I have some questions/issues concerning the safe launcher API below. These are too small for an RFC, and possibly too opinionated to be considered bugs.
- Can we remove encryption (and thereby base64 encoding on the whole body…still fine in JSON fields)? It serves little purpose for localhost-to-localhost and is not consistent (we encode query params but not paths, we encode the body sometimes, etc). If there is need, we can do X509 certs using TLS to auth/communicate w/ teh safe launcher (though I question whether it’s needed)
- Cannot retrieve public NFS files uploaded with demo app in another app (uses app key). What is the reason for this considering I can get them via the DNS API (but I can’t get sub directory listings there)? Is this related to “safe drive access”?
- Please add logging on errors (and maybe even access logs)…I know it’s a bit of a hassle when also handling things like rotation, but it’s worth it
- Please follow HTTP conventions on:
- Content-Disposition instead of “file-name” and “file-created-time”
- Content-Length instead of “file-size”
- Last-Modified instead of “file-modified-time”
- 404 when a file is not found
- 4xx when the error is my fault instead of 500
- Currently 500’ing when I use my JWT on things that don’t need it
- Consider having the NFS API accept a path at the end like the DNS API does instead of encoding the path (e.g. with slashes encoded) and having a boolean at the end. If you need to separate “shared” and not shared, I say that’s two separate path prefixes not a boolean’d-string suffix
- Isn’t a NACL nonce meant to change per message?
- Be more clear about the error format. Sometimes it encrypts, sometimes not
- “file-metadata” header is “undefined” instead of properly empty
- Do y’all have a responsible disclosure policy on security bugs?
- If y’all had to guess, how much time would I be wasting coding against the current API (meaning, how much do y’all think it will change)?
- If the maidsafe dev team had to suggest to a dev which entrypoint to use to build his app, would they say launcher API, FFI lib, or direct to Rust libs?
I came across these things (and more) when toying w/ my API client at https://github.com/cretz/go-safeclient/ and I am unsure whether it’s worth the effort of codifying all the quirks (e.g. checking for a specific error code from the JSON that comes from the FFI just to check not found) or if I am just coding against this prematurely and should just stop and wait.