ncats-gamma / robokache Goto Github PK

Just make sure that the data folder exists and the database in initialized properly.

Visibility flag is confusing, especially for anyone consuming this API. There are a couple of options for replacing this. The simplest one would be using two boolean flags, one for public and one for shareable.

I can delete documents via the UI and they get removed from the DB. But then I check my local robokache-data folder and it looks like none of the documents actually get deleted.

Add ability to get all documents that have no parent.

Right now the API has unnatural routes for modifying question and answers. The goal for refactoring is to make the API more REST oriented and consistent.

Add an optional JSON metadata field. This field should accept an arbitrary dictionary of objects. This field will be useful for fields that are specific to document types that we don't want to manage within Robokache.

When updating a document with an invalid parent, make sure that the error message says that it could be because the parent is not owned by you.

Queries in the get.go are built using Sprintf. This allows a SQL Injection attack using a string like the following for the owner variable:

'DROP TABLE questions;'

Fix is to replace Sprintf with db.Prepare which accepts placeholders and fills them safely.

When calling:

PUT /api/:id/data
then
GET /api/:id/data

in quick succession, the data is not available. Likely cause is that the Go server is multithreaded by default, so the GET request is processed before the PUT finishes writing the file. We will need to write a test to confirm, and then fix probably with an RWMutex.

The published docker image (used for deployment) should be set to use the Gin production mode (without debug logging).

Visibility right now is exposed as an integer, but the integer does not have any meaning. What we should do is replace that with a string representation in the API.

It might be helpful to add --name robokache to the Readme instructions when running docker. Otherwise docker will assign a random name to the container, like agitated_visvesvaraya.

/api/document/foo/children behaves differently when foo does not exist than when foo exists but you are not authorized to access it. We want 404s in both cases.

Instead of returning owner, just return something like "yours/not yours".

Shareable and public documents should not need to be signed in to view. This affects the following endpoints:

• GET /api/document
• GET /api/document/:id
• GET /api/document/:id/children
• GET /api/document/:id/data

Add a shorthand route that allows creating a document and setting the data at once.

Right now the endpoint only returns public documents.

Currently the /api/document route returns both public and owned documents. The only way to differentiate between these is the "owned" flag, which is inconvenient for consumers. One solution for this would be to split the route into personal documents (/api/myDocuments/) and public documents (/api/publicDocuments).

Add automatically updated timestamps to documents for created and updated.

If you try to PUT or DELETE a public document that you don't own, we should return a 403

Right now the DB is cleared every time the app starts up. New idea is to create a shell script that clears the DB for testing and then to simply initialize the database if it doesn't exist at startup.