Redirect GET to POST

9 messages

Redirect GET to POST

Aaron Dalton
I'm using the MethodDispatcher to create a RESTful API. I have a GET endpoint that returns a form that then POSTs to another endpoint. In one particular case, I want that GET endpoint to auto-redirect to the POST endpoint with prefilled data. How can I accomplish this?

--
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/cherrypy-users.
For more options, visit https://groups.google.com/d/optout.

Re: Redirect GET to POST

Joseph S. Tate
Don't. Make that first GET endpoint a POST endpoint and do the work there directly. Why do two requests when one will do?


On Tue, Jun 13, 2017 at 12:31 PM Aaron Dalton <[hidden email]> wrote:
I'm using the MethodDispatcher to create a RESTful API. I have a GET endpoint that returns a form that then POSTs to another endpoint. In one particular case, I want that GET endpoint to auto-redirect to the POST endpoint with prefilled data. How can I accomplish this?


Re: Redirect GET to POST

Aaron Dalton
To be specific, I'm implementing oauth. When a third party requests access on behalf of the user, the user needs to see and approve the permissions the third party is requesting. That's the form generated by the GET. The user's response then gets POSTed to the authorizer endpoint that actually returns a valid access token (or not). But for the official front end, I want to streamline it so it gets auto-authorized.

The simplest way I can see while maintaining the consistency of the workflow and isolation of the code is to redirect in this GET code to the POST point. Is it simply not possible to do?

On Tuesday, 13 June 2017 10:35:57 UTC-6, Joseph Tate wrote:
Don't. Make that first GET endpoint a POST endpoint and do the work there directly. Why do two requests when one will do?



Re: Redirect GET to POST

Joseph S. Tate
So you want to bypass the user's consent?



On Tue, Jun 13, 2017 at 12:57 PM Aaron Dalton <[hidden email]> wrote:
To be specific, I'm implementing oauth. When a third party requests access on behalf of the user, the user needs to see and approve the permissions the third party is requesting. That's the form generated by the GET. The user's response then gets POSTed to the authorizer endpoint that actually returns a valid access token (or not). But for the official front end, I want to streamline it so it gets auto-authorized.

The simplest way I can see while maintaining the consistency of the workflow and isolation of the code is to redirect in this GET code to the POST point. Is it simply not possible to do?


On Tuesday, 13 June 2017 10:35:57 UTC-6, Joseph Tate wrote:
Don't. Make that first GET endpoint a POST endpoint and do the work there directly. Why do two requests when one will do?



Re: Redirect GET to POST

Aaron Dalton
That sounds so nefarious! But yes, in the one single case where it's the official, sanctioned front end accessing the API, I want to save the click. The front end is a single-page app hosted on a completely different machine. But the API is also accessible to third-party developers.

On Tuesday, 13 June 2017 11:38:36 UTC-6, Joseph Tate wrote:
So you want to bypass the user's consent?



Re: Redirect GET to POST

Joseph S. Tate
Then don't you just redirect back to the return url? That's not your job to post that data as the authenticating agency. Your app that is the recipient of the redirect can issue auth tokens on a GET. That's not something that requires a POST.

Joseph

On Tue, Jun 13, 2017 at 2:05 PM Aaron Dalton <[hidden email]> wrote:
That sounds so nefarious! But yes, in the one single case where it's the official, sanctioned front end accessing the API, I want to save the click. The front end is a single-page app hosted on a completely different machine. But the API is also accessible to third-party developers.


On Tuesday, 13 June 2017 11:38:36 UTC-6, Joseph Tate wrote:
So you want to bypass the user's consent?



Re: Redirect GET to POST

Aaron Dalton
Let's get back to my initial question: 

Using MethodDispatcher, is it possible in a GET handler to redirect to a POST handler? I'm assuming it is not, given that nobody has said either way.

Based on that, then yes, I will have to find another solution, likely involving creating a different endpoint for this one case and refactoring some of the code to avoid duplication.

To answer your question, the POST in this case is necessary because the user needs to see what specific permissions the client is requesting and have the opportunity to back out or adjust those before approving the token.

- User clicks Log In button in whatever client (GET to initial oauth endpoint, which establishes a session and redirects to the main login page)
- User logs in (using password, Google, Facebook, whatever) (ultimately a POST to the core auth endpoint, though in a roundabout way if logging in with Google or something)
- User redirected to a page providing details on the client requesting access, what permissions they're requesting, and whatever other instructions they need to understand what's happening (GET to the authorization endpoint)
  - This is the step I want to skip if it's the official client trying to log in.
- User makes final decision as to the permissions to grant (POST to authorization endpoint)
- User is redirected to the authorized return URL with the token

On Tuesday, 13 June 2017 15:53:14 UTC-6, Joseph Tate wrote:
Then don't you just redirect back to the return url? That's not your job to post that data as the authenticating agency. Your app that is the recipient of the redirect can issue auth tokens on a GET. That's not something that requires a POST.



Re: Redirect GET to POST

Joseph S. Tate
Not sure if you figured this out yet, but you could probably quickly write a proxy using the requests module to do this, but you won't get the cookies right. In short, CherryPy (nor nginx) can handle GET to POST redirects as far as I know. You might be able to coerce InternalRedirect to do what you want, or call the POST class method directly from the GET handler (all handlers in cherrypy are just methods after all and none of the default decorators directly modify the response object).

I haven't read the OAuth spec for this specific use case, but it doesn't pass my smell test. Seems like there should be 1) an optimization when there's no third party to authenticate against so that your POST happens one step earlier, or 2) there be no requirement to use OAuth since you're not doing a three way handshake. Facebook doesn't redirect you to a third party at all to log in, neither does github. Launchpad does, but that's because it's a separate website/service, and poorly implemented IMHO.

In any case, good luck, and I'd be interested to know what you figure out.

Joseph


On Wed, Jun 14, 2017 at 8:16 AM Aaron Dalton <[hidden email]> wrote:
Let's get back to my initial question: 

Using MethodDispatcher, is it possible in a GET handler to redirect to a POST handler? I'm assuming it is not, given that nobody has said either way.

Based on that, then yes, I will have to find another solution, likely involving creating a different endpoint for this one case and refactoring some of the code to avoid duplication.

To answer your question, the POST in this case is necessary because the user needs to see what specific permissions the client is requesting and have the opportunity to back out or adjust those before approving the token.

- User clicks Log In button in whatever client (GET to initial oauth endpoint, which establishes a session and redirects to the main login page)
- User logs in (using password, Google, Facebook, whatever) (ultimately a POST to the core auth endpoint, though in a roundabout way if logging in with Google or something)
- User redirected to a page providing details on the client requesting access, what permissions they're requesting, and whatever other instructions they need to understand what's happening (GET to the authorization endpoint)
  - This is the step I want to skip if it's the official client trying to log in.
- User makes final decision as to the permissions to grant (POST to authorization endpoint)
- User is redirected to the authorized return URL with the token


On Tuesday, 13 June 2017 15:53:14 UTC-6, Joseph Tate wrote:
Then don't you just redirect back to the return url? That's not your job to post that data as the authenticating agency. Your app that is the recipient of the redirect can issue auth tokens on a GET. That's not something that requires a POST.



Re: Redirect GET to POST

Aaron Dalton-2
Thanks, Joe. You are correct that in an ideal situation, the official front end would have a separate channel. It just made a lot of sense at the time to use the same flow as third-party clients. The front end is a completely different machine from the API server.

What I've decided to do is short circuit in that first POST that happens to the core auth endpoint after they log in. Instead of redirecting them to the GET of the authorization endpoint, if it's the official front end trying to authenticate, it will simply return with the tokens. It just means factoring out some code to avoid duplication.

I appreciate your time.
Aaron

On 2017-06-16 9:04 PM, Joseph S. Tate wrote:
Not sure if you figured this out yet, but you could probably quickly write a proxy using the requests module to do this, but you won't get the cookies right. In short, CherryPy (nor nginx) can handle GET to POST redirects as far as I know. You might be able to coerce InternalRedirect to do what you want, or call the POST class method directly from the GET handler (all handlers in cherrypy are just methods after all and none of the default decorators directly modify the response object).

I haven't read the OAuth spec for this specific use case, but it doesn't pass my smell test. Seems like there should be 1) an optimization when there's no third party to authenticate against so that your POST happens one step earlier, or 2) there be no requirement to use OAuth since you're not doing a three way handshake. Facebook doesn't redirect you to a third party at all to log in, neither does github. Launchpad does, but that's because it's a separate website/service, and poorly implemented IMHO.

In any case, good luck, and I'd be interested to know what you figure out.

Joseph


On Wed, Jun 14, 2017 at 8:16 AM Aaron Dalton <[hidden email]> wrote:
Let's get back to my initial question: 

Using MethodDispatcher, is it possible in a GET handler to redirect to a POST handler? I'm assuming it is not, given that nobody has said either way.

Based on that, then yes, I will have to find another solution, likely involving creating a different endpoint for this one case and refactoring some of the code to avoid duplication.

To answer your question, the POST in this case is necessary because the user needs to see what specific permissions the client is requesting and have the opportunity to back out or adjust those before approving the token.

- User clicks Log In button in whatever client (GET to initial oauth endpoint, which establishes a session and redirects to the main login page)
- User logs in (using password, Google, Facebook, whatever) (ultimately a POST to the core auth endpoint, though in a roundabout way if logging in with Google or something)
- User redirected to a page providing details on the client requesting access, what permissions they're requesting, and whatever other instructions they need to understand what's happening (GET to the authorization endpoint)
  - This is the step I want to skip if it's the official client trying to log in.
- User makes final decision as to the permissions to grant (POST to authorization endpoint)
- User is redirected to the authorized return URL with the token


On Tuesday, 13 June 2017 15:53:14 UTC-6, Joseph Tate wrote:
Then don't you just redirect back to the return url? That's not your job to post that data as the authenticating agency. Your app that is the recipient of the redirect can issue auth tokens on a GET. That's not something that requires a POST.
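
An added example, not part of the original thread: no HTTP redirect status turns a GET into a POST (303 makes the follow-up a GET, 307/308 keep the original method), so the consent skip discussed above ends up as a direct call into logic shared by both handlers. This sketch keeps the MethodDispatcher resource shape but imports no CherryPy; the client registry, the `first_party` flag, the `session` dict and all URLs are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed registry: "first_party" is set by the server operator, never by the request.
CLIENTS = {
    "official-spa": {"redirect_uris": {"https://app.example.test/cb"},
                     "scopes": {"profile", "orders"}, "first_party": True},
    "partner-app": {"redirect_uris": {"https://partner.example.test/cb"},
                    "scopes": {"profile"}, "first_party": False},
}

class AuthError(Exception):
    pass

def validate(client_id, redirect_uri, scope):
    """Exact-match the redirect URI and bound the scopes before anything else."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise AuthError("unknown client or unregistered redirect_uri")
    requested = set(scope.split())
    if not requested or not requested <= client["scopes"]:
        raise AuthError("scope not allowed for this client")
    return client, requested

def grant(redirect_uri, scopes, state):
    """Shared by GET and POST; 'code' stands in for whatever the server issues."""
    params = {"code": secrets.token_urlsafe(16), "scope": " ".join(sorted(scopes)), "state": state}
    return 303, redirect_uri + "?" + urlencode(params)

class Authorize:
    exposed = True  # marks the resource as exposed, MethodDispatcher style

    def __init__(self):
        self.session = {}  # stand-in for the per-user server-side session

    def GET(self, client_id, redirect_uri, scope, state):
        client, requested = validate(client_id, redirect_uri, scope)
        if client["first_party"]:
            return grant(redirect_uri, requested, state)  # consent screen skipped
        token = secrets.token_urlsafe(16)
        self.session["pending"] = (token, redirect_uri, frozenset(requested), state)
        return 200, {"consent_token": token, "scopes": sorted(requested)}

    def POST(self, consent_token, approved):
        pending = self.session.pop("pending", None)  # single use
        if pending is None or not hmac.compare_digest(
                pending[0].encode(), consent_token.encode()):
            raise AuthError("no matching consent request")
        _, redirect_uri, requested, state = pending
        granted = set(approved.split()) & requested  # user may narrow, never widen
        if not granted:
            raise AuthError("user approved nothing")
        return grant(redirect_uri, granted, state)
```

Because the skip is keyed on the registered client and its exact redirect URI, a third party that sends the official `client_id` with its own return URL is rejected before any grant is made.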



