grpc-node icon indicating copy to clipboard operation
grpc-node copied to clipboard
verified publisher icon grpc

Server does not check the HTTP method of the request

Open jhump opened this issue 1 year ago • 2 comments

If the rest of the request looks like a gRPC request, the server will accept incorrect HTTP methods, such as “DELETE” or “PUT”. If the server generates an error status, it would be because some other issue was encountered in processing the request.

Ideally, the server would check some basics of the request before even attempting to process it as a gRPC request, the HTTP method and the content-type are the main attributes it should check to classify the request as gRPC or not.

jhump avatar May 30 '24 17:05 jhump

The gRPC protocol spec specifies the error to send if the client sends the wrong content-type, and this server implementation does check the content-type and send that error if appropriate. The gRPC protocol spec does not specify what to do if the HTTP method is incorrect.

murgatroid99 avatar May 30 '24 18:05 murgatroid99

I agree that there are deficiencies in the spec around this: https://github.com/grpc/grpc/issues/36767

jhump avatar May 30 '24 18:05 jhump