Fix CORSMiddleware configuration initializer parameter #2314
Conversation
|
This was discussed in #2295 and there are multiple cases where you may want a certain type of middleware before the error middleware. Having a special case just for CORS seems wrong to be and the way it's now documented in the docs where you create a new |
|
I disagree. CORS has to be before the error middleware, and it's a bad idea to force people to find something in the docs like this when we can easily resolve the issue for them. I think the most common case would be a person just adding CORS and nothing else. |
|
100% with @0xTim on this. Broken scenario: The docs clearly address the importance of ordering – if one is going to alter the default middlewares configuration, an expectation that they first read the essential docs is reasonable. While the intent is good, hard-coding is limiting and rarely the best solution. |
|
Oh, and just for sake of completeness, I don't have a strong opinion on the other proposed change in here – though do note that this would now require extending |
You can init |
There was a problem hiding this comment.
I agree that there should be an easier way to add CORS middleware. Needing to first empty the middleware then re-add CORS and error middleware in the correct order is not intuitive.
That said, I don't think this is the right approach as it has just as much potential to cause problems as the current API.
What if we instead expose collection-like APIs on app.middleware? This would let you do:
app.middleware.insert(cors, at: 0)We could copy collection directly here or add parameters to use:
app.middleware.use(cors, .first)This prevents the need for resetting the middleware config / re-adding error middleware. It also makes CORS configuration more easily copy-pastable. Most importantly though, it still gives the developer full control over how middleware are added. If they want something to go before CORS middleware, they can easily do it.
|
Another issue I didn't spot, changing the type of |
|
@0xTim Yup, it's a breaking change. I had mentioned that to Tanner in Discord. My vote would be that we go ahead and do it anyways based on:
That said, it's not that a big a deal if we decide not to :) @Tanner I don't think that's a "clean" API for people. What about, instead, if we allowed something more like app.middleware.use(cors, before: ErrorMiddleware.self) |
|
Going to have to say no to the breaking change - we're stable and we can't just break SemVer like that just because someone might not be using it. We've avoided smaller changes than this in the past and we should stick to it. It sets a dangerous precedent and destroys trust in Vapor. As for the API, I think having a finer grained control over the order is clearer: app.middleware.use(cors, before: ErrorMiddleware.self)Is that the slot before |
I agree, I also considered an API like
It would work just like array, the item currently at 0 would move to 1. |
Agreed. Semver must be followed as our docs promise:
In this case we can add a new init overload and deprecate the old one though. Win win. |
|
Great points, Tim. I pushed a new version (I had to do a force push of this branch) which deprecates the old one. I also removed all the stuff related to the location of the middleware as it seems that still needs some architecture work done. |
grosch
changed the title
[String]? parameter
tanner0101
changed the title
[String]? parameter
|
These changes are now available in 4.3.0 |
* Makes sure CORSMiddleware always adds before ErrorMiddleware * Deprecates the CORSMiddleware initializer which takes an [String] * Added the doc comment * Tanner's requested changes * Switched to a 'convenience' initializer
Updates
CORSMiddleware.Configuration'sexposedHeadersparameter to accept[HTTPHeader.Name]instead of[String]like the other parameters do (#2314).