setValidExtensions()

Hi all, I was looking through the “What’s new with ColdBox 3.0.0” page and came across the new function for setValidExtensions(“xml,json”);

http://wiki.coldbox.org/wiki/WhatsNew:3.0.0.cfm

I added these settings to my routes.cfm page like so:

//TODO: Reset route auto-reloading to false in production
setAutoReload(true);

// auto detect extensions, you don’t have to do this as the default is true.
setExtensionDetection(true);

// Set xml and json as the only valid extensions for routing.
setValidExtensions("xml,json");

If CB encounters an invalid extension what should happen? Is a 403 returned?

I was able to add .foo to a REST formatted URL and the request still got down to my handler.

Thanks.

Nolan

Hi Nolan,

If an invalid extension is detected the SES interceptor ignores it for parsing purposes and does not set up the rc.format variable for you.

I am not sure if an exception would be appropriate for this. Thoughts?

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

Hi Luis,

My personal opinion would be that if an invalid format was encountered, a custom exception, 403, or 404 could be fired. As it relates to the REST-based system I’m building, if a user tried to access an endpoint with a particular extension/format that was not trusted I would want to “gracefully” inform the user that the resource does not exist. 403 would allow an unauthorized message back to the user since the extension is invalid, or alternatively the extension doesn’t exist so 404 is also suitable.

When I came across the setValidExtensions() method I had actually just written some logic in my Main.onRequest to trap an invalid extension and throw an error. If I wanted to throw a 403 manually, how would this be done? Using event.renderData()?

The code that I was writing into Main.onRequestStart was simply:

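// Accept only an exact "json" or "xml" format; the trailing $ keeps values such as "jsonp" from matching
if( NOT reFindNoCase("^(json|xml)$", event.getValue("format","")) ){
    rc.return.messages = "Invalid format detected or not passed: #event.getValue('format','')#";
    rc.format = "xml";

    //throw 403 or 404
}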

Thanks.

N

I think adding a 403 exception with “invalid extension detected” might be the course of action here. It is pretty standard for other APIs to do this.

The only problem with this might be false positives as any URL that ends with “.” something is evaluated.

Does this make sense?

Luis F. Majano

Hi Luis,

I agree, 403 makes the most sense. I’m not sure I follow on the false positives. I would assume that if an extension is appended to the URL this means the requester is asking for a particular route/end point to be returned as a certain format, thus you would want the extension to be validated against the valid list. I would also assume that some logic may need to be added so this doesn’t execute against index.cfm?

Thanks.

Nolan
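
The allow-list check discussed in this thread, as an added example that is not part of the original posts and not ColdBox code: `checkRouteExtension()`, its `passThrough` argument and the sample paths are assumptions made for illustration. It rejects an extension outside the valid list with a 403, lets `index.cfm` through, and includes the false-positive case of a dot inside a resource id.

```cfml
<cfscript>
// Added example: checkRouteExtension() is a hypothetical helper, not a ColdBox API.
// Returns { status, format }: 200 with the format to use, or 403 for a rejected extension.
function checkRouteExtension( required string pathInfo, required string validExtensions, string passThrough = "cfm" ){
	var result  = { status = 200, format = "" };
	// Only the last path segment can carry a format extension.
	var segment = listLast( arguments.pathInfo, "/" );
	var ext     = "";

	// No dot in the segment, or nothing after the dot: nothing to validate.
	if( NOT find( ".", segment ) OR right( segment, 1 ) EQ "." ){
		return result;
	}
	ext = listLast( segment, "." );

	// Template requests such as index.cfm are not format requests (assumed pass-through list).
	if( listFindNoCase( arguments.passThrough, ext ) ){
		return result;
	}
	// Exact, case-insensitive list match: "jsonp" is not accepted just because it starts with "json".
	if( listFindNoCase( arguments.validExtensions, ext ) ){
		result.format = lCase( ext );
		return result;
	}
	// Anything else is rejected; the raw extension is not echoed back to the client.
	result.status = 403;
	return result;
}

// Constructed sample paths, not taken from the thread. The last one is a resource id
// that contains a dot, the false-positive case a strict check has to account for.
samples = [ "/api/users/1.json", "/api/users/1.XML", "/api/users/1.foo", "/api/users/1.jsonp",
            "/api/users/1", "/index.cfm", "/api/users/john.smith" ];
for( i = 1; i LTE arrayLen( samples ); i++ ){
	r = checkRouteExtension( samples[ i ], "xml,json" );
	writeOutput( samples[ i ] & " -> " & r.status & " " & r.format & "<br>" );
}
</cfscript>
```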