeddata/rdflib.js#617 (comment) |
The required 404 is unfortunately not helpful to the client! At the very least, the error message saying "is a container" would be useful. |
404 is useful information because it gives the client a full stop. Consider the actual scenario in which the client ended up with the URI without the trailing slash. An error message with "is a container" information is a misapplication of the request/response semantics. There would be nothing for the client to do with that information unless further instructions are defined by a specification. Hence, if the server wanted to help the client automagically navigate to the proper location, it would use 301 (instead of introducing new payload instructions for a client). |
I am not literally saying "is a container" message, but something that will let the client know that it can try with Actually, I dislike the whole trailing slash business. But, I am trying to work out if there is any way that a client application can avoid a dead-end on servers that are lazily implemented. If we have a world with two sets of solid server, some that redirect and some that don't - users not being able to navigate some %age of time, this inconsistent expectation, is a broken experience. |
In the solution you're suggesting the client would need to process the response payload. It doesn't matter if the message "is a container" or a 10 GB RDF essay on what should happen. Bottom line is the same. That particular conformance model will need to be specified. Again, contrast that with 301 and Location header that every legitimate client under the sun already understands. How did the client get a hold of the URI without the trailing slash? Not found precisely reflects the request/response semantics. Redirect is not required for interop. If the need to let the client know the URI with the slash is so desired, redirect would be appropriate especially if the URI without the trailing slash was advertised by the server at some point in the past. |
Sure. I am not arguing with that (or with you). I am just trying to see if there is an iota of possibility of consistency for the client across all solid servers. Ideally, I would like all servers to redirect or similar. But clearly the 404 option means that there are two different behaviours that implementations can choose from. The same type of client request leads to two different outcomes.
That's besides the point, it could be a typo for all I care. But it certainly has a non-zero probability. Also, @csarven I get that you are passionate, but please be calm and empathetic to where someone else's concerns are coming from (even if you think that the concern is irrelevant or misguided), That's why I tried to speak to you in private first, where you chose not to respond, forcing my hand into making public comments instead. But when you are having the conversation in public, this unnecessary invocation of hyperbole is just not on and the lack of technical empathy makes public engagement difficult. |
There are always going to be additional considerations that the server and the URI owner may want to take into account. Which is why there is a degree of variability in specs. The 404 case is stronger than 301. 301 is more complex to implement and maintain than 404. With the exception of the URI of a resource legitimately changing, the server has no obligation to make that mapping (and commitment thereof). The typo scenario is a human-error, not client. The conformance model is set for clients and servers. 301 is mentioned in the Solid Protocol as some guidance. It could be dropped and it would not change interop. If a server wants to taken typos into account with a 301, they can, but that is not a significant reason for all servers to behave that way. I see no issue with some servers sticking to 404. Again, that's precisely the request/response. And I see no issue with some servers taking the 301 route (and possibly 200 as mentioned in the link earlier for some cases) whenever they need to for any given resource. That's all part of a normal implementation of HTTP specs. It is what also what the Architecture of the World Wide Web tells us. |
As for your last paragraph, happy to pick this up elsewhere:
|
Current behavior:
Desired behavior:
However, we should be careful about the first case. A
401
(or404
) should probably still be given forhttps://drive.verborgh.org/private
in order to not leak information about the thing being a container (although that does not seem major).The text was updated successfully, but these errors were encountered: