Mint vs Finch vs Gun vs Tesla vs HTTPoison etc

Exadra37 · March 31, 2021, 11:04pm

Are you planning to share it?

Yes, at least for the default :httpc backend.

github.com/elixir-tesla/tesla

Secure by default

opened 08:53AM - 20 Apr 19 UTC

Exadra37

idea

# The Motivation Since my earlier days as developer I always have been astoni…shed with the mindset of our industry of being insecure by default, where normally security is opt-in, instead of opt-out, and this mindset is one of the main culprits for so many data-breaches that occur every week/month/year. So the current mindset is to release software with all the doors and windows of your home open, while your are away, and then hope that the developers using it will learn how to properly close all that doors and windows, and then also hope that when they learn how to properly do it, that they don't forget one open. Just to put things in perspective, try to use [shodan.io](https://www.shodan.io/search?query=mongodb) to see how software ends up in production without being properly secured, due to the current mindset of our industry of preferring convenience over security. This all started in [this tweet](https://twitter.com/Exadra37/status/1118874708064256001) and I was asked in [this other tweet](https://twitter.com/iteamon/status/1119254174326300673) to open this issue. # The Context So this have been brought up before by @lau in the issue #235 and by @rawkode in issue #138. By @lau > The default adapter is httpc, which does not check certificates when using HTTPS. This seems like an unsafe default. Many people will probably use the default and use it to communicate with APIs. Perhaps with sensitive data. I cannot agree more with this, but the issue on the time was solved with only a note in the README. Alerts, notes in the README or any other docs will be missed, ignored or forgotten, by beginners, juniors and senior developers, because human beings tend to prefer convenience above anything else., but convenience should not be put in front of Security. # The Proposal @teamon says on [this comment](https://github.com/teamon/tesla/issues/138#issuecomment-350702593): > The point of Tesla is not to get rid of hackney, nor any other http adapter. The point is to let the end use choose the adapter that suits best or write a custom one if needed. So in the README we have: > Configure default adapter in config/config.exs (optional). But instead we should have: > Configure default adapter in config/config.exs (**REQUIRED**). And we could then have a list of possible secure by default adapters. This change would leave Tesla agnostic of an adapter as per the goal of @teamon, but would not leave Tesla insecure by default... The developer would be required to explicitly opt-in for the adapter to use. So this means that if the Tesla was to be used without configuring the adapter, an exception should be raised with a very clear message. Once this is a breaking change a major version would be needed. > **PS:** I appeal to all developers to always embrace **Secure By Default** aproach when building software.

I have open it in 2019, but still not solved, and I even got downvoted because of a recent comment I made.

keathley · April 1, 2021, 4:19am

If you’re going to question how people spend their free time, you should at least offer to mow their lawn. I mean, it’s not surprising you’re getting downvoted. They’ve offered you code and insight into how they approach a problem - something that is much more valuable than the actual code btw. In return, you offered them an opinion on said code. When they didn’t respond to your opinion in the way you wanted, you criticized them. You’re being downvoted because you presumed that your opinion was worth more than that maintainers time. If you don’t like Tesla it’s really simple: don’t use Tesla. Or fork it and change it to your liking. But don’t assume that because you use a thing it gives you any right to tell people what they do with their projects or their time.

connorlay · April 1, 2021, 5:57am

I recently used Finch for a small project wrapping the Hue API. So far I am very happy with the results!

I’ve used HTTPoison, a wrapper around Hackney, for a couple years and found myself wishing for something implemented entirely in Elixir. When on-boarding engineers new to the Elixir ecosystem I received feedback that the Erlang-isms of Hackney presented an additional barrier to entry to engineers already busy with learning Elixir itself. I was excited when Mint was announced, but realized it was a bit low-level for most scenarios, hence my interest in Finch.

@keathley Thank you for your work on Finch! I’m curious to see how Req progresses Adding the ability to perform one-line requests like HTTPoison is great for developers new to the ecosystem.

connorlay · April 1, 2021, 6:02am

Interesting! I saw something similar on a Ruby project that surprised us when we moved the project to Alpine Linux images and forgot to install curl before deploying

Did you use the Ports module to handle instrumenting curl itself, or something else?

stefanchrobot · April 2, 2021, 9:19am

I think the best way to pick the HTTP client is to start with the requirements. Here’s what my app needs:

Security,
Testability,
Out-of-the box support for various formats,
Customizability and extensibility,
Retries,
Logging.

You might also want to care about:

Telemetry support,
High performance,
Out-of-the box authentication support (like Basic Auth).

I guess you can get all/most of that features with any client, but Tesla gives you a lot of them for free. This is mostly because it was explicitly designed around the idea of swappable adapters and pluggable middleware.

For example, the testing story is great. You could use the provided mock adapter, but you can do even better than that - Tesla defines a simple behaviour for adapters which works great with Mox: define a mock adapter and plug it into your config/test.exs and you can test all the way down to bare-bones HTTP calls.

Customizing Tesla is really important for my use case: I need to log the requests, but they can contain sensitive data in query strings, so I just copy-pasted the provided logging middleware, tweaked it and plugged it into the client.

I also built an adapter that dumps and loads requests from disk which allowed me to built test fixtures that enabled fast and repeatable unit testing and fearless refactoring.

I’m keeping an eye on @wojtekmach’s req and I hope it will tick all the boxes.

What I’d love to see though is a unified, agreed-upon interface for HTTP requests/responses which would make swapping HTTP clients easier.

Exadra37 · April 2, 2021, 9:29am

No, I never assume that. My observation is about security of the library not about features to be added or improved.

Once more is about security of the library.

Libraries that are not secure will harm developers using them in good faith, A maintainer that doesn’t have time to keep his library secure should step down from maintaining it or retire it.

It’s not about liking or not of Tesla. On the time I open the issue I was not even using any library, because I was not coding in Elixir.

It is about having secure libraries to their end users, and in my opinion backwards compatibility should not take precedence on secure defaults.

Nowadays I have some pet apps and they use Finch. Thanks for your awesome work on it

Exadra37 · April 2, 2021, 9:59am

In the BEAM world we could try to create standards for defining this behaviours, like PHP has with PSR standards, that allow any library implementing the PSR Interface for HTTP to be swapped with another one.

Maybe something in the lines of Erlang Enhancement Proposals(EEP) or done as part of it?

Then any HTTP library could adhere to the EEP beahaviour for HTTP and the community would benefit from a unified interface, and the number of concrete implementations would not be an issue, because we could swap them easily in our code.

ryanwinchester · September 22, 2022, 1:54pm

Sounds like you did it, so why not publish it. Be the change you want to see.

mindreader · September 22, 2022, 2:46pm

It is a bunch of files scattered throughout a proprietary code base, so I can’t really just take them. There is nothing special about it, it is just a wrapper around curl. Anyone could put up an alpha version in a half hour.

outlog · July 26, 2023, 11:54am

tyoc213 · February 11, 2024, 2:32am

Any of this can I use on a nerves project? in particular I need to request a digest auth service but not sure which of this option is the correct one for the job