--
You received this message because you are subscribed to the Google Groups "Taffy Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to taffy-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi Tom,I'm curious exactly why you want to put your Taffy Application.cfc into the webroot. If your Resource URIs end up being something like /api/v1/foo then why not just put Application.cfc into the /api/v1/ folder and make your Resource URIs /foo (which are relative to Application.cfc, so still functionally /api/v1/foo)?
At this time there are no plans to work on the unhandled paths exclusions engine... but that doesn't mean pull requests around it will be shunned. Your idea of adding more logic to isUnhandledPathRequest sounds reasonable, just be sure not to break any existing functionality by running the unit tests before and after you make your changes!
--
good chance there's a better way (e.g. more scalable, more stateless) to accomplish what you want to do with your sessions. If you want to share what the exact goal is for using sessions in your API, we can discuss that further. :)
both applications need to be capable of setting up everything that belongs in application scope (or at least smart enough to setup everything that it needs for itself even if the application was previously started in the "other" application in a prior request)...
On Thursday, June 25, 2015 at 4:28:55 PM UTC+1, Adam Tuttle wrotegood chance there's a better way (e.g. more scalable, more stateless) to accomplish what you want to do with your sessions. If you want to share what the exact goal is for using sessions in your API, we can discuss that further. :)
Always happy to hear what others think, and I totally get that you aren't meant to use sessions in APIs
It's related to why I asked about HMAC-type signed requests.
Think of the app as a per-user address book, so when the API receives a "GET /api/addressbook" it needs to know the logged in user. If session's are shared, then the resource can lookup session.userId and pass that into the manager for the query.
I'd considered instead, that wasn't as much work as full API-request signing, having the /api/ folder protected with HTTP Basic (it is over SSL). But we can't have the client send the username (anyone could impersonate anyone else then). So it ends up being as complex as signed requests.Unless there is an easy way to store the entered password from the login screen that doesn't leave it in plain text in the client ? Note sure there is...
We could also have the client call a 'login' api to get a token that it must present as part of all future requests, but that's a bunch of work to store, expire etc as well.
both applications need to be capable of setting up everything that belongs in application scope (or at least smart enough to setup everything that it needs for itself even if the application was previously started in the "other" application in a prior request)...
This is exactly the problem I'm avoiding by sticking both the api and webroot under a single Application.cfc :-)