[wp-trac] [WordPress Trac] #38521: REST API: Get rid of the `/users/me` redirect
WordPress Trac
noreply at wordpress.org
Sun Oct 30 13:08:38 UTC 2016
#38521: REST API: Get rid of the `/users/me` redirect
--------------------------+--------------------------
Reporter: jnylen0 | Owner: rachelbaker
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: close | Focuses:
--------------------------+--------------------------
Changes (by rmccue):
* keywords: => close
Comment:
So, I think that we should look at this issue, but I don't believe that
removing the redirect gains us enough to warrant breaking the resource
paradigm. Additionally, this issue does not apply currently, as external
authentication is not included in core yet.
As @jnylen0 noted, there are three types of client:
* Internal
* External, JS-based
* External, non-JS
There are two separate issues caused by redirects:
* CORS issue: Browsers do not appear to be allowing access to the resource
due to the CORS preflight OPTIONS request. This applies only to External,
JS-based clients.
* OAuth issue: If the request is not re-signed on redirect, the signature
will be invalid. This can apply to any External client.
The CORS issue is a bug, and we should look at how we can fix this. CORS
''should'' work fine, as it's
[https://www.w3.org/TR/cors/#resource-requests designed into the spec] to
follow redirects; I think the issue may be that we need to issue a redirect
on the OPTIONS request too.
The OAuth issue is really about the usage, and I think this is '''a
documentation issue only'''. Clients '''must''' be able to follow
redirects correctly, otherwise we leave ourselves in a state where clients
may be broken by changing server URLs, potential backwards-compatibility
redirects, and a whole host of other issues. We should document that OAuth
must be reapplied on redirects.
The only potentially unsolvable issue is that some clients cannot control
redirects, primarily JS-based ones using XMLHttpRequest. This however is
solvable by using the newer `fetch()` API, which allows `{ redirects:
'manual' }` to be set; this is [https://github.com/github/fetch/issues/137
not polyfillable]. It is for this client only (external `XMLHttpRequest`)
that `_envelope` is the preferred solution.
We should open two new issues:
1. Document redirect behaviour for OAuth.
2. Fix CORS issue with redirects.
This ticket should then be closed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38521#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
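The OAuth re-signing point in the comment above, as an added example that is not part of the ticket or of WordPress core: a client that follows the `/users/me` redirect hop by hop with `redirect: 'manual'` and signs each hop, beside the naive client that replays the first signature. `toySign`, `fakeServer` and the `example.test` host are constructed stand-ins; it assumes a non-browser `fetch` (such as Node's), where manual mode exposes the 3xx status and Location header.

```javascript
// Added example, not code from the ticket or from WordPress. Assumes a
// non-browser fetch where redirect: 'manual' returns the 3xx response with its
// Location readable. In browsers manual mode yields an opaque redirect
// (status 0, no Location), which is why the comment points external
// XMLHttpRequest clients at `_envelope` instead.
const MAX_HOPS = 5;
const REDIRECTS = [301, 302, 307, 308];

// Follow redirects by hand and sign every hop for its own URL.
// `sign(method, url)` stands in for an OAuth signing routine (assumption).
async function fetchResigning(url, sign, fetchImpl, method = 'GET') {
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const res = await fetchImpl(url, {
      method, redirect: 'manual', headers: { Authorization: sign(method, url) },
    });
    if (!REDIRECTS.includes(res.status)) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error(`redirect without Location from ${url}`);
    url = new URL(location, url).toString(); // resolves a relative Location
  }
  throw new Error('too many redirects');
}

// Naive counterpart: signs once and replays that header after the redirect,
// which is the OAuth failure mode the comment describes.
async function followWithoutResign(url, sign, fetchImpl, method = 'GET') {
  const headers = { Authorization: sign(method, url) };
  let res = await fetchImpl(url, { method, redirect: 'manual', headers });
  if (REDIRECTS.includes(res.status)) {
    url = new URL(res.headers.get('location'), url).toString();
    res = await fetchImpl(url, { method, redirect: 'manual', headers });
  }
  return res;
}

// Constructed stand-in for the server: /users/me redirects to /users/1 and
// every route rejects a signature that was computed for a different URL.
const toySign = (method, url) => `OAuth sig="${method}:${url}"`;
function fakeServer(url, opts) {
  const path = new URL(url).pathname;
  const reply = (status, body, hdrs = {}) => Promise.resolve({
    status, body, headers: { get: (k) => hdrs[k.toLowerCase()] ?? null },
  });
  if (opts.headers.Authorization !== toySign(opts.method, url)) {
    return reply(401, 'rest_invalid_signature'); // stale or missing signature
  }
  if (path === '/wp-json/wp/v2/users/me') {
    return reply(302, '', { location: '/wp-json/wp/v2/users/1' });
  }
  if (path === '/wp-json/wp/v2/users/1') return reply(200, '{"id":1}');
  return reply(404, 'rest_no_route');
}
```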