Ryan McCue 06:16 on May 12, 2014
Tags: meta, metadata

Handling Post Meta

One of the longest standing feature requests for the API is to add support for modifying post meta. While at first it may seem like a reasonably simple request, it becomes quite the rabbit hole when you begin digging into the issues surrounding it. Here’s a quick summary of the issues surrounding meta, and how we’re looking at solving it.

The Issues

The biggest issue with post meta is the difference between the data model in WordPress, and the most common usage of meta. In general, the main meta usage is as a key-value store; that is, a one-to-one mapping between a meta key and a meta value. However, the data model in WordPress allows multiple values per key. Handling these in a coherent way is challenging, as we want to handle the most common case easily while also making the multiple value model possible.

The other main issue with meta is serialized data. As anyone who’s used post meta in WP knows, WP will store any type of data (except resources or closures) by serializing the data under the hood. This isn’t usually an issue, as the process is transparent for most uses of post meta. However, this presents a problem when accessing the data via the API, as we cannot expose this data transparently.

JSON has no distinction between associative arrays and objects, as associative arrays only exist in PHP. In addition, JSON cannot pass objects and their types; that is, the representation of stdClass and a custom MyAwesomeObject are the same in JSON. Exposing this data using the default JSON encoding semantics would cause data loss. On the flip side, while exposing the raw serialized string would not cause data loss, this would expose protected and private properties on objects, as well as the internal implementation details including the class. This could expose critical internal data.

In addition to these issues, combining the two can cause further problems. With a naive approach of mapping key-to-value in a JSON object and allowing multiple keys and serialization, we could have a result like:

{
	"my_key": [
		"value1",
		"value2"
	],
}

However, it’s impossible to tell whether this is a key with multiple values, or a key with a single value of a PHP array.

If we treat this as a key with multiple values, updating the values could prove problematic. How do we distinguish between adding elements, updating existing elements, and removing elements? Simply leaving elements out does not necessarily mean we want to remove them, as we may just want to reduce the amount of data being sent over the wire.

Proposals

With these issues considered, there’s a few resolutions we need to implement.

The first resolution is to not handle serialized data at all. That includes displaying it and allowing modification. For all intents and purposes, serialized data will be treated as protected meta. We cannot avoid this, due to the object data loss issue.

We’ve now come up with two proposals on how to handle updates.

First Proposal

The first proposal by Rachel Baker and Taylor Lovett uses the following format for reading the data:

{
	"post_meta": {
		"my_key": [
			"value1"
		],
		"my_other_key": [
			"value1",
			"value2"
		]
	}
}

For updating meta, you can then pass in data thusly:

{
	"post_meta": [
		{
			"key": "my_key",
			"value": "newvalue1",
			"action": "update"
		}
	]
}

For adding meta:

{
	"post_meta": [
		{
			"key": "my_new_key",
			"value": "newvalue1",
			"action": "add"
		}
	]
}

And for deleting:

{
	"post_meta": [
		{
			"key": "my_key",
			"action": "delete"
		}
	]
}

This approach has the advantage of keeping data access fairly simple, and means the most common case of key-value storage is simply post_meta.my_key[0], while multiple values can iterate post_meta.my_key.

However, it has the disadvantage that the input format does not match the output format. This means that you cannot send the post data straight back to the server without causing an error. In addition, it mixes actions into the data itself that is sent to the server. Multiple values are also not handled by this, however this could be corrected by including a previous_value when updating.

Second Proposal

The second proposal by myself builds on Rachel and Taylor’s work, but changes the format slightly. Data looks like the following when reading a post:

{
	"post_meta": [
		{
			"ID": 33,
			"key": "my_key",
			"value": "value1"
		},
		{
			"ID": 34,
			"key": "my_other_key",
			"value": "value1"
		},
		{
			"ID": 35,
			"key": "my_other_key",
			"value": "value2"
		}
	]
}

For updating meta:

{
	"post_meta": [
		{
			"ID": 33,
			"key": "my_key",
			"value": "newvalue1"
		}
	]
}

For adding meta:

{
	"post_meta": [
		{
			"key": "my_new_key",
			"value": "newvalue1"
		}
	]
}

And for deleting meta:

{
	"post_meta": [
		{
			"ID": 33,
			"key": null,
			"value": null
		}
	]
}

This approach has the advantage that the input format matches the output format. Submitting the post data back to itself will have no effect, as the value will already match. In addition, the action to take is implied from the data, rather than specifying it in the data; updating a value requires just updating the value, adding a value requires adding a value without an ID, and deleting a value requires renaming the key to null (that is, specifying an empty value). This format uses the meta ID from the database as the primary key, allowing manipulating multiple values easily.

One of the disadvantages of this approach is that reading data becomes more complicated. Accessing all data for a key now involves filtering the meta values on the client side, rather than a simple lookup. While this is reasonably easy to achieve, it’s not as obvious as a straight access (and also has worse performance characteristics). The updating format is less obvious, as it’s implied from the data format rather than being spelled out explicitly.

Other Approaches

One approach that isn’t considered above is using the first approach’s data for the post itself, and exposing meta in the second form via another endpoint (e.g. /posts/[id]/meta). While this would enable both simple and complicated uses nicely, it also introduces significant fragmentation and duplication. This means developers would need to learn and support two separate methods of achieving the same result, and also work out internally which to use. In practice, clients would end up simply supporting a single approach for consistency. This approach would also violate the Decisions, Not Options mantra of WordPress.

Decisions

We need to make a decision on how we handle meta data. Personally, I’m biased towards the solution I wrote, but it’s not the perfect solution, and we’ll never have a truly perfect situation. Both approaches are a compromise, and we need to decide on which compromise we want to choose.

I’d love to hear thoughts on which approach people would prefer, and anything we may have missed during consideration.

#meta, #metadata

Ryan McCue 14:03 on May 5, 2014

Weekly meeting in 10 hours;…

Weekly meeting in 10 hours; we’ll discuss remaining items for 1.0, the current and future authentication system, and post meta.

Ryan McCue 07:44 on May 5, 2014

Changes Coming in 1.0

We’re getting close to release for 1.0, so a quick heads up on some breaking changes that’ll be shipping with this release:

WP_JSON_Posts::prepare_author() is being removed: Use the new WP_JSON_Users::get_user() instead. (Previously a protected method, so only subclasses need worry.)
Basic authentication is being removed: This will now be available via a plugin if needed. This is mostly of use to developers working locally; live applications should begin using OAuth authentication instead.
Nonces will be required for cookie-based authentication: If you’re using WP API from Javascript, you’ll need to ensure you send the nonce with the request if you need authentication. Requests without nonces will be treated as being logged out, so they’re still fine for most GET requests.
Meta data will only be exposed for requests with the edit context: This is a workaround for the issues discussed with @iandunn previously, until we have more powerful permissions tools in core.

We’ve also got some awesome features shipping with this release:

User endpoints are now available: Thanks to the tireless efforts of tobych, the user endpoints are now active and useful! You can also use /users/me to check who you’re logged in as.
Revision endpoints are now available: Thanks to tlovett1, post revisions are now supported at /posts//revisions!
Post types can now use the show_in_json parameter: If you want to have a public post type, but still want to hide it from the API, you can now specify 'show_in_json' => false in your register_post_type call. This is the main resolution to the privacy issues previously discussed, props @iandunn.
Non-pretty permalinks sites are now supported: No need for weird hacks any more; you can now access the API at http://example.com/?json_route=/ instead. The discovery methods (Link headers and RSD) now also reflect this.

Thanks to everyone involved so far, and thanks to @rachelbaker for helping to manage the project! Thanks also to those who’ve been talking about and promoting the API at WordCamps; the evangelism is much appreciated!

We’re not done with this release yet: there’s also post meta on the radar that should make it into 1.0; you’ll be hearing more about that shortly.

I also know there’s people who’d love to get involved with the project. Your best bet is to take a look at the issues scheduled for 1.1. In particular, we’re looking for help in the following areas:

Javascript and theme developers: We have a JS library currently included with the API, but it’s in danger of not making it into the final version unless we put some serious work into it. Help is needed here; contributions always welcome!
WP-CLI developers: As a reference client for the API, Daniel Bachhuber is planning on working on a WP-CLI client. Help will definitely be wanted in this area, as there’s a lot of the API to use here.
Other developers: Help is always wanted on the API itself, but of special interest is the OAuth server code, which needs more testing. We also need more reference clients. If you can code in any language, we’d love your help creating clients in other languages.
Designers: The OAuth server currently contains a thrown-together UI, which certainly doesn’t match the slickness of WP.com’s UI. We could use help here.

Thanks again!

Ryan McCue 12:34 on April 20, 2014

No meeting this week, due…

No meeting this week, due to Easter holidays, however I’ll be around for office hours on Friday, 0:00 UTC instead.

Ryan McCue 14:13 on April 12, 2014

I’ve published the OAuth server…

I’ve published the OAuth server work so far. This is probably broken, but that’s OK, because at least it’s a start. 🙂

Of particular note is the specification, which I’d appreciate thoughts on. This is intentionally kept as simple as possible, since it’s mostly standard OAuth 1.0a.

I’d especially love feedback on the scopes section of the document. I think this lays out a general set of scopes that cover most use cases, and anything that needs more complicated permissions can fall back to the general * permission. I’m not sure yet whether defaulting to * is the right idea; we may want to default to read instead.

Ryan McCue 12:12 on April 12, 2014

Hi everybody! In case you…

Hi everybody!

In case you missed it, version 0.9 was finally released. Sorry for taking so long on that one, and thanks to everyone who helped with this release (nine contributors!).

OAuth as a Plugin
I’m splitting the OAuth support into a separate plugin. We need to get ready for merge into core, and we can’t be blocked on OAuth support. The current plan is to ship WP API in 4.0, and OAuth in 4.0 if it’s ready or a future release if not. Nonce-based authentication needs to ship in 4.0, so that we can start creating API-powered plugins and themes.

I’m working on extracting this out into something usable at the moment, I’ll update when this is available. I’d also like to approach the possibility of adding permission scopes since it’s now separate, so I’m working on preliminary support for this too.

Meeting Time Change
Seeing as the meeting time is going to change for anyone who’s recently switched from/to DST, I’d like to move the meeting time to a time that works better for me. I’d like to propose Tuesday, 0:00 UTC (01:00 BST, 10:00 AEST, Monday 20:00 EDT, Monday 17:00 PDT). This time is likely a little worse for some of you, but I’ll be able to consistently be available at this time. In future, we’ll start with a meeting and continue with office hours for the remainder of the time, during which I’ll be working exclusively on the API.

On that note, our next meeting will be this Tuesday. I’d like to discuss the OAuth plans, 1.0 and @iandunn‘s CPT privacy issues. Feel free to propose any other items of importance; otherwise, see you all there! 🙂

Ian Dunn 01:37 on March 25, 2014
Tags: 136

Custom Post Types and Privacy Expectations

I’ve been auditing the data that is exposed by default by the API, and I’ve run across several instances where sensitive data is shown to anonymous clients. In each case, this was caused by a plugin creating custom post types with posts and meta fields set to `public` rather than `private`.

I think the potential ramifications for this are pretty huge. For example, I was able to anonymously read contact form submissions from Jetpack, because those use a custom post type. The post type is set to `private`, but the posts themselves are set to `publish`.

I was also able to read threads in private bbPress forums for the same reason, as well as sensitive data stored in post meta fields on various custom post types, because they weren’t marked as private with the `_` prefix (or the `is_protected_meta` filter).

I think the vast majority of plugins using custom post types are flawed in the same way, because up until now there haven’t been any hard consequences for improperly setting the `public` flag on a post type, or for `publishing` posts that have no front-end archive, or failing to set meta fields to private.

I think this begs a lot of questions around privacy and the expectations of site admins and plugin developers, and I wanted to start a discussion around those.

Should the onus for privacy be on the API, on plugin developers, or on site admins? I think the answer to this question will shape how many of the other questions are framed and answered.
Should the API be enabled by default?
Should all “public” data be exposed by default, or should the admin have to whitelist the data they want exposed?
Should `published` posts belonging to a `private` post type be exposed?
Should there be a new flag added to `create_post_type()` to indicate whether or not a post type and it’s associated posts/meta are included in JSON API output?
Some post authors will manually create custom fields on a post to store notes, and they won’t know anything about using the `_` prefix to make it private. How can that situation be handled?
Do new best practices need to be developed around privacy and custom post types, and then spread out to developers? For instance, sending an email to every plugin author in repo who calls `create_post_type()`

#136

Ryan McCue 14:08 on March 5, 2014

Thanks to everyone who’s been…

Thanks to everyone who’s been helping out with 0.9, we’re down to just OAuth (and a smaller issue that needs a patch that does the opposite of the current one). Huge thanks to @ibaku for his work on the testing framework, and @rachelbaker for her help merging and triaging along with everything else.

I’d like to get more eyes and testing on the OAuth code before calling it final though. This has been sitting on my computer for a while, but still needs serious testing and more eyes before we can call it ready. I’d also love to hear thoughts on the approach in general too.

Aiming for 0.9 release this Friday. More posts to come during the week as we reach that, and scope for 1.0.

Ryan McCue 13:11 on February 10, 2014

Hi everyone! Apologies for the…

Hi everyone! Apologies for the long hiatus. Let’s get back into it!

Good news: I have a plan for authentication, and it’s time to start implementing it! Here’s the plan:

OAuth 1.0a: All remote consumers will need to use OAuth 1.0a to access the API.
OAuth Dynamic Registration: New consumers will be able to register via the dynamic registration protocol. The OAUTHWG is in the process of working on this and seems to be making good progress, so it should be ready for a V2 of the API.
Cookie authentication: For local (JS-based) clients, they’ll be able to leverage the existing cookie authentication in conjunction with a CSRF token.

Hopefully, this plan covers all the cases. In an ideal world, we’d be using OAuth 2.0 instead, but alas we can’t. I’m not sure exactly how much of the OAuth dynamic registration protocol we’ll have to adapt to OAuth 1.0, but in any case we’re better off adapting the protocol they’re working on, rather than reinventing from scratch.

The other big ticket item we need to handle is unit testing. @ibaku has made a great start on this, but we need tests to cover the rest of the API. I’d like to end up with >90% coverage eventually, but that’s a long-term plan. For anyone who wants to start contributing patches, this is a great place to start, since you can work in a modular way and learn the API as you go.

I’d like to set the timeline for our next release for next Friday. I think we should be able to get a pull request up for every issue in that time. I’ll start merging the existing pull requests from tomorrow. I could use help triaging the non-triaged issues if anyone has time!

Let’s also start getting into meetings again. Let’s go for next week, Monday 17th at 21:00 UTC (Tuesday 18th at 07:00 AEST, Monday 17th at 16:00 EST, Monday 17th at 13:00 PST). We can discuss the plans for 0.9 and progress towards it.

Boom. Let’s rock it.

Ryan McCue 01:41 on December 15, 2013
Tags: meeting

Also, as always, we’ve got…

Also, as always, we’ve got the meeting this week on Monday 16th at 21:00 UTC (Tuesday 17th at 07:00 AEST, Monday 16th at 16:00 EST, Monday 16th at 13:00 PST).

There’s nothing in particular I’d like to discuss this week, but I’ll be around for a few hours anyway. More than anything else, we just need to focus on getting all the tickets resolved for 0.9 and 1.0. If anyone wants to take a stab at anything, I’m happy to work with you on getting it done.

We’ll be skipping next week’s meeting over the Christmas break, and the meeting afterwards will be on Monday 30th (which hopefully shouldn’t conflict with anyone’s New Years plans).

#meeting