edgedb icon indicating copy to clipboard operation
edgedb copied to clipboard
verified publisher icon edgedb

GET HTTP queries are not idempotent

Open robsimmons opened this issue 10 months ago • 1 comments

  • EdgeDB Version: 6.2
  • EdgeDB CLI Version: 7.0.3
  • OS Version: OSX

Steps to Reproduce:

  1. Create a local database with this schema 
    using extension edgeql_http;

module default {
  type Person {
    required name: str;
  };
}
  2. Run the following command several times: 
    curl -i -H "Content-Type: application/json" --request GET -u admin:<PASSWORD> "http://localhost:10700/branch/main/edgeql?query=insert%20Person%20%7Bname%3A%3D%20%22Fred%22%7D%3B%0A%0A%0A"
    which URLencodes the query 
    insert Person {name:= "Fred"};

The expected behavior is that this query is rejected, like a GraphQL query containing a mutation would be rejected, given that it changes the database in a non-idempotent manner. The docs say "[Since HTTP is a stateless protocol, no DDL, transaction commands, can be executed using this endpoint.](https://docs.geldata.com/reference/clients/http)", but that applies equally to insertions, deletions, and updates.

The observed behavior is that each GET request adds a Person entity to the database.

robsimmons avatar Mar 11 '25 17:03 robsimmons

I wonder if we actually disallow GraphQL mutations on GET, too.

msullivan avatar Mar 11 '25 17:03 msullivan