Handling slash in object ids

[rma-rripken]

I'm going to use Clob as an example but this affects other things, not just clobs. Say you have a clob with an id of "idwith/slash".
To get that clob you'd try to issue a get request to:
http://localhost:7000/cwms-data/clobs/idwith%2Fslash?office=SPK

The clob-id is in the path portion of the url. The id is not a query parameter (like office) its a path-parameter.

Also notice that the id has been url-encoded.

Unfortunately CDA is going to return to you this 400 error:

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Invalid URI: noSlash</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><hr class="line" /><h3>Apache Tomcat/9.0.64</h3></body></html>

Tomcat, by default, doesn't allow the url to include slash characters.

Stackoverflow ( https://stackoverflow.com/a/52778888/249623 ) suggests adding:

jvmArgs += "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
jvmArgs += "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

Adding that will make the id with slashes get passed thru to our CDA code!
Unfortunately we'd have to add those options to the Tomcat run config so it would affect all the servlets on that server. Its thought that blocking Slash and Backslash characters was explicitly called out by the STIG as something we must do for security. Apparently the feature is too often abused as part of other bad behavior so we can't have nice things anymore. Even if we could get those Tomcat flags set we'd also have to get proxies configured to allow it also. Basically its probably not going to happen.

I don't think this is Javalin's fault. At least not this specific error.
The point of this discussion: What to do?

[rma-rripken]

One suggestion was to expose native db codes - this isn't going to happen.

[rma-rripken]

Another possibility is to allow users to encode the id some other way - maybe base64?

[adamkorynta]

Can it just be a query param instead of a path param? Easy enough to add a note to the OpenAPI doc to describe why this one is non-standard.

[rma-rripken]

query parameters can have slashes in them. Whatever we do we probably have to do across the board b/c its not just clobs.

[rma-rripken]

to get requests routed to the right place users probably have to put something in the {clob-id} portion of the path and it can't have a slash

[MikeNeilson]

My thought is this:

The natural representation of an object, for example (office,location), (office,timeseries name), is place in query parameters.
But The API generates a (to the user) opaque arbitrary "ID" field that maps to those somehow. Likely a simple base64(natural key).

This way we're not actually exposing the column surrogate key (I really wish SQL had a keyword for surrogate key to make it really obvious) but the API itself can still be used as some expect it.

@willbreitkreutz and (Will, I don't know Randy's github handle) were discussing this at our meeting last week.

I get why they want it, and I see the value in the type of ID, I just want to hide the actual database implementation from the level of the database API so it's easier to shift the rug out later. So i think an encoded ID field is a reasonable compromise; considering how common it is to use uuids to surrogate keys these days a base64 encoded value really isn't much different visually at least. And it's more a machine-to-machine detail anyways; someone manually querying data is more likely to use the natural keys and search fields.

And this split makes it a little more practical to make all the clear.

[MikeNeilson]

This also has the added benefit of then making the Clob and Blob controllers non-divergent from the rest.

And a transition period wouldn't be too hard, just attempt a base64 decode real quick (or may just a check for only has the b64url alphabet) and operate appropriately for a time.

[MikeNeilson]

The really controversial question (should this prove to be the solution.) Should we call that new field:

1. ID - (need to change Blob and Clob to use "name", but should probably do that anyways.)
2. Key - I like it, obvious, it's just a point to the object and has little other meaning (as it should be.)
3. Slug - not uncommon, but usually reserved for readable text.
4. something else?

[rma-rripken]

Follow-up comment. Blob and Clob end-points can now take an optional clob-id/blob-id query-param. If that query param is found it will be used instead of the value of the path parameter. When using the clob-id query parameter the user must still provide a valid (in the sense that it doesn't contain slashes or other illegal characters) path parameter so that the request will get routed to the correct controller end-point. When the path parameter is overridden it doesn't really matter what the user puts in the path-parameter as long as there is something there. It would be a mistake to put an invalid id in both the path-parameter and the query-parameter because in that situation the request would get blocked. A hardcoded path parameter like: "NA" "ignored" "default" "none" would all be fine choices when query-parameter override is going to be used.