apache
Add dag re-parsing request endpoint
API endpoint to request reparsing of DAG.
The API is useful in cases when users have lots of dags and want to prioritize the parsing of a particular dag. We record the requests in the DB table and rearrange the file_path_queue variable such that the requested DAG is prioritized over other dags in the queue.
I feel this should be POST since the action feels more like a write than read. But it’s a bit grey I guess.
I feel this should be POST since the action feels more like a write than read. But it’s a bit grey I guess.
Yes we should change it to POST. From security point of view any requests that change state of the DB should be POST/PUT/DELETE - rather than GET, For the API requests that require Content-Type: application/json - that will prevent a CSRF attack, where malicious user could send a GET Request using the session from a user who is already logged in another tab - because it is not possible to post a HTML form with "application/json" content type.
Our APIs are CSRF-exempt so as opposed to POST requests, malicious user can send arbitrary GET requests using session of the logged in user in another TAB (but it cannot retrieve the result of such get requests), so GET requests should not be used to change the DB state.
In this case there is a file token that gives additional protection, but changing it to POST is the best way to protect from malicious user.
I agree, changed the request to use HTTP POST method.
Thanks, @potiuk, I didn't know the security implications of GET Vs POST here.