[API Request] Officialise POST support #26
Replies: 6 comments 15 replies
-
@opensubsonic/servers We need to move on with this to expand on the new APIs. The server who already support some cases like form post or something else please post here and let's try to define something simple. If there's no consensus for the new API it would be best to support json post and not form based list of params. |
Beta Was this translation helpful? Give feedback.
-
POSTs are accepted by Navidrome, based on a request by (IIRC) @MichaelBechHansen for play:Sub. It accepts a curl -v -X POST -H 'Content-Type: application/x-www-form-urlencoded' 'http://localhost:4533/rest/ping.view' --data 'c=client&v=1.8.0&f=json&u=user&p=password' |
Beta Was this translation helpful? Give feedback.
-
POSTs are accepted by @Astiga for all requests. The query string can be used for parameters, or |
Beta Was this translation helpful? Give feedback.
-
gonic works the same as Navidrome and Astiga 👍 |
Beta Was this translation helpful? Give feedback.
-
Ok so seems @epoupon LMS does not yet support that, so we can't just say it's in OS and need an extension. Since most already support We can still add json post later as it won't be incompatible if server check the content type. |
Beta Was this translation helpful? Give feedback.
-
The specification is too ambiguous regarding the handling of duplicated parameters in both the query and body, and specifically the authentication parameters. The ambiguity could potentially lead to a parameter pollution vulnerability, where a component authenticates one user, and another component handles the request for another user, especially since query parameters and form parameters are often merged in library/framework-specific ways. Although this could in principle be an issue already when you just have a subsonic server, it can actually become problematic in deployments where a reverse proxy in front is in charge of the authentication. It is especially problematic since a fully secure authentication service becomes potentially vulnerable when the subsonic backend is switched for an opensubsonic one that supports this extension. I suggest to improve the specification to address the issue specifically for the authentication parameters, as ambiguity with the other parameters should not create a security risk. My preferred solution would be to specify that authentication parameters must not appear in the body. If an alternative to query parameters is desired, the Some other ideas but they all feel just off the mark:
What do you think? |
Beta Was this translation helpful? Give feedback.
-
Type of change
API Clarification
Proposal description
It seems quite a few servers already support that but we need to officialise POST support to the API to allow large batch queries like editing playlists, or future extensions.
Backward compatibility impact
No response
Backward compatibility
API details
To be documented by servers that already support that as we should use what's existing to ensure compatibility.
Security impacts
No response
Potential issues
No response
Alternative solutions
No response
Beta Was this translation helpful? Give feedback.
All reactions