What do you guys think about backend developers who design&implement POST requests with URL parameters? Is this even legal? 🙄

🤦‍♂️

I mean, there are legitimate use cases, even if it’s very rare.

This rant is too generic for me to figure out if its a legit rant or trolling.
Like what are we talking here? Using all query params instead of a post body? or do you just hate all URL params? Including path params?

Sure It's legal, It's valid HTTPs...

Also the body of a Post is for data. But if you want to specify a resource that's where url params and query params come in...

POST body should for the most part include things that are actually gonna be saved or used for creating a resource.

URL params should specify *which* resource you're using

Query params should further specify the scope of the resource if needed!

This is a made up nonsense example, but say you have a system like DevRant, and as an admin you want to post a comment on all rants tagged with "javascript" for the user "jerry". The Request might look like this then:

POST /user/jerry/rants?tag=javascript

Body:
{"text":"Stop pls..."}

I can't think of an actually useful example right now, but you can see the separation of concerns. It's cleaner than posting a body that has to be parsed into several objects and fields just to filtered and processed.

Kinda as if your post envelope had the address and stamp on the inside

What @Hazarth said, if you do it correctly, I don't see anything wrong with it.

@Hazarth mmh.
I kinda assumed that a post request expecting all params to be in query.

Too used to it. I usually just use jq or other to serialize the form in those cases.

It's slightly annoying with like forms containing personal data, like names or worse.. credit cards..

I usually just shrug and go " I just work here " in those cases.

@Hazarth fair enough. I totally get your point of view, but the API I'm supposed to work with requires me to send 30+ params as query string params (including stringifying an array because why not?) while the request body has to be empty. Do you feel my pain?

In the WordPress API, you sometimes have to authenticate through the query instead of the headers because the plugins erase the headers. But WordPress sucks and query authentication sucks too.

It's very legal and very cool.

Bad practice IMHO. I can't see a good use case for it personally.

POST request is for sensitive or long data, if there is some other kind of data which isn't either of above and is related to request metadata, then, it's good to put it as query parameter.

@kyokid
Oh god no... That's much worse than I thought and honestly breaks all the rules I tried to describe...

Yeah, that's not right :(

Link the http reference sheet to the backend devs, they don't know what they are doing

Yeah about that... Fuck em

@kyokid Thats all kinds of awful, and will almost certainly run into url character limit related issues at some point.