Readit News
TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
Scarblac · 2 months ago
There is, it's bad. Luckily votes aren't very crucial.
TekMol · 2 months ago
Votes are crucial. HN goes to great lengths to prevent votes that do not stem from real user intent.

See this post for example:

https://news.ycombinator.com/item?id=22761897

Quotes:

"Voting ring detection has been one of HN's priorities for over 12 years"

"I've personally spent hundreds of hours working on this"

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
Scarblac · 2 months ago
That runs into CORS protections though.

CORS is a lot less strict around GET as it is supposed to be safe.

TekMol · 2 months ago
Nope, it would not have been prevented by CORS.

CORS prevents reading from a resource, not sending the request.

If you find that surprising, consider that the JS could also have, for example, created a form with the vote page as the target and clicked on the submit button. All completely unrelated to CORS.
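
Since the browser sends the request regardless of CORS, the refusal has to happen on the server. The sketch below is an added example, not part of the thread and not HN's code: it decides whether a state-changing request may proceed from the `Sec-Fetch-Site`, `Origin` and `Referer` headers. `OWN_ORIGIN`, `allow_state_change` and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OWN_ORIGIN = "https://forum.example"  # assumed origin of the site being protected

def origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it has no origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def allow_state_change(headers, own_origin=OWN_ORIGIN):
    """Server-side decision for a request that would mutate data.

    The browser has already sent the request by the time this runs, so the
    server is the only place where it can be refused.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. Fetch Metadata: set by the browser, not settable by page script.
    site = h.get("sec-fetch-site")
    if site is not None:
        # "none" means user-initiated (typed URL, bookmark).
        return site in ("same-origin", "none")
    # 2. Older browsers: Origin accompanies form posts and fetch() writes.
    origin = h.get("origin")
    if origin is not None:
        return origin == own_origin
    # 3. Last resort: Referer, compared by origin only.
    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) == own_origin
    # No provenance at all: refuse rather than guess.
    return False

# Constructed sample requests (header dicts), not captured traffic.
SAMPLES = {
    "same-origin fetch": {"Sec-Fetch-Site": "same-origin", "Origin": OWN_ORIGIN},
    "form auto-submitted by another site": {"Sec-Fetch-Site": "cross-site",
                                            "Origin": "https://other.example"},
    "link followed from another site": {"Sec-Fetch-Site": "cross-site"},
    "older browser, foreign Origin": {"Origin": "https://other.example"},
    "older browser, own Referer": {"Referer": OWN_ORIGIN + "/item?id=1"},
    "URL typed into the address bar": {"Sec-Fetch-Site": "none"},
}

def decisions():
    """Map each sample name to True (allowed) or False (refused)."""
    return {name: allow_state_change(h) for name, h in SAMPLES.items()}
```

Refusing requests that carry none of the three headers also turns away non-browser clients, so an API meant for scripts needs its own credential check instead of this one.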

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
buzzy_hacker · 2 months ago
TekMol · 2 months ago
The same would have worked with a POST endpoint.

The story URL would only have to point to a web page that creates the upvote POST request via JS.

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
Scarblac · 2 months ago
Bots, browsers that preload URLs, caching (both browser and backend and everything in between), the whole infrastructure of the Web that assumes GET never mutates and is always safe to repeat or serve from cache.

Using GET also circumvents browser security stuff like CORS, because again the browser assumes GET never mutates.

TekMol · 2 months ago
So why is there no problem with vote/flag/vouch on HN being GET endpoints?

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
Pooge · 2 months ago
That any bot crawling your website is going to click on your links and inadvertently mutate data.

Reading your original comment I was thinking "Sure, as long as you have a good reason of doing it this way anything goes" but I realized that you prefer to do it this way because you don't know any better.

TekMol · 2 months ago
If you rely on the HTTP method to authenticate users to mutate data, you are completely lost. Bots and humans can send any method they like. It's just a string in the request.

Use cookies and auth params like HN does for the upvote link. Not HTTP methods.
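
One way a cookie plus `auth` parameter check can be built, as an added example that is not part of the thread: the token is an HMAC over the session, the item and the action, and the handler reaches the same decision whatever method string arrives. How HN derives its own `auth` value is not stated on this page; `SERVER_KEY`, `SESSIONS`, `vote_token` and `handle_vote` are hypothetical names.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # placeholder; a real key is random and secret
SESSIONS = {"s-alice": "alice", "s-bob": "bob"}   # constructed session store

def vote_token(session_id, item_id, how, key=SERVER_KEY):
    """Token bound to one session, one item and one action."""
    msg = f"{session_id}\x1f{item_id}\x1f{how}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def handle_vote(method, cookies, params, key=SERVER_KEY):
    """Return an HTTP status for a vote request.

    `method` is accepted but never consulted for authorization: it is
    caller-chosen text and proves nothing about who is asking.
    """
    session_id = cookies.get("session", "")
    if session_id not in SESSIONS:
        return 401                      # no valid session cookie
    how = params.get("how")
    item = params.get("id", "")
    if how not in ("up", "down") or not (item.isascii() and item.isdigit()):
        return 400
    expected = vote_token(session_id, item, how, key)
    supplied = params.get("auth", "")
    # Constant-time comparison on bytes; also tolerates non-ASCII input.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403                      # missing, forged, or bound to another session/item
    return 200

def demo():
    """Run constructed requests through the handler and collect the statuses."""
    item = "44507373"                   # item id from the vote URL quoted on this page
    alice = {"session": "s-alice"}
    good = {"id": item, "how": "up", "auth": vote_token("s-alice", item, "up")}
    return {
        "alice, own token, GET": handle_vote("GET", alice, good),
        "alice, own token, POST": handle_vote("POST", alice, good),
        "alice, no token": handle_vote("POST", alice, {"id": item, "how": "up"}),
        "alice, token reused on another item": handle_vote("GET", alice, {**good, "id": "1"}),
        "bob, alice's token": handle_vote("GET", {"session": "s-bob"}, good),
        "no cookie": handle_vote("POST", {}, good),
    }
```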

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
Scarblac · 2 months ago
If you type it into the URL bar, it will use GET.

Surely you're not advocating mutating data with GET?

TekMol · 2 months ago
What's your problem with it?

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
jaapz · 2 months ago
This is great for APIs that only have a few actions that can be taken on a given resource.

REST APIs then are especially suited for acting as a gateway to a database, to easily CRUD and fetch lists of information.

The best APIs I've seen mix and match both patterns. RESTful API endpoints for data, "function call" endpoints for often-used actions like voting, bulk actions and other things that the client needs to be able to do, but you want the API to be in control of how it is applied.

TekMol · 2 months ago
Can you give an example of an endpoint where you would prefer a "RESTful API endpoint"?

TekMol commented on Most RESTful APIs aren't really RESTful   florian-kraemer.net//soft... · Posted by u/BerislavLopac
TekMol · 2 months ago
You know what type of API I like best?

    /draw_point?x=7&y=20&r=255&g=0&b=0
    /get_point?x=7&y=20
    /delete_point?x=7&y=20

Because that is the easiest to implement, the easiest to write, the easiest to manually test and tinker with (by writing it directly into the URL bar), the easiest to automate (curl .../draw_point?x=7&y=20). It also makes it possible to put it into a link and into a bookmark.

This is also how HN does it:

    /vote?id=44507373&how=up&auth=...

TekMol commented on WASM Agents: AI agents running in the browser   blog.mozilla.ai/wasm-agen... · Posted by u/selvan
m13rar · 2 months ago
From a quick gander. WASM is not to talk to the servers. WASM can be utilized to run AI Agents to talk to local LLMs from a sandboxed environment through the browser.

For example in the next few years if Operating System companies and PC producers make small local models stock standards to improve the operating system functions and other services. This local LLM engine layer can be used by browser applications too and that being done through WASM without having to write JavaScript and using WASM sandboxed layer to safely expose this system LLM Engine Layer.

TekMol · 2 months ago
No matter if the LLM is on the same machine or elsewhere, why would you need WASM to talk to it and not just JS?

TekMol commented on Poor Man's Back End-as-a-Service (BaaS), Similar to Firebase/Supabase/Pocketbase   github.com/zserge/pennyba... · Posted by u/dcu
gavmor · 2 months ago
> Hey, you are trying to save your data but the data on disk is newer than when you loaded it

You're suggesting an actual API-facilitated data sync via Dropbox? Sure, but at that point why? Unless the data also needs to be read by 3rd party applications, might as well host it myself.

TekMol · 2 months ago
Sure. You brought up Dropbox. Not me.

u/TekMol

Karma: 9453 · Cake day: July 26, 2016
About
In love with technology