-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
common: introduce reproducible http requests #542
Comments
Imagine this:
This requires:
Problems with this:
I think this is neat and I'd like to do it going forward. But is there a more immediate solution to #541? |
Thinking about the previous post some more. Do we want at least the option to post the request object even if the request succeeded? False positives do happen. If we fail, and write the response, we're writing potentially sensitive headers/credentials and data back to the state object. That will be saved back to lightning as dataclip and be subject to the data retention policy. I am not comfortable with this idea as a default. Maybe even as an opt-in it's dubious - users likely don't know all the data being saved back to lightning and how secure it is. Dumping the raw request in the log to be awkwardly copied out is no better. We're still exposing credentials, name and ideas in the logs. Also credentials will be scrubbed so it's not re-usable anyway. What I'm looking for is a safe way to "eject" that request (with its sensitive payload and credentials) into a JSON object which is downloaded for use in the CLI and then discarded by Lightning. And we just don't have the machinery for that. |
The only way I can really see it is if a user says "hey, it's cool to export my sensitive data and credentials for this one run. It's more important that I fix the issue". Which is the use-case we're chasing. That basically means the common helper needs to use a flag which says "eject on error", which means freely dumping stuff to state. This could be:
|
The other way of approaching this whole problem is to say: look, making your requests reproducible is a huge and unnacceptable security leak, sorry. But if you run in the CLI, we assume you're in a trusted environment (the credential is on your system after all). So download and run the workflow locally with the CLI and take a close look at the output there. That approach needs us to have some kind of env var like This would be free to implement and doesn't require any features lightning side (we could even later allow lightning to run in unsafe mode). The gotcha would be that its not easy yet to download your workflow and credential to run in the CLI. But that's a problem we need to solve anyway.... |
This is a speculative/design issue
A common pattern coming out of job work is: I called an adaptor function with some data, it did some stuff and sent a http request, the server returned an error.
How can I SEE my raw request and response, and further more, how can I repeat it?
I feel like I want to be able to easily copy the quest out of stdout, paste it somewhere, and run
curl request.txt
or something to reproduce it.We could use the CLI to reproduce requests - so long a the command is easy. But what about exporting to other tools, like postman or curl? How can I reproduce a request outside of the openfn context? This feels kinda useful to me
I think we need something like this:
The text was updated successfully, but these errors were encountered: