Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
chronicler 4 hours ago

Making GET requests have bodies as the norm would also handle this

badbotty 4 hours ago | parent | next [-]

GET is a keep things simple stupid approach to caching. The URL is the cache key plus any headers touched by the vary header. Adding the requirement to vary on the body and understand the body content semantics brings in a whole lot of complexity that GET avoids.

platzhirsch 4 hours ago | parent | prev | next [-]

I might be misunderstanding something, but it seems the issue isn't really about whether GET can technically carry a body. The deeper concern is that HTTP methods have specific meanings, and mixing those signals can causes confusion and it's nice to have this semantic separation.

cortesoft 3 hours ago | parent | next [-]

If you look at the summary table, the only difference between a GET and a QUERY is that the query can have a body. Other than that, they have the exact same characteristics and purpose, so there isn’t really a need to semantically separate them.

Veserv 4 hours ago | parent | prev [-]

The problem is that they are not enforced. You can already have GET requests that modify state even though they are not supposed to.

What you are actually doing when making a specific kind of request is assuming the actual properties match the documented properties and acting accordingly.

A QUERY seems to be no more than a POST that documents it is idempotent. Furthermore, you should only QUERY a resource that has advertised it is idempotent via the “Accept-Query” header. You might as well name that the “Idempotent-Post” header and then you just issue a POST; exactly the same information and properties were expressed and you do not need a new request type to support it.

notatoad an hour ago | parent | next [-]

HTTP semantics aren’t hard enforced but that only means something if you always control the client, server, and all the middle layers like proxies or CDNs that your traffic flows over.

Your GET request can modify state. But if your request exceeds a browser’s timeout threshold, the browser will retry it. And then you get to spend a few days debugging why a certain notification is always getting sent three times (ask me how I know this)

Similarly, you can put a body on your GET request in curl. But a browser can’t. And if you need to move your server behind cloudflare one day, that body is gonna get dropped.

happytoexplain 4 hours ago | parent | prev | next [-]

I'm confused - wouldn't idempotent POST be PUT? Isn't the proposed QUERY for fetching semantics?

an hour ago | parent | next [-]
[deleted]
dragonwriter 44 minutes ago | parent | prev | next [-]

Essentially correct, QUERY is safe, like GET, not merely idempotent, like PUT. Safety implies idempotence, but not vice versa.

simonkagedal 22 minutes ago | parent [-]

Does “safe” here mean just “non-mutating”?

dragonwriter 15 minutes ago | parent [-]

No, it doesn't just mean that (it does mean non-mutating from the point of view of the client and in regard to the target resource, but the essential meaning involves more than that and it is more subtle than simply “non-mutating”.)

The specific definition is in the HTTP spec, and I don't think I can describe it more concisely without losing important information necessary for really understanding it.

https://www.rfc-editor.org/rfc/rfc9110#section-9.2.1

pcthrowaway 3 hours ago | parent | prev | next [-]

I think the idea is that POST creates a record (and in theory fails if that record already exists). I guess the commenter above is saying that if you inverted that (fail when the record doesn't exist, return the record if it does) it would be similar to QUERY? Not sure if I agree with that, but PUT's return semantics are a bit vague.. it often returns partial or combined records, or just a 200 OK (with or without a response body), or 204 No Content for unchanged records (with or without a response body)

It's clear what POST returns, so... perhaps QUERY is more similar to it in that sense?

johncolanduoni 3 hours ago | parent | next [-]

Whatever the original intent was, POST definitely does not return a new record consistently in most actual APIs. It's frequently used for actions that don't conceptually create anything at all.

LoganDark 3 hours ago | parent | prev [-]

PUT is the idempotent one. POST typically performs an action; PUT just creates-or-updates.

Veserv 4 hours ago | parent | prev | next [-]

The existing mechanism to get QUERY semantics is a POST that encodes the “fetch parameters” in the body and the response contains the fetched values. You then out-of-band document that this specific use of a fetching POST is idempotent.

This is literally expressed in the document in section 1: Introduction. They just want to take that POST request and replace the word POST with QUERY which also means the server is intended to assure the request is idempotent instead of needing that documented out-of-band.

johncolanduoni 4 hours ago | parent | prev [-]

For some reason the RFC focuses on idempotency, but then says it's explicitly intended for enabling caching semantics. Caching a query that mutates visible state doesn't really make sense, and like you point out if you just want idempotent modifications PUT already has the relevant semantics. I guess we haven't learned our lesson from making the original HTTP semantics super squishy.

dragonwriter 2 minutes ago | parent [-]

> For some reason the RFC focuses on idempotency,

It focuses on a bit more on safety, which is why every mention of it the proposed method having the "idempotent" property is immediately preceded (in most cases in the same sentence) by description of it having the "safe" property.

cortesoft 3 hours ago | parent | prev [-]

It would be pretty impossible to actually ‘enforce’ that GETs don’t modify state. I am not sure if I would call the lack of enforcement a problem when it is more a simple fact about distributed systems; no specification can enforce what a service does outside of the what is returned in a response.

Veserv 2 hours ago | parent [-]

That is exactly my point. There is no reason to syntactically distinguish what is semantically non-distinguishable.

The interpretation of a request is up to the server. There is no reason for the client to syntactically distinguish that the request body is for a POST vs QUERY; the request parameters and response have the same shape with the same serialization format.

However, on the other side, a server does control interpretation, so it is responsible for documenting and enforcing how it will interpret. QUERY semantics vs generic POST semantics is a receive/server-side decision and thus should not be a syntactic element of client requests, merely a server description of endpoint semantics (“QUERY endpoint” meaning shorthand for POST endpoint with query semantics).

edit: Thinking about it some more, there is one possible semantic difference which is that a transparent caching layer could use a syntactically different POST (i.e. QUERY) to know it should be allowed to cache the request-response. I do not know enough about caching layers to know how exactly they make fill/eviction choices to know if that is important.

vlovich123 3 hours ago | parent | prev | next [-]

I suspect the challenge would be all the middleware that assumes that get never had a body.

ashu1461 3 hours ago | parent | prev [-]

or get requests with query params already handles this in majority of the cases, unless the query size is too big (which ideally should not be the case since in the end it is a get request)