1

I have a REST (or almost REST) web api,
I want the API users to be able to use all the api, even if for some reason the can only make GET calls, so the plan is to accept a url parameter (query string) like request_method that can be GET (default) or POST, PUT, DELETE and I want to route them.

My question is other than the standard request handler overrides and checking in each httpRequestHandler in the get(self) method if this is meant to be a POST, PUT, DELETE and calling the appropriate functions, is there a way to do this "routing" in a more general way, like in the URL patterns in the application definition or overriding a routing function or something?

To make it clear, these requests are all coming over GET with a parameter for example like ?request_method=POST

Any suggestions is appreciated.

Possible Solutions:

  • only have a ".*" url pattern and handle all the routing in a single RequestHandler. Should work fine, except that I won't be taking advantage of the url pattern matching features of Tornado.

  • add an if to all the get(self) methods in all the request handlers and check if the request should be handled by get if not, call the relevant method.

Ali
  • 18,665
  • 21
  • 103
  • 138
  • 1
    Once you circumvent the standard `GET`, `POST`, `PUT`, `DELETE` functionality, you no longer have a ReSTful API. Just for context on the framework, there are some good answers [here](http://stackoverflow.com/questions/671118/what-exactly-is-restful-programming). What are some reasons that API users would be restricted to `GET` requests? – Bryan Jan 29 '13 at 19:39
  • I think there are quite a few reasons to provide GET alternatives, one of them being if people want to do cross domain JSONP calls, which is not possible with POST. – Ali Jan 29 '13 at 21:09

1 Answers1

2

This would be a very foolish thing to do. Both Chrome and Firefox, along with many other web user agents, will speculatively fetch (GET) some or all of the links on a page, including your request_method=DELETE URLs. You will find your database has been emptied out just because someone was looking around. Do not deliberately break HTTP. GET is defined to be a "safe" method, meaning it's okay to GET any URL you like and nothing bad will happen.

EDIT for others in similar situations:
The OP says he is using JSONP and is in control of both the API server and the client web app. In such a case the ideal solution is Cross-Origin Resource Sharing (CORS, spec), although this technology requires IE8+, Firefox 3.5+, Safari 4+ or Chrome 3+. If you need to target earlier browsers, and you control both domains, I would recommend merging the content of the two domains at least for your own client web app. The api domain can remain for external clients, but they would be restricted by the CORS browser requirements.

Nicholas Shanks
  • 10,623
  • 4
  • 56
  • 80
  • Thanks, I understand this, and similar issues with bots and crawlers, but what is the solution to he original problem? You can't make a post jsonp call cross domains. – Ali Jan 30 '13 at 12:56
  • JSONP is a dead-end technology. Can you explain a bit more about the two websites in question. Which API is yours (or are they both yours?). Can CORS not be used instead? – Nicholas Shanks Jan 30 '13 at 14:48
  • Both the API server and the web app are ours, I am mostly responsible for the API side. – Ali Jan 30 '13 at 15:40
  • That's great, so then [you can use CORS](https://www.google.com/search?q=CORS) to allow requests on the API service's domain from the web app's domain. This permits use of all HTTP methods and you don't have to maintain the coupling between the JSONP request and the Javascript callback function. I don't know how it would work in Python, but if you were using jQuery, the AJAX jqXHR.success() method will be executed when the data is returned. Put your JSONP function code in there. – Nicholas Shanks Jan 31 '13 at 09:50