:httpc cheatsheet

:httpc HTTP client is part of Erlang standard library, and as such can be easily used in Elixir code too. One particular advantage of using :httpc is that you can do a lot with it even with a minimal number of external dependencies. I prefer to use :httpc in one-off scripts and in production.

The :httpc reference is available at the Erlang standard library documentation website, here:

httpc — inets v9.3.1

For now, I just wanted to publish an initial version of compilation of my own notes. Later I intent to update this post by adding notes to existing examples, adding references and even more examples. Feel free to modify the contents of the post too!

These examples are self-contained, can be copied to a script.exs file and executed via elixir script.exs command. Enjoy!

Index:

• sending a GET request returning a JSON payload
• sending a POST request with JSON request payload
• sending a POST request with no payload
• downloading a file
• uploading a file
• low-level tracing of HTTP interaction

General notes

• for :httpc to work, :inets app needs to be started beforehand; in case you intend to interact with HTTPS endpoints (which is what you want to do in most cases when making requests on public internet), :ssl app needs to be started as well; all examples bellow start both apps,

• all examples below pass a big-looking “parameter” called http_request_opts - this is how you make sure :httpc performs validation of the server’s TLS certificate; more on why this is necessary is described in “Erlang standard library: inets” page of “Secure Coding and Deployment Hardening Guidelines” by ERLef; without params under ssl key, you are likely to see the following warning on OTP < 26:

  [warning] Description: 'Authenticity is not established by certificate path validation'
       Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
  

• :httpc appears to like char lists a lot; a common mistake I made in the beginning when using :httpc is feeding it with "https://example.com" a string, while it should be a a list of characters, e.g. ~c"https://example.com"

Sending a GET request returning a JSON payload

Example

:inets.start()
:ssl.start()

url = ~s"https://httpbin.org/get"
headers = [{~s"accept", ~s"application/json"}]

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get()
  ]
]

:httpc.request(:get, {url, headers}, http_request_opts, [])

Sending a POST request with JSON request payload

Example

:inets.start()
:ssl.start()

url = ~c"https://httpbin.org/post"
headers = []
content_type = ~c"application/json"
body = :json.encode(%{hello: "world"})

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get()
  ]
]

:httpc.request(:post, {url, headers, content_type, body}, http_request_opts, [])

Sending a POST request with no payload

Example

:inets.start()
:ssl.start()

url = ~s"https://httpbin.org/post"
headers = []
content_type = ~c""
body = ~c""

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get()
  ]
]

:httpc.request(:post, {url, headers, content_type, body}, http_request_opts, [])

Downloading a file

Example

:inets.start()
:ssl.start()

url = ~c"https://www.rfc-editor.org/rfc/pdfrfc/rfc1149.txt.pdf"
headers = []

path_to_file =
  System.tmp_dir!()
  |> Path.join("rfc1149.txt.pdf")
  |> String.to_charlist()

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get(),
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
]

{:ok, :saved_to_file} =
  :httpc.request(:get, {url, headers}, http_request_opts, [stream: path_to_file])

Uploading a file

Example

Mix.install([:multipart])

:inets.start()
:ssl.start()

part = Multipart.Part.file_field("/tmp/rfc1149.txt.pdf", "my_file")

multipart =
  Multipart.new()
  |> Multipart.add_part(part)

content_length =
  multipart
  |> Multipart.content_length()
  |> Integer.to_string()
  |> String.to_charlist()

content_type =
  multipart
  |> Multipart.content_type("multipart/form-data")
  |> String.to_charlist()

url = ~c"https://httpbin.org/anything"
headers = [{~c"Content-Length", content_length}]
payload = Multipart.body_binary(multipart)

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get()
  ]
]

:httpc.request(:post, {url, headers, content_type, payload}, http_request_opts, [])

Notes

• some HTTP clients offer convenient API around sending file payloads; UX varies on the library API design, and sometime can serve as a source of confusion (see this discussion, for instance),

• because design of :httpc appears to make little-to-no assumptions regarding the semantics of request payload, one can fairly say that :httpc simply send bytes. As such, we should be able to “manually” construct any payload, including one to upload a file, and :httpc will just handle it,

• multipart package, originally mentioned by its author @engineeringdept here focuses on just putting together a bunch of bytes that look like a correct “HTTP payload containing a file upload”,

Low-level tracing of HTTP interaction

Example

:inets.start()
:ssl.start()

url = ~c"https://httpbin.org/get"
headers = []

http_request_opts = [
  ssl: [
    cacerts: :public_key.cacerts_get()
  ]
]

:httpc.set_options([verbose: :debug])
:httpc.request(:get, {url, headers}, http_request_opts, [])

Notes

• :debug option value will easily generate several megabytes of information, while :trace value can potentially generate several tens of megabytes, so use it with care.

Nit:

There is no need to set the “Content-Type” header in a request that does not include a body. If you want to indicate to the server that you are ready to accept a JSON response body, us the “Accept” header instead:

headers = [{'accept', 'application/json'}]

Just appreciation response. I just started exploring escript yesterday and was trying out elixir clients and they kept failing on castore and then moved to httpc. Though it worked but it kept showing following warning

[warning] Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

There is actually no working solution when you search online but your post has the the solution I needed and now its works like a charm without any warning.

Thanks and gotta love the elixir/erlang/beam community

Thanks, this is really great! Instant browser bookmark from me.

There is actually no working solution when you search online

There is a solution online, though it might not be immediately found if you’re searching for Elixir, and not Erlang: Erlang standard library: ssl | EEF Security WG. In the page body you’ll find

%% Erlang (OTP 25 or later)
ssl:connect("example.net", 443, [
    {verify, verify_peer},
    {cacerts, public_key:cacerts_get()},
    {depth, 3},
    {customize_hostname_check, [
        {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
    ]}
]).

The Secure Coding and Deployment Hardening Guidelines, by the Erlang Ecosystem Foundation’s Security Working Group, is a great read, btw.

Same here. I’ve been looking for something like this.

Just wanted to say, this helped me out a lot today. Thanks!

For some odd reason whenever I pass this opts (this is for test environment), it threw an error:

     ** (ArgumentError) cannot convert the given list to a string.

     To be converted to a string, a list must either be empty or only
     contain the following elements:

       * strings
       * integers representing Unicode code points
       * a list containing one of these three elements

     Please check the given list or call inspect/1 to get the list representation, got:
    .....

So this http_request_opts, which is a list, is converted to string? If I’m not passing that opts (just empty list) it ran just fine.

@soyjeansoy no idea, off the top of my head

Could you show more of the code you have, preferably isolated to an elixir script (e.g. ending with .exs) where I could reproduce the problem? Also, which version of Elixir and Erlang are you using?

All examples have been updated and now target Elixir 1.17 and Erlang 27

Hello,

Do erlang have a library that can be used with :httpc to support request signing using RSA keys in line with OAUTH specs , in addition to request/response encryption and decryption.
A sample of what I am trying to do is available below but using other languages: GitHub - Mastercard/mastercard-api-client-tutorial: Generating and Configuring a Mastercard API Client
Thanks in advance

@gmile this is a test file for posting page views in analytics (using exvcr):

• Phx v1.7.12
• Bandit v1.2
• Exvcr v0.15
• osx sonoma
• Elixir 1.16.2 (asdf)

defmodule MyAppWeb.AnalyticsTest do
  use ExUnit.Case, async: true
  use ExVCR.Mock, adapter: ExVCR.Adapter.Httpc

  setup_all do
    :inets.start()
    # :ssl.start()
    :ok
  end

  test "increment pageviews to analytics" do
    use_cassette "post data to analytics" do
      uri =
        %URI{
          scheme: "https",
          host: "analytics.domain.com",
          path: "/api/event"
        }

      payload =
        %{
          domain: "analytics.local",
          name: "analytics",
          url: "http://127.0.0.1:4000"
        }

      http_opts = [
        # ssl: [
        #   versions: [~c"tlsv1.2"],
        #   verify: :verify_none,
        #   cacerts: :public_key.cacerts_get(),
        #   customize_hostname_check: [
        #     match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        #   ]
        # ],
        # timeout: 3_600,
        # connect_timeout: 3_600
      ]

      request = {
        URI.to_string(uri),
        [{~c"X-Forwarded-For", ~c"127.0.0.1"}],
        ~c"application/json",
        Jason.encode!(payload)
      }

      {:ok, result} = :httpc.request(:post, request, http_opts, [])
      {{_http_version, status_code, _reason_phrase}, _headers, body} = result
      code = Plug.Conn.Status.code(:accepted)
      assert status_code == code
    end
  end
end

There’s GitHub - lexmag/oauther: OAuth 1.0 for Elixir, though the library appears quite dated I won’t be surprised it it’s still works - I doubt the standard has changed significantly in the past years Perhaps something else exists these days too, I am not sure.

Also, a shallow search on GitHub reveals various projects implement signing of request body themselves Code search results · GitHub

Are you by any chance getting an error that looks like this too?

CleanShot 2024-07-16 at 16.45.23@2x1200×292 32.3 KB

The error from screenshot is coming from VCR:

code: {:ok, result} = :httpc.request(:post, request, http_opts, [])
stacktrace:
  (elixir 1.17.0) lib/list.ex:1084: List.to_string/1
  (exvcr 0.15.1) lib/exvcr/adapter/httpc/converter.ex:6: anonymous fn/1 in ExVCR.Adapter.Httpc.Converter.parse_keyword_list/1
  (elixir 1.17.0) lib/enum.ex:1703: Enum."-map/2-lists^map/1-1-"/2
  (exvcr 0.15.1) lib/exvcr/adapter/httpc/converter.ex:64: ExVCR.Adapter.Httpc.Converter.request_to_string/1
  (exvcr 0.15.1) lib/exvcr/adapter/httpc/converter.ex:6: ExVCR.Adapter.Httpc.Converter.convert_to_string/2
  (exvcr 0.15.1) lib/exvcr/handler.ex:235: ExVCR.Handler.get_response_from_server/3
  help-forum.exs:43: (test)

I’d suggest perhaps ExVCR, while serializing a request to cassette file, it stumbles upon writing SSL certificates, which are represented as binaries and cannot be dumped as mere strings. But this is a pure speculation, I am not sure how VCR works.

ExVCR also has this open issue, it contains a somewhat similar error: TLS 1.2 ssl doesn't work for hackney (httpoison) · Issue #105 · parroty/exvcr · GitHub