I've worked with lots of frameworks in my career and absolutely none of them do this, and because of that, user-controlled input is still the Achilles' heel of web apps.
Bonus, the code that dumps the route map can also dump the parameter templates. This could be used for unit testing.
*routes map
Thanks in advance XD
Erin L Ptáček
@boboTjones
Oh, another argument in favor of parameter validation earlier rather than later -- why do all the work of starting to build the response and then discard all of that work if foo != bar?
Obviously, that's oversimplified. But I've just audited an app that checks the same parameter 4 times while routing a request object through 3 helpers and then punts the request back with a 403. For a small app, that's not a big deal, but for an app handling 100K+ requests per second, intuitively that seems like a waste of resources and cloud billable time.
Erin L Ptáček
@boboTjones
And possibly I will regret this, but I volunteer.
Tim Goddard
@pruby
I don't want to tell anyone else how to build their framework, but I'd second that the above is, in principle, a very good idea. See for example how .NET MVC applications often have a request object and response object from endpoints. My job is security testing, and I can tell you definitively that forcing input to conform to a schema, in that case by safely deserialising it to a well-defined type, takes a significant axe to certain types of security issues.
You could do this, for example, by using a type with some annotations along the lines of "take this from the body, this from parameter X, etc", and populating an instance of that type before the endpoint is even called.
Of course, you can already do that with the JSON body at least.
.NET calls these "Data Transfer Objects".
Erin L Ptáček
@boboTjones
That's why I brought it up. I'm tired of being an input validation janitor.
Mitsutaka Kato
@mikyk10
Hi there, is there any plan to accept/merge PRs to develop? I am willing to fix my PR if there's a problem.
So how is everyone auto-starting the revel application on a webserver? If you reboot or shut down the machine for maintenance you have to remember to revel run every time? Is there a built-in setting I am missing or do I have to create a startup .sh?
I would like to use revel to implement subdomain level routing. But it appears as though I can't create multiple "routers" to handle that (like labstack Echo does). Does anyone know of an example or how to do that?