Closed Bug 783598 Opened 13 years ago Closed 11 years ago

Make conditions required response easier to detect

Categories

(Cloud Services Graveyard :: Server: Token, defect)

Product:
Cloud Services Graveyard
Component:
Server: Token
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED WONTFIX

People

(Reporter: gps, Unassigned)

References

Details

(Whiteboard: [qa+])

The current "conditions required" HTTP response looks like: 200 OK Content-Type: application/json {"status": 403, "errors": [{"description": "Need to accept conditions", "location": "body", "name": ""}], "urls": {"tos": "http://example.com"} } The heuristic for clients to detect this involves 3 steps: 1) Status == 403 2) Content-Type is application/json 3) JSON body contains "urls" field One issue is the generic "urls". At the least I think this should be "conditions_urls" or similar. The reason is I can see some other error handler recycling "urls" for its own use (it is generic, after all). That would throw off clients. Secondly, I don't like that the token server response message type is being determined by the presence of a field specific to that type. In other words, we are looking for traits to identify response message types instead of looking at a messageType field, different media type, other response header, etc. If we did this, my concern about "urls" would go away. While I have these concerns for all HTTP APIs, I am more concerned about it for 4xx and 5xx status codes. From my experience, misconfigured or misbehaving servers often will generate their own 4xx and 5xx response messages. In the absence of a clear and identifying property of the response, it is all too easy for clients to confuse actual token server responses with those generated by intermediate HTTP agents. This will cause client bugs. So, what I guess I'm asking for is something in the HTTP response that says without a doubt that the "conditions required" payload is actually that.
Blocks: 784592
Whiteboard: [qa+]
I propose something like the following: 403 Forbidden Content-Type: application/json {"status": 403, "errors": [{"description": "Need to accept conditions", "location": "header", "name": "X-Conditions-Accepted", "error_code": 42, "condition_urls": {"tos": "http//example.com}, }], } Key changes: * The location of the error is a specific header, not "body", so set the fields on the error object to reflect that. * The "urls" field belongs to one specific error, so it should live inside the specific error object rather than at the top level. Also renamed, although I think that's less of an issue after moving it. * Added an "error_code" field to the error object. This is not strictly necessary in this case because the error already identifies the specific header at fault. But for other cases it may be useful for machines to distinguish between e.g. "the header was missing" and "the header was malformed". Thoughts?
+1
+1 for this as well. The error_code thing should go in a different issue IMO.
Assignee: nobody → alexis
Status: NEW → ASSIGNED
r+
I have filed Bug 786523 to track the addition of an error_code field.
These were committed in relevant repos, closing out this bug.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
I am tentatively re-opening this in light of Bug 792674.
Status: RESOLVED → REOPENED
Depends on: 792674
Resolution: FIXED → ---
No longer blocks: 784592
Linking to sync+fxa bugtree for consideration, although I suspect we'll triage it back out in short order.
Blocks: 956217
conditions-accepted was removed from tokenserver 1.0 spec, unblocking the metabug
No longer blocks: 956217
Assignee: alexis+bugs → nobody
conditions-required is no longer required, I think we can just delete this.
Status: REOPENED → RESOLVED
Closed: 13 years ago11 years ago
Resolution: --- → WONTFIX
OK. Good.
Status: RESOLVED → VERIFIED
Product: Cloud Services → Cloud Services Graveyard
You need to log in before you can comment on or make changes to this bug.