Talk:HTTP API

From PostgreSQL wiki

Jump to: navigation, search

Hi!

Happy to see someone already working on a prototype, with coffeescript of all my favorite languages :)

I once started work on one like this myself, with the same approach of exposing as much as possible of the database over HTTP with a totally generic mediator application. However, I soon realized that this approach was simply too prone to leaks. You'd have to painstakingly define the access rules for each role to avoid security risks. Most people would just skip that, leading to some just downloading whole sites full of others' identities and whatnot.

A safer alternative approach would be to direct all HTTPS traffic after authentication to a broker database procedure that could use URI path or other request info to choose another database procedure to handle the request. Solely for security and information integrity reasons you'd still be forced to program an application layer, but it'd reside inside the database, very close to the data and the schema - where someone might clame it belongs. You could implement the whole "see all schemas and data" approach there as well, but perhaps more naturally adapt it to protect sensitive information.

The HTTPS server could be provided as an extension of PostgreSQL itself. That in turn would complete it as an application platform offering a way to produce a GUI straight out of it, with full traditional application style programmatic control of access and representation.

It'd probably be a challenge in that approach that each HTTPS TCP connection would be easiest to implement as a full user session, forking a process for that session, that would then be closed soon as the HTTPS TCP connection closed, possibly causing many inadvertent rollbacks, unless the caller (probably typically a Javascript web page application) was prepared for that.

As a sidenote, in my mind this somehow relates also to the PostgreSQL HTTP client

It would be great to have PostgreSQL as such a very easily communicating service platform in the HTTP world.

Cheers, --Korpiq 19:21, 28 September 2012 (UTC)

Personal tools