If I were to extract the current errors handling to an interface and allow it to be replaced, would that be something that might be pulled? Or would I be wasting my time?

If the return type of a Marshaled handler interface implements the io.Reader interface the stream will be written directly to the requestor. A 'Content-Type' header is required to be specified in the response headers and the 'Accept' header for these particular requests can be anything.

Additionally, if the return type of the Marshaled handler implements the io.Closer interface the stream will be automatically closed after it is flushed to the requestor.

@wadey

The cipher suites in go-tigertonic all rely on RC4 which has many suspicions around it (its biases are a little funny and there are strong rumors of breaks from certain Government Bodies). While RC4 is a fine fallback for TLS 1.0 (due to BEAST), later versions of TLS are better off using CBC modes. Also, Go's crypto/tls already mitigates the BEAST attack.

The default list of cipher suites in crypto/tls is very solid and was chosen carefully.

If you wish to lock the cipher suite list down further, a more scalable way to do this would be to require TLS 1.2 as the minimum TLS version and continue to use the default cipher suite list. (TLS 1.2 and 1.1 fix the BEAST attack by changing how CBC is performed as one useful, if mooted, example). Using the defaults and setting the minimum version will net you the Langley-Approved cipher suites with few backwards compatibility problems.

Of course, perhaps I've mis-guessed why those were selected.

@mihasya's favorite thing about Dropwizard is the way configuration classes are declared and instantiated from YAML files. The flags package notwithstanding, Tiger Tonic should really have the same.

It'd be nice to have a HealthCheck registry, and some sort of "healthy" or "unhealthy" output with a Handler that can be linked up...

This is an attempt to introduce CORS (http://www.w3.org/TR/cors/#access-control-allow-origin-response-header https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS) headers into tigertonic. (#28)

Since CORS responses to OPTIONS requests are somewhat orthogonal to the actual handling of the request, I've decided to try and put the logic in a separate little wrapper in cors.go. I am now realizing that SOME of the headers need to be returned for non-OPTIONS requests as well (looks like just the Origin one, but who knows, this shit is super inconsistent), so I'll probably need to hook in at one other place and type-check for CORSHandler.

I need to access the remote address in a marshaled function, and for this I need access to the http.Request object. Currently there's no obvious way to do that. Am I missing something? Will be happy for any guidance if there is an easy way to do so. Otherwise, please add this option. Will be happy to do that myself and pull request if you'll guide me first.

I'm using the go1.3 branch because I need the graceful shutdown part. go1.3 is out now and the currently recommended go version. Would you consider merging the 1.3 shutdown work into the master branch now?

Adds tigertonic.StatusCodeCounted which increments counters for 1xx, 2xx etc responses.

I've tested this briefly in our lab environment and it appears to be working correctly.

@wadey says:

main thing I miss is a way to build up state as the request passes along the filters, not sure what the best way to model that is though i dont like how some frameworks just make a grabbag map on the request object but I feel like there is something we could do, maybe a domain specific request object you can create I want to noodle on that, thats the main thing I feel like tigertonic is missing

It's pretty dissatisfying to have to call a GetUser(request) function in every single http.Handler that needs a *User, for example.

Method values may give us something but we've used those so far to provide global, not per-request, context.

After testing with go1.2, I found that my tigertonic applications don't compile with the following error:

myfile.go:20: implicit assignment of unexported field 'error' in tigertonic.NotFound literal

The code I am doing on this line is basically:

err := &tigertonic.NotFound{fmt.Errorf("My error message")}

Looks like go1.2 is preventing assignment to embedded "error" fields if you aren't in the same package. This seems like a pretty unfortunate change, we might need to make a helper method to construct these wrapper errors.

The HTTP response returns unsanitized value from Accept header. This may allow the attacker to conduct cross-site scripting attack. Technically, the likelihood of exploiting this is very low. It requires the victim to use Internet Explorer with MIME sniffing feature enabled, on top of that, setting the these headers to the victim's request is not really possible from my knowledge. However, I believe it is worth sanitize user input here.

GET /xxx HTTP/1.1
Accept: xxx_<script>alert(/XSS/)</script>_yyy
Host: example.com
Connection: close

HTTP/1.1 406 Not Acceptable
Content-Type: text/plain
...

tigertonic.MarshalerError: Accept header "xxx_<script>alert(/XSS/)</script>_yyy" does not allow "application/json"

The underlying code is as follows: https://github.com/rcrowley/go-tigertonic/blob/master/marshaler.go

	if !isReader && !acceptJSON(r) {
		ResponseErrorWriter.WritePlaintextError(w, NewHTTPEquivError(NewMarshalerError(
			"Accept header %q does not allow \"application/json\"",
			r.Header.Get("Accept"),
		), http.StatusNotAcceptable))
		return
	}

Given a tigertonic based server that serves both REST and web socket endpoints. And the server uses a logged HTTP handler (e.g. tigertonic.ApacheLogged()).

When accessing a web socket API the request will fail complaining that apacheLoggerResponseWriter is not hijack-able (i.e. does not implement http.Hijacker).

The logged HTTP handlers should use response writers that are fully transparent. The logged response writer should support hijacking if the underlying response writer does.

A simple fix would be to add method Hijack to the logged response writers. However, this does not feel 100% right.

I'm handling a couple of URLs:

mux.Handle("GET", "/api/{organization}/groups", ...)
mux.Handle("GET", "/api/{organization}/groups/{group}/hosts", ...)

Given this set of handlers: GET @ /api/12345/foo - Returns 404, as I'd expect ...but... GET @ /api/12345/groups/ - Returns 405. GET @ /api/12345/groups/foo - Also returns 405.

Both 405 responses come back claiming:

{
    "description": "only OPTIONS are allowed",
    "error": "tigertonic.MethodNotAllowed"
}

There seems to be some weird behavior if it's trying to match URLs and the last segment of the requested URL matches a parameter portion of any other URL, even if there's no way the URL could match, as in /api/12345/groups/foo. It also doesn't seem to be checking for empty parameter values in cases like this, causing /api/12345/groups to work as expected but /api/12345/groups/ to fail with 405.

Also, if I add another handler:

mux.Handle("GET", "/api/{organization}/groups/{group}", ...)

...then requests to /api/12345/groups/ do get routed to this new handler, but it gets an empty "group" value.

This is a non issue really, I'm just curious! What's the design reason for spitting out the 'kind' of error? I don't get the benefit of return it to the end user (and exposing internals).

{
  "description": "Invalid id given",
  "error": "validator.Errors"
}

vs

{
  "error": "Invalid id given"
}

The HTTP spec is ambiguous in determining if a request could have no body when the method is POST, PUT, or PATCH. Some popular HTTP server, like nginx, adopt the policy that a request of the aforementioned methods with no body is allowed if and only if it has the header Content-Length set to 0.

It makes sense not to try to marshal the body when Content-Length has that value.

I understand that an empty body is not the same as no body, and this is why I said the spec is ambiguous. Even though a request of such methods with no body might be unRESTful it is useful for implementing "actions".

Would you consider merging this?

Regards, Alfonso.