Looking at this and thinking about it a bit for the first time, I have the reaction that an HTTP server should respond to at least GET and POST requests. The draft docs say nothing about this. The server docs should at least explain how to send a request to the server. It should not be left to the sample client. And if there is to be a web server, it would be useful for it to serve one or a few actual web pages, which could in fact contain the documentation for using it. Tomcat does this by default, for example.
As an example of what I mean, the draft doc says "The **_do_message** method expects that incoming requests are JSON object ..." How is such a message to be sent? Perhaps a GET?

GET: http://localhost:<port>/do_message?method=**&json={.....}

If this is not correct, explain what is correct, and give some examples. If it is correct (and I am just guessing here), please give an example.

If the request is supposed to be a POST or PUT, make sure to specify what the message encoding is, as well as the format of the message body. Typically requests, especially POST requests, are encoded as MIME type *application/x-www-form-urlencoded*. Is this the case for this server? What is the MIME type of the response? Is the utf-8 character encoding required? Will the response always be utf-8 encoded?

And if there is to be a web server, security concerns need to be thought about from an early stage. For example, can the server be made to leak important information by deliberately sending it a message that will cause an error? Can an attacker get to the file system or the server configuration files? Can an attacker walk up the server's file tree? Can the server be configured to respond only to a specific URL?

Is the server supposed to be stateful? HTTP servers are not really expected to contain state. They are supposed to return representations of a "resource". If the resource is the state of a Leo outline, the server needs to query something that can provide that information. This may be how the system is intended to work, but then the document should say so, and give some detail about how this all works.

On Friday, May 14, 2021 at 4:46:55 PM UTC-4 Edward K. Ream wrote:

> On Fri, May 14, 2021 at 2:39 PM Viktor Ransmayr <[email protected]> wrote:
>
> > Would it make sense to ignore mentioning leoclient.py at this point in time completely - or - at least defer mentioning it to the time, when the CP: request / response model has already been described?
>
> I think it's worth mentioning that leoclient.py exists. It's a useful example of client code.
>
> Edward
