feat: add HTTP QUERY method support#10376
Conversation
datamweb
left a comment
There was a problem hiding this comment.
Overall, I like this PR.
- Add QUERY to HTTP method constants, routing, CURLRequest, and feature tests - Treat QUERY as raw-body input for validation and form requests - Document QUERY routing, request testing, and CURLRequest usage - Add coverage for routing, CSRF behavior, request input, and test helpers Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
0e10ab7 to
e8558cf
Compare
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
michalsn
left a comment
There was a problem hiding this comment.
I think two things should be addressed:
-
Page cache must not cache
QUERYusing the currentmethod+URIkey.QUERYrequest content is part of the request, socachePage()can serve one request body response to another body on the same URI. -
The behavior change for existing
$routes->add()routes should be documented.
Skip PageCache for QUERY requests because request content is part of the QUERY semantics and the current cache key only includes method and URI. - document the routes->add() CSRF behavior change for QUERY - clarify CURLRequest::query() versus the query request option - document that PageCache does not cache QUERY responses - add focused PageCache tests for QUERY requests Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
|
Thanks for the review @michalsn. PageCache now skips |
michalsn
left a comment
There was a problem hiding this comment.
After reading RFC 10008 more closely, I have two thoughts, which are candidates for follow-up PRs.
Servers MUST fail the request if the Content-Type request field ([HTTP], Section 8.3) is missing or is inconsistent with the request content.
The user guide currently leaves this to the developer, which is acceptable for initial method support, but long-term we should probably provide a first-class way to enforce accepted QUERY content types / 415 / 422 behavior.
The cache key for a QUERY request (Section 2 of [HTTP-CACHING]) MUST incorporate the request content (Section 6 of [HTTP-CACHING]) and related metadata (Section 8 of [HTTP]).
Now, we safely disables QUERY page caching, which fixes the current issue. But eventually we probably should implement body-aware QUERY cache support instead.
Description
This PR proposes adding support for the HTTP
QUERYmethod defined by RFC 10008.QUERYfills a long-standing gap betweenGETandPOST.GETis the right semantic fit for read-only requests, but it pushes all query data into the URL. That works for simple filters, but it becomes awkward for advanced search screens, report previews, analytics queries, GraphQL-style reads, JSON-RPC queries, or audit-log filters with nested conditions.POSTcan carry that data in the body, but it no longer clearly communicates that the request is safe and read-only.QUERYgives applications a better option: a safe and idempotent request with query content in the request body. In CodeIgniter this can be expressed naturally with a route like:This is not just a CodeIgniter-specific idea. The web ecosystem has already started moving in this direction, with support merged or being discussed in nginx, Symfony, Laravel, Rails, Spring Framework, Node.js, and other projects.
This PR wires
QUERYinto the framework areas where CodeIgniter already exposes HTTP methods:CodeIgniter\HTTP\Method$routes->query(...)match(['QUERY'], ...)$this->query(...)CURLRequest::query(...)For input handling,
QUERYfollows the same raw-body path asPUT,PATCH, andDELETE. JSON requests continue to use the existing JSON handling based onContent-Type.This PR is intentionally conservative. It teaches CodeIgniter how to recognize, route, test, and send
QUERYrequests, but it does not add special cache handling,Accept-Querysupport, or globalContent-Typeenforcement. Applications should still decide which query content types they accept and validate that in the controller or request layer.Tests cover routing, route command output, feature testing,
CURLRequest, validation, Form Requests, raw input handling, and CSRF behavior.References
Checklist: