I spent last week triaging the REST module issue queue, to identify the top priorities for REST to support all use cases, and to be less painful to use. This is what I came up with.
Any use case (fully decoupled, progressively decoupled, content sync)
- Impossible to update Comment entity with REST: #2631774: Impossible to update Comment entity with REST (HTTP PATCH): bundle field not allowed to be updated, but EntityNormalizer::denormalize() requires it
- Basic config entity support: #2724823: EntityResource: read-only (GET) support for configuration entities
- EntityResource: translations support: #2135829: EntityResource: translations support
- File uploads: #1927648: Serialize file content (base64) to support REST GET/POST/PATCH on file entity
- Full config entity support: #2300677: [PP-1] Create/Update/Delete (POST/PATCH/DELETE) ConfigEntity via REST
- REST export entity views supporting translations: #2664880: DataEntityRow doesn't respect translations
- Pagination support: #2100637: Add special handling for collections in REST
- REST export views supporting pagination: #2099281: [PP-1] REST views: pagination link relations
- REST export views break the HTML view if they're on the same path: #2730497: REST Views override existing REST routes + #2772537: REST Views override existing REST GET routes + #2449143: REST views specify HTML as a possible request format, so if there is a "regular" HTML view on the same path, it will serve JSON
- REST export views: row-level caching: #2648268: REST views: row-level caching doesn't exist, unlike for other types of views
- REST export views: authentication support: #2228141: Add authentication support to REST views
- HEAD requests do not work: #2752325: Automatically provide HEAD support when a REST resource supports GET
Fully decoupled
- Logging in: #2403307: RPC endpoints for user authentication: log in, check login status, log out
- Registering: #2291055: REST resources for anonymous users: register
- CORS (to put D8 on different domain): #1869548: Opt-in CORS support
DX
- Content-Type request header missing: #2659070: REST requests without Content-Type header: unhelpful response significantly hinders DX, should receive a 415 response
- X-CSRF-Token request header missing: #2681911: REST requests without X-CSRF-Token header: unhelpful response significantly hinders DX, should receive a 401 response
- GET/PATCH/DELETE to /node, but POST to /entity/node: #2293697: [pp-1] EntityResource POST routes all use the confusing default in <8.2: use entity types' https://www.drupal.org/link-relations/create link template if available
- Configuring REST is a PITA: #2308745: Remove rest.settings.yml, use rest_resource config entities
- Configuring REST permissions is a PITA: #2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resources
- Simplify REST configuration: #2721595: Simplify REST configuration
- #2777969: Provide an example REST configuration entity
General reliability, maintainability & DX
- #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method — this actually relates to many of the above issues, and would provide much, much stronger assurances that REST works as expected & intended.
Comments
Comment #2
Wim Leers at Acquia commented
One down :)
Comment #3
dawehner at Chapter Three commented
Added another issue which could be interesting: #2721595: Simplify REST configuration
Comment #4
aneek as a volunteer commented
Hello can this be added to this list #2653318: While in maintenance mode, REST routes respond with HTML instead of XML/JSON/…?
Comment #5
Wim Leers at Acquia commented
#4: I don't consider that a top priority: it's an edge case. Everything listed in the top priorities is a huge problem/gap. Don't worry, it will get fixed. I moved it to the rest.module component for better visibility, so we don't forget about it.
Comment #6
marthinal commented
@Wim IMHO #2310307: File needs CRUD permissions to make REST work on entity/file/{id} would be a critical issue here if we want to upload files. AFAIK we want to create 2 entities in the same request and avoid creating the File and then the node (or the custom entity). @alexpott told me that we want to avoid the current solution ("everybody can upload files").
And #1927648: Serialize file content (base64) to support REST GET/POST/PATCH on file entity uses this patch...
Comment #7
dawehner at Chapter Three commented
Comment #8
dawehner at Chapter Three commented
Adding another issue to it: #2228141: Add authentication support to REST views
Comment #9
Wim Leers at Acquia commented
Comment #10
Wim Leers at Acquia commented
Oops, pasted the wrong issue ID.
Comment #11
Wim Leers at Acquia commented
One down: #2730497: REST Views override existing REST routes.
Comment #12
Wim Leers at Acquia commented
Yay, #2631774: Impossible to update Comment entity with REST (HTTP PATCH): bundle field not allowed to be updated, but EntityNormalizer::denormalize() requires it landed! The highest priority issue, because it literally made REST broken/impossible to use for many use cases!
Comment #13
Wim Leers at Acquia commented
Clarify the different levels of config entity support.
Comment #14
Wim Leers at Acquia commented
Comment #15
Wim Leers at Acquia commented
Yay, #2724823: EntityResource: read-only (GET) support for configuration entities landed!
Comment #16
Wim Leers at Acquia commented
Yay, #2308745: Remove rest.settings.yml, use rest_resource config entities landed! That unblocked #2721595: Simplify REST configuration.
Comment #17
Wim Leers at Acquia commented
#2752325: Automatically provide HEAD support when a REST resource supports GET was just reported, this is another significant bug.
Comment #19
Wim Leers at Acquia commented
Yay, #2228141: Add authentication support to REST views landed!
Comment #20
larowlan at PreviousNext commented
One more for consideration #2758897: Consider moving rest link manager services into serialization module
Comment #21
tedbow at Acquia commented
I just wanted to try to highlight a list of issues that would be great to get done before the Feature freeze for 8.2.0-beta1. I think this is Week of August 3, 2016.
Issues that are new Features or tasks, not listing but because I don't think they are affected by the freeze.
Very Close - could be done by deadline
#2403307: RPC endpoints for user authentication: log in, check login status, log out with related #2753681: Move CSRF header token out of REST module so that user module can use it, as well as any contrib module
#2291055: REST resources for anonymous users: register
Not as close
#1927648: Serialize file content (base64) to support REST GET/POST/PATCH on file entity
#1869548: Opt-in CORS support
#2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resources
Seems unlikely
#2099281: [PP-1] REST views: pagination link relations
#2300677: [PP-1] Create/Update/Delete (POST/PATCH/DELETE) ConfigEntity via REST
#2135829: EntityResource: translations support
Not started but does is this test so is it affected by feature freeze? #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method
BTW: I could be totally wrong about above. Let me know. I was partly doing it for my own benefit to figure out what is the most important to work on.
Comment #22
dawehner at Chapter Three commented
#2113345: Define a mechanism for custom link relationships is an issue someone could review. If someone needs something special: #1928868: Typed config incorrectly implements Typed Data interfaces is up there for review. This will enable POST/PATCH of config entities.
Especially the latter would be nice because we need probably a full release to add the required constraints so we can start supporting updates.
Comment #23
Wim Leers at Acquia commented
#21: thanks for that! I mostly agree. There are two things where I disagree:
So: +1 for attempting to land the following in the next few weeks:
You're right that #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method can happen after feature freeze. But, of course, it'll mean less clean tests in the ones above. Then again, most of those already have their tests written already anyway. So I think it's fine. #2737719: EntityResource: Provide comprehensive test coverage: for every entity type, every format, every method will put us in a great position to make D8 REST "best-in-class" in 8.3, per #2757967: API-first initiative.
#22: I reviewed #2113345: Define a mechanism for custom link relationships. I can't review #1928868: Typed config incorrectly implements Typed Data interfaces — that needs review from a Typed Data maintainer.
Comment #24
Wim Leers at Acquia commented
Comment #25
dawehner at Chapter Three commented
It almost feels as if no one could review it :)
Comment #26
Wim Leers at Acquia commented
You'll need to bribe a Typed Data maintainer :P
Comment #27
jacov as a volunteer commented
for another step toward api first & truly decoupling, voting for: #2771353: Support "auto-create" entity references by value (instead of by ID/UUID), just like tags are auto-created in the content creation UI
Comment #28
jacov as a volunteer commented
show stopper: #2772413: REST GET fails on entity/taxonomy_vocabulary/{id} 403 Forbidden with error
Comment #29
jacov as a volunteer commented
Comment #30
jacov as a volunteer commented
Comment #31
Wim Leers at Acquia commented
@jacov: Can you please not mark all of your own issues as "top priorities"? Can you leave that to the people maintaining the module, who are used to triaging incoming issues, and who have a much better understanding of the relations between different issues? Thanks.
Comment #32
dawehner at Chapter Three commented
@jacov
One thing you always have to keep in mind. Critical in an issue doesn't mean it's critical for you, but rather the site. Each major is most likely a critical issue aka. show blocker on actual sites, but we cannot treat Drupal core as a union of sites. This simply doesn't scale.
Comment #33
Wim Leers at Acquia commented
Apparently @jacov even put all of his top priorities at the very top of each list in the issue summary. I'm sorry, but that's just plain rude.
Comment #34
dawehner at Chapter Three commented
Thank you @Wim Leers for cleaning up this mess!
Comment #35
Wim Leers at Acquia commented
Adding #2772537: REST Views override existing REST GET routes to point 9.
Comment #36
Wim Leers at Acquia commented
#2721595: Simplify REST configuration and #1869548: Opt-in CORS support landed!
Comment #37
Wim Leers at Acquia commented
Forgot to update the IS for #36.
Comment #38
Wim Leers at Acquia commented
Let's keep this issue just for Drupal 8.2.x. We can create a new Plan issue for 8.3.x later. That will keep both issues manageable in size, and they'll provide useful reference points in the future.
Comment #39
dawehner at Chapter Three commented
Good idea. In general there are also things which are pure bug fixes, that can land more or less at any point, and there are more task/featurish things, which should be prioritized in the next 2 weeks.
Comment #40
Wim Leers at Acquia commented
#2403307: RPC endpoints for user authentication: log in, check login status, log out landed too!
#39: Exactly :)
Comment #41
Wim Leers at Acquia commented
#2659070: REST requests without Content-Type header: unhelpful response significantly hinders DX, should receive a 415 response landed!
Comment #42
Wim Leers at Acquia commented
#2752325: Automatically provide HEAD support when a REST resource supports GET landed!
Comment #43
Wim Leers at Acquia commented
Comment #44
Wim Leers at Acquia commented
#2681911: REST requests without X-CSRF-Token header: unhelpful response significantly hinders DX, should receive a 401 response landed!
Comment #45
Wim Leers at Acquia commented
#2664780: Remove REST's resource- and verb-specific permissions for EntityResource, but provide BC and document why it's necessary for other resources landed!
Comment #46
dawehner at Chapter Three commented
After trying to use the new configuration entity based system, I think we should fix #2777969: Provide an example REST configuration entity