Deprecate legacy REST API endpoints with Sunset headers and 410 Gone responses#1554
Deprecate legacy REST API endpoints with Sunset headers and 410 Gone responses#1554jrhoads wants to merge 9 commits into
Conversation
|
The idea of sun setting and disabling are not the same, which I feel like the description tries to say but the code seems to only do the sunset when its all disabled, just with the error message changing if a replacement URL is given. I like the sunset header (new one for me) but this should be active now before we disable the routes, as reading the RFC it's meant to give time for people to transition to the correct routes. In addition when we're ready to actually disable the route, I probably would do this at the load balancer and just return either a redirect or the 410 (a custom json can be included if desired). This would prevent it hitting the application, so reduces load. So maybe this PR could just be to enable sunsetting? which might be as simple as just adding a sunset concern which adds the header to the suggested replacement and I'd have this active all the time, we just include it on endpoints we wish. |
@richardhallett You are correct, that was not how the SUNSET header was intended. I've updated the PR in a couple of key ways. It has an explicit date for to sunset and adds the sunset header any time before that date. After that date the path will respond with a 410 gone response. I agree that the Load balancer is the correct place for this behavior ultimately in order to have less load on the application. I'd like to propose a YES-AND approach here where the application will handle it up-to and until we go ahead and have the load balancer take over. After that time we can remove the controller logic all together. I've also updated the PR description and title to reflect this new approach. |
|
I'm going to go ahead and close this. I've implemented the change at the load balancer level. And July 1 is tomorrow. There's not a reason to use the sunset header now. Perhaps in the future we could use it, but it's a bit later now. |
Purpose
Introduce a deprecation mechanism for legacy REST API endpoints (
/data-centers,/members, and/works) by communicating their upcoming sunset date via standard HTTP headers and, after the sunset date, returning410 Goneresponses.Approach
A reusable
LegacyRestDeprecationcontroller concern was created and included in the three legacy controllers. It allows each controller to declare a sunset date, a documentation link, and a replacement endpoint. Before the sunset date, responses includeSunsetandLinkheaders per RFC 8594. After the sunset date,GETrequests toindexandshowactions are rejected with410 Gone.RecordNotFounderrors are still rendered as404 Not Foundbut also include the deprecation headers.Key Modifications
app/controllers/concerns/legacy_rest_deprecation.rbwith configurable class methods, before/after action hooks, and custom error rendering.DataCentersController(replacement:/clients)MembersController(replacement:/providers)WorksController(replacement:/dois)Time.utc(2026, 7, 1).spec/requests/data_centers_spec.rb,spec/requests/members_spec.rb, andspec/requests/works_spec.rbto assert header behavior before sunset and410behavior after sunset.expect_legacy_sunset_headersandexpect_no_legacy_sunset_headerhelpers tospec/support/request_helper.rb.crassfrom1.0.6to1.0.7inGemfile.lock.Important Technical Details
indexandshowactions.Sunsetheader value is generated with.httpdateto conform to HTTP-date formatting.Linkheader usesrel="sunset"pointing to the configured documentation URL."status": "410"and, when a replacement path is configured, adetailmessage suggesting the replacement endpoint.legacy_render_not_foundoverrides the defaultRecordNotFoundhandler so that 404s on legacy endpoints still communicate deprecation information before sunset./clients,/providers,/dois) are unaffected.Types of changes
Reviewer, please remember our guidelines: