API design refrence , Empty list response (REST, SOAP, …) type compatibility

Not sure where to go for an authoritive/text book answer for this question.

Suppose a service returns a list of something e.g. Cutsomer, Employee, Fruits,.. what ever.

what should be retruned when the list is empty? I am working with people using SOAP, and they are sure that just a “success” result is enough.

Is there a analogue of LSP in OOP for SOA world? I mean should the there be a type compatibility? for example returning a list object with a single definition with no values for homegnousity.

SQL Database theory used relational calculus for rigour, what is the the analogue for API REST,SOAP or otherwise in terms of type compatibility etc.

PS : this is not about preference, but about the stablished patterns and practices. There must be somethig similar to OOP design patterns for APIs.

Magento 2. Make soap response as array

I’m implementing custom API for Magento 2. My client want the response to be as associative array. Here is my class method:

class Gcapiapi implements GcapiapiInterface {      /**        * Returns greeting message to user        *        * @param string[] $  products        * @return array        */         public function list($  products  = NULL)        {           $  result = array();           $  stockItems = ...           ...           foreach($  stockItems as $  stockItem){              $  itemData = array('product_id' => $  product->getId(), 'sku' => $  productSku, 'qty' => $  stockItem->getQty(), 'is_in_stock' => $  stockItem->getIsInStock());              $  result[] = $  itemData;           }           return $  result;        } } 

Here is interface declaration:

interface GcapiapiInterface {    /**    * Returns greeting message to user    *    * @param string[] $  products    * @return array    */     public function list($  products = NULL);  } 

I’ve added logs and I see that my method list executing. But in response I’m getting 500 error. In exception.log I see the error:

Message: Class “array” does not exist. Please note that namespace must be specified.

I want to get the following response:

array (size=2) 0 =>  array (size=4)   'product_id' => string '3708' (length=4)   'sku' => string 'W3L2221LDCB2' (length=12)   'qty' => string '228.0000' (length=8)   'is_in_stock' => string '1' (length=1) 1 =>  array (size=4)   'product_id' => string '3709' (length=4)   'sku' => string 'W7L1226E5C96' (length=12)   'qty' => string '23.0000' (length=7)   'is_in_stock' => string '1' (length=1) 

Can I get SOAP response as associative array somehow? Thanks,

OpenID Connect Web Message Response Mode and XSS

When using the web message response mode spec with OpenID Connect for silent authentication, what prevents an attacker leveraging an XSS attack from registering a “message” listener and intercepting authorization messages (a code or token, depending on the flow)?

In the spec, going off the Simple Mode, the Main Window creates an “Authorized Window” iframe and sets the source of that iframe to the authorization endpoint. If the user is authenticated, the Authorized Window uses the HTML5 messaging API to post a message to the Main Window. That message contains an authorization code in the code flow, or an id_token (and possibly an access token) in the implicit flow.

If an attacker successfully leverages an XSS attack, is there any way to prevent that attacker from listening to message events and intercepting a code/token?

As an aside, Auth0 support the web message response mode which is what got me thinking about this scenario. It can be used in a single-page application to refresh access tokens without reloading the page. Auth0 and the security community in general recommend against storing access tokens in local storage specifically because of XSS attacks. Does the web message response mode present another XSS attack vector?

  • Auth0’s Silent Auth: https://auth0.com/docs/api-auth/tutorials/silent-authentication
  • Web Response Mode Security benefits: What is the security benefit of using PostMessage instead of a callback URL in OAuth/OIDC?
  • Auth0 on storing tokens: https://auth0.com/docs/security/store-tokens#single-page-apps

remove BOM byte (“” /ufeff””) from response

so im using m2e pro extension on magento 2.3 suddenly the synchronizing stopped from working. thats because that m2e pro uses their own cron job and they sends curl calls to the server, but my server response with BOM byte. script for exemple:


$ ch = curl_init(); curl_setopt_array($ ch, array(

CURLOPT_URL => ‘http://my-sire-ip/index.php/M2ePro/cron/test/’,

CURLOPT_HTTPHEADER => array(‘Host: my-site-name.com’), CURLOPT_RETURNTRANSFER => 1 ));

var_dump(json_encode(curl_exec($ ch))); // return string(8) “”\ufeff””

// “\ufeff” – this is BOM byte it should not be in response.

the response is:

string(8) “”\ufeff””

this is what stopping from their cron to work on my server. how can i remove this BOM byte so it will work properly?

API logging: request, response, or both?

I’m designing a REST API and have reached the topic of logging. I’m going to store my logs in Elasticsearch.

Is it best practice to log both HTTP request and response, with some correlation id to match them in the logs? What are the advantages and challenges of doing it this way, as opposed to only logging requests or responses?

(I have some thoughts on this of my own: suspect it is best practice and see some advantages & challenges, but feel there’s a lack of an expert treatment of this subject online. Hoping this question will result in one.)


I’m NOT asking about whether to store in the logs the contents of every request and response. I’m asking whether to store some basic record for each request and response (e.g. timestamp, URL, IP, response code, some form of user id), or maybe just for requests, or maybe just for responses.

custom “sales_order_item” attribute to API response

I followed this guide to add a custom product attribute to quote and sales order item throughout the order process and this works fine.

My custom attribute is added to the sales_order_item table correctly but will not return in the order api call: /rest/V1/orders/X . The item in the order are present but the custom added attribute seems to be missing.

How do I add this sales_order_item attribute to the API output?

I tried it by adding a “extension_attributes.xml” to my custom module (that included the custom attribute: see earlier mentioned link) but that seems to have no effect:

<?xml version="1.0"?> <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"         xsi:noNamespaceSchemaLocation="urn:magento:framework:Api/etc/extension_attributes.xsd">     <extension_attributes for="Magento\Sales\Api\Data\OrderItemInterface">         <attribute code="deliverycode" type="string" />     </extension_attributes> </config> 

Thanks for the help!