Skip to content

fix(hydra): match Caddy in making docs.jsonld Link header URI relative #7236

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

rvanlaak
Copy link
Contributor

This makes the client responsible of matching the original request's protocol.

Q A
Branch? main for features / current stable version branch for bug fixes
Tickets Relates to api-platform/admin#631
License MIT
Doc PR api-platform/docs#...

The HydraLinkProcessor includes an absolute URI as Link header, but as the Psr\Link\LinkInterface prescribes it is allowed to have a relative URI as well.

…addy and make client responsible of matching the original requeest's protocol
@dunglas
Copy link
Member

dunglas commented Jun 20, 2025

Why not but if the absolute URL is wrongly generated, this means that Symfony is misconfigured (usually, trusted headers aren’t configured properly) and this will cause other issues for users (for instance when sending mails).

This mitigation will just hide the underlying issue, and require a bit more logic client-side, I’m not against it but I’m also not sure it is worth it.

@rvanlaak
Copy link
Contributor Author

rvanlaak commented Jun 20, 2025

Thanks for the analysis!

if the absolute URL is wrongly generated, this means that Symfony is misconfigured

In my situation it seems that for some odd reason solely the documentation url gets generated as http, where the entire application is served over https. The stack route; Browser --(https)--> Cloudflare --> Managed loadbalancer --(http)-> k3s --> service --> pod --> Caddy / frankenphp container.

This PR is solely a change for the documentation / entrypoint URI if I'm correct? So generating an ABS_URL for emails thereby would be another responsibility? If I'm correct, the resource's @id's and also are relative.

An analysis on the codebase learns us that @vocab and iri are the sole other reference that have reference to ABS_URL, but I'm not sure how the PublishMercureUpdatesListener would be able to generate an absolute URL when triggered from a background task. Would it not be wiser to make it a client side concern over there as well?

For resources themselves userland is in control: #[ApiResource(urlGenerationStrategy: UrlGeneratorInterface::ABS_URL)]

@soyuka
Copy link
Member

soyuka commented Jun 20, 2025

I guess there could be a global configuration for this?

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants