
Why does the API respond with keys like this?

    "this": "succeeded",
    "by": "getting",
    "the": "dweets"
It's cute that it's human readable but one would have to write awkward code like:

    if response['this'] == 'succeeded': print(response['with'])


Agreed, in the code-readability sense it's a little on the strange side, but I wouldn't call it completely nonsense either. My thinking behind the design was that developers are a lot easier to deal with than end-users/laypeople who you might rely on to help debug things. Besides, it's easy enough to write wrapper functions or use DEFINE (in the case of C/C++) to make the code more code-readability-friendly.

Nothing is perfect for everyone, and I think the response is probably the least important aspect of HAPI. The biggest bang for the buck in my mind is self documenting URLs and support for only HTTP-GET verbs. Just my $0.02 :)


I don't understand why you insist that changing operations like create, update and delete should be HTTP GET. That is a security nightmare.


It depends on what you want to support. I've done similar as I was working on platforms that didn't actually support POST/PUT/DELETE. However, you then have to contend with misbehaving caching too.


Seriously? Look at the HTTP protocol and tell me you really believe that.

Their way:

    DELETE /something HTTP/1.1

My way:

    GET /delete/something HTTP/1.1

Do you really think one is more secure than the other?


Yes, because browser implementations do not allow casual DELETE requests. There is a reason the standard says not to use GET for destructive changes.


So let's not call it a security issue then. Let's call it an "it's too easy to delete" issue. And if that's the case, then that's what we're going for— easy. Remember, if you were truly protecting something that was secure then you would require a security token parameter— which BTW is something we're planning in the next rev, for people who want to protect their machines.

If I was phishing to get you to click on a link to delete a resource, then I would need to know that token, and if I knew that token, then I could just delete it myself. Note that the HAPI spec discourages the use of cookies (which I agree could allow a phishing attack if you were using cookies as a security mechanism).
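The distinction argued over above (DELETE vs. GET /delete/..., and a token as the gate), as an added example that is not part of the thread or of HAPI: a small request handler that refuses state changes over GET, because a GET URL can be fetched by a link, image tag, prefetcher or crawler without the user intending anything, and that checks a per-client token for unsafe methods. The token name, the header name and the path prefixes are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical per-client token, constructed here; a real service would
# issue one per device/key and keep it server-side.
CLIENT_TOKEN = secrets.token_hex(16)

# HAPI-style path prefixes that spell out a state change in the URL
# (assumed; the thread only shows /delete/...).
UNSAFE_GET_PREFIXES = ("/delete/", "/create/", "/update/")


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def handle(method: str, path: str, headers: dict) -> Response:
    """Route one request, enforcing HTTP method semantics plus a token."""
    method = method.upper()
    no_store = {"Cache-Control": "no-store"}  # keep proxies from replaying any of this
    # GET must be safe (RFC 7231 section 4.2.1): never change state just
    # because the URL was fetched, however the fetch was triggered.
    if method == "GET":
        if path.startswith(UNSAFE_GET_PREFIXES):
            return Response(405, "state-changing operations are not accepted over GET",
                            {"Allow": "DELETE", **no_store})
        return Response(200, f"read {path}", no_store)
    # Unsafe methods need proof the caller holds the token. It is read from a
    # header rather than the query string so it does not end up in access
    # logs, browser history or Referer headers alongside the URL.
    supplied = headers.get("X-Api-Token", "")
    if not hmac.compare_digest(supplied, CLIENT_TOKEN):
        return Response(401, "missing or invalid token", no_store)
    if method == "DELETE":
        return Response(200, f"deleted {path}", no_store)
    return Response(405, f"unsupported method {method}", {"Allow": "GET, DELETE", **no_store})
```

A cross-origin DELETE from a browser page additionally triggers a CORS preflight, which is the "browsers don't allow casual DELETE requests" point made above; a GET link needs none of that.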


It also limits the request size to something like 4K.



