#3233 Fixed change incorrect GET endpoints to POST

[Patrykb0802]

Updated REST endpoints for state-changing operations and moved auth credentials into JSON body, then aligned frontend callers, security rules, and docs to match the new methods and paths.

• Backend mappings switched to POST/PUT where needed and auth/logout paths simplified in src/org/scada_lts/web/mvc/api/AuthenticationAPI.java, src/org/scada_lts/web/mvc/api/DataSourceAPI.java, src/org/scada_lts/web/mvc/api/ PointValueAPI.java, src/org/scada_lts/web/mvc/api/ReportsAPI.java, src/org/scada_lts/web/mvc/api/SystemSettingsAPI.java, src/org/scada_lts/web/mvc/api/ResourcesAPI.java, src/org/scada_lts/web/mvc/api/ViewHierarchyAPI.java
• Report endpoint method guards updated in WebContent/WEB-INF/spring-security.xml
• Vuex/JSP/Cypress callers updated for new methods and auth body in scadalts-ui/src/store/dataSource/index.js, scadalts-ui/src/store/reports/index.js, scadalts-ui/src/store/systemSettings/index.js, WebContent/WEB-INF/jsp/ systemSettings.jsp, scadalts-ui/cypress/support/commands.js, scadalts-ui/cypress/integration/ScadaLTS_Views/modern_charts.cy.js, WebContent/resources/vue-mixins/shared/mixins-export-import.js
• OpenAPI and migration notes updated in doc/RESTAPI/ScadaLTS_API_OAS3.yaml and doc/RESTAPI/ENDPOINT_MIGRATION.md, plus a small README tweak in scadalts-ui/README.md

Summary by CodeRabbit

• Refactor

  • Standardized API endpoints to use appropriate HTTP methods: state-changing operations now use POST/PUT instead of GET for better REST compliance.
  • Updated authentication endpoint to accept credentials via request body instead of URL path for improved security.

• Documentation

  • Updated API documentation to reflect HTTP method changes and new authentication request schema.

• Tests

  • Updated test suite to align with new authentication and endpoint changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

This pull request systematically converts multiple API endpoints from GET to POST/PUT methods, restructures authentication to accept credentials via request body instead of URL path parameters, and updates corresponding client-side implementations, tests, and API documentation to align with the new HTTP semantics.

Changes

Cohort / File(s)	Summary
Authentication API Restructuring src/org/scada_lts/web/mvc/api/AuthenticationAPI.java, WebContent/WEB-INF/spring-security.xml	Reworked /api/auth/{username}/{password} (GET with path params) to /api/auth (POST with AuthenticationRequest body). Added new AuthenticationRequest class with username and password fields. Updated /api/auth/logout/{username} to /api/auth/logout (POST, derives username from session).
Frontend Authentication Updates scadalts-ui/cypress/support/commands.js, scadalts-ui/cypress/integration/ScadaLTS_Views/modern_charts.cy.js, WebContent/resources/vue-mixins/shared/mixins-export-import.js, scadalts-ui/README.md	Updated test and client code to use POST /api/auth with JSON body {username, password} instead of GET path-based authentication.
Data Operations API HTTP Method Changes src/org/scada_lts/web/mvc/api/DataSourceAPI.java, src/org/scada_lts/web/mvc/api/PointValueAPI.java	Changed /api/datasource/toggle from GET to POST. Changed /api/datasource/datapoints/enable from GET to PUT. Changed point value endpoints (setValue, updateMetaDataPoint variants) from GET to PUT.
System & Report API HTTP Method Changes src/org/scada_lts/web/mvc/api/SystemSettingsAPI.java, src/org/scada_lts/web/mvc/api/ReportsAPI.java, src/org/scada_lts/web/mvc/api/ResourcesAPI.java, src/org/scada_lts/web/mvc/api/ViewHierarchyAPI.java	Updated purge operations and image refresh to POST. Changed report run from GET to POST and report purge prevention from GET to PUT. Changed view hierarchy folder creation from GET to POST.
Frontend Store Updates scadalts-ui/src/store/dataSource/index.js, scadalts-ui/src/store/reports/index.js, scadalts-ui/src/store/systemSettings/index.js	Updated Vuex store actions to dispatch POST/PUT requests with explicit body (data: null) replacing previous GET dispatches.
API Documentation doc/RESTAPI/ScadaLTS_API_OAS3.yaml	Updated OpenAPI spec to reflect HTTP method changes across all modified endpoints. Added AuthenticationRequest schema. Restructured auth endpoints to use request body instead of path parameters.
JSP Template WebContent/WEB-INF/jsp/systemSettings.jsp	Changed AJAX request from GET to POST for /api/resources/imagesRefresh.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 From GET paths came a clearer way,
POST bodies now guide the day,
Credentials safe in JSON dressed,
RESTful semantics pass the test! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 15.38% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '#3233 Fixed change incorrect GET endpoints to POST' clearly describes the main change: converting GET endpoints to POST/PUT methods for state-changing operations, which is the core focus of the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Java Script Mocha Unit Test Results

268 tests  ±0   268 ✅ ±0   3s ⏱️ ±0s
 70 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 3839154. ± Comparison against base commit 4943a13.

♻️ This comment has been updated with latest results.

[Patrykb0802]

@coderabbitai review

[github-actions]

Java JUnit Test Results

3 440 tests  ±0   3 440 ✅ ±0   53s ⏱️ -1s
  134 suites ±0       0 💤 ±0 
  134 files   ±0       0 ❌ ±0 

Results for commit 3839154. ± Comparison against base commit 4943a13.

♻️ This comment has been updated with latest results.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

WebContent/resources/vue-mixins/shared/mixins-export-import.js (2)

14-24: Critical: Hardcoded credentials and localhost URL in client-side code.

This code has multiple serious issues:

1. Security vulnerability: Hardcoded admin/admin credentials in client-side JavaScript are visible to anyone and should never be committed.
2. Hardcoded localhost URL: http://localhost:8080/ScadaBR/api/auth will fail in any non-local environment. Use a relative URL (e.g., /ScadaBR/api/auth) or a configurable base URL.
3. Debug artifacts: Multiple alert() calls should be removed before merging.

Proposed fix

             try {
                 axios({
                     method: 'post',
-                    url: 'http://localhost:8080/ScadaBR/api/auth',
-                    data: {
-                        username: 'admin',
-                        password: 'admin',
-                    },
+                    url: '/ScadaBR/api/auth',
+                    // TODO: Replace with actual user credentials from auth context
+                    data: {
+                        username: this.username,
+                        password: this.password,
+                    },
                 }).then(function (response) {
-                    alert(response.data);
-                    alert(response.status);
-                    alert(response.statusText);
-                    alert(response.headers);
-                    alert(response.config);
+                    console.log('Auth successful:', response.status);
+                }).catch(function (error) {
+                    console.error('Auth failed:', error);
                 });

---

26-28: Ineffective error handling for async operation.

The synchronous try-catch won't catch axios promise rejections. Add .catch() to the promise chain:

Proposed fix

-            try {
                 axios({
                     method: 'post',
                     url: '/ScadaBR/api/auth',
                     data: {
                         username: 'admin',
                         password: 'admin',
                     },
                 }).then(function (response) {
                     // handle success
+                }).catch(function (error) {
+                    console.error('Auth request failed:', error);
                 });
-            } catch( err ) {
-                alert( err );
-            }

doc/RESTAPI/ScadaLTS_API_OAS3.yaml (1)

6-8: Bump API version to 3.0.0 to signal breaking changes per semantic versioning.

The project follows Semantic Versioning Guidelines (as stated in README.md). Since this PR introduces breaking changes (HTTP method changes, credential location changes), the API version must be bumped from 2.6.0 to 3.0.0 (major version) per semver rules, not a minor increment.

🤖 Fix all issues with AI agents

In @scadalts-ui/README.md:
- Line 27: Fix the typo in the README sentence: replace "propably" with
"probably" in the sentence that instructs pasting the cookie into your DevServer
(the line that currently reads "Because you were propably prompted to input a
auth cookie there").

🧹 Nitpick comments (7)

src/org/scada_lts/web/mvc/api/ViewHierarchyAPI.java (4)

122-147: Inconsistency: editFolder should use PUT, not GET.

This endpoint modifies an existing resource, which is a state-changing operation. Per the PR's objective of fixing incorrect GET endpoints, this should use RequestMethod.PUT (or PATCH) for consistency with REST semantics.

♻️ Suggested fix

-	@RequestMapping(value = "/api/view_hierarchy/editFolder/{name}/{key}", method = RequestMethod.GET)
+	@RequestMapping(value = "/api/view_hierarchy/editFolder/{name}/{key}", method = RequestMethod.PUT)

---

149-172: Inconsistency: deleteFolder should use DELETE, not GET.

This endpoint deletes a resource, which is a state-changing operation. It should use RequestMethod.DELETE for proper REST semantics.

♻️ Suggested fix

-	@RequestMapping(value = "/api/view_hierarchy/deleteFolder/{id}", method = RequestMethod.GET)
+	@RequestMapping(value = "/api/view_hierarchy/deleteFolder/{id}", method = RequestMethod.DELETE)

---

174-197: Inconsistency: deleteView should use DELETE, not GET.

Same issue as deleteFolder - this is a destructive operation that should use RequestMethod.DELETE.

♻️ Suggested fix

-	@RequestMapping(value = "/api/view_hierarchy/deleteView/{id}", method = RequestMethod.GET)
+	@RequestMapping(value = "/api/view_hierarchy/deleteView/{id}", method = RequestMethod.DELETE)

---

199-247: Inconsistency: moveFolder and moveView should use PUT or POST, not GET.

Both endpoints perform state-changing operations (relocating resources). Consider using PUT (idempotent move) or POST for consistency with the PR's objective.

♻️ Suggested fix

-	@RequestMapping(value = "/api/view_hierarchy/moveFolder/{id}/{newParentId}", method = RequestMethod.GET)
+	@RequestMapping(value = "/api/view_hierarchy/moveFolder/{id}/{newParentId}", method = RequestMethod.PUT)
	public ResponseEntity<String> moveFolder(@PathVariable("id") int id, @PathVariable("newParentId") int newParentId, HttpServletRequest request) {
		...
	}
	
-	@RequestMapping(value = "/api/view_hierarchy/moveView/{id}/{newParentId}", method = RequestMethod.GET)
+	@RequestMapping(value = "/api/view_hierarchy/moveView/{id}/{newParentId}", method = RequestMethod.PUT)
	public ResponseEntity<String> moveView(@PathVariable("id") int id, @PathVariable("newParentId") int newParentId, HttpServletRequest request) {

src/org/scada_lts/web/mvc/api/PointValueAPI.java (1)

501-506: Misleading method name after HTTP method change.

The method is named setValueGet but now uses @PutMapping. Consider renaming to setValuePut or simply setValue to avoid confusion for future maintainers.

♻️ Suggested rename

 @PutMapping(value = "/api/point_value/setValue/{xid}/{type}/{value}")
-public ResponseEntity<String> setValueGet(
+public ResponseEntity<String> setValuePut(
         @PathVariable("xid") String xid,
         @PathVariable("type") int type,
         @PathVariable("value") String value,
         HttpServletRequest request) {

src/org/scada_lts/web/mvc/api/ReportsAPI.java (1)

42-68: Pre-existing: Inconsistent log messages vs HTTP methods.

Several log messages don't match their actual HTTP methods:

• Line 44: Logs GET:: but uses @PostMapping
• Line 68: Logs GET:: but uses @PostMapping
• Line 115: Logs GET:: but uses @DeleteMapping

Consider fixing these for consistency with the updated endpoints.

src/org/scada_lts/web/mvc/api/AuthenticationAPI.java (1)

65-77: Consider validating empty strings in addition to null checks.

The null checks are good, but empty strings ("") would pass validation and proceed to authentication. While the authentication logic might handle this, it's better to fail fast with a clear 400 response.

♻️ Suggested improvement

-		if (authRequest == null || authRequest.getUsername() == null || authRequest.getPassword() == null) {
+		if (authRequest == null 
+				|| authRequest.getUsername() == null || authRequest.getUsername().isEmpty()
+				|| authRequest.getPassword() == null || authRequest.getPassword().isEmpty()) {
 			return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
 		}

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4943a13 and 3cf22a5.

📒 Files selected for processing (17)

• WebContent/WEB-INF/jsp/systemSettings.jsp
• WebContent/WEB-INF/spring-security.xml
• WebContent/resources/vue-mixins/shared/mixins-export-import.js
• doc/RESTAPI/ScadaLTS_API_OAS3.yaml
• scadalts-ui/README.md
• scadalts-ui/cypress/integration/ScadaLTS_Views/modern_charts.cy.js
• scadalts-ui/cypress/support/commands.js
• scadalts-ui/src/store/dataSource/index.js
• scadalts-ui/src/store/reports/index.js
• scadalts-ui/src/store/systemSettings/index.js
• src/org/scada_lts/web/mvc/api/AuthenticationAPI.java
• src/org/scada_lts/web/mvc/api/DataSourceAPI.java
• src/org/scada_lts/web/mvc/api/PointValueAPI.java
• src/org/scada_lts/web/mvc/api/ReportsAPI.java
• src/org/scada_lts/web/mvc/api/ResourcesAPI.java
• src/org/scada_lts/web/mvc/api/SystemSettingsAPI.java
• src/org/scada_lts/web/mvc/api/ViewHierarchyAPI.java

🧰 Additional context used

🧬 Code graph analysis (1)

src/org/scada_lts/web/mvc/api/AuthenticationAPI.java (1)

src/com/serotonin/mango/Common.java (1)

• Common (69-584)

🪛 LanguageTool

scadalts-ui/README.md

[grammar] ~27-~27: Ensure spelling is correct
Context: ... inside your DevServer because you were propably prompted to input a auth cookie there. ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build WAR archive

🔇 Additional comments (26)

WebContent/WEB-INF/jsp/systemSettings.jsp (1)

499-509: LGTM! POST is the correct HTTP method for this state-changing operation.

The switch from GET to POST for the imagesRefresh endpoint is appropriate since this operation modifies server-side state (refreshes the image cache).

scadalts-ui/src/store/systemSettings/index.js (1)

286-309: LGTM! POST is the correct HTTP method for purge operations.

Both purgeData and purgeNow are state-changing operations that modify server data, making POST the appropriate HTTP verb. The implementation correctly matches the backend API changes.

WebContent/WEB-INF/spring-security.xml (1)

367-369: LGTM! Security rules correctly updated to match new HTTP methods.

• PUT for preventPurge is appropriate as it's an idempotent state update
• POST for run is appropriate as it triggers a new report execution (non-idempotent)

The access control expressions remain correctly configured with the guard permission checks.

src/org/scada_lts/web/mvc/api/ViewHierarchyAPI.java (1)

85-86: LGTM! POST is correct for creating a new folder resource.

scadalts-ui/cypress/integration/ScadaLTS_Views/modern_charts.cy.js (1)

13-13: LGTM - Authentication request correctly updated to POST.

The change aligns with the new /api/auth endpoint that accepts credentials via JSON body instead of URL path parameters.

Note: This REST login call appears after the UI-based login in the before() hook (lines 3-8). If this is intentional for session refresh purposes, consider adding a brief comment explaining why both authentication methods are used.

src/org/scada_lts/web/mvc/api/DataSourceAPI.java (2)

67-75: LGTM - Correct use of POST for state-changing toggle operation.

Changing from GET to POST for the /api/datasource/toggle endpoint correctly follows REST semantics, as this operation modifies server state.

---

88-96: LGTM - Correct use of PUT for idempotent enable operation.

The PUT method is appropriate here since enabling all data points is an idempotent operation (calling it multiple times yields the same result).

scadalts-ui/src/store/reports/index.js (2)

52-58: LGTM - Correctly updated to use PUT for preventPurge toggle.

The change from GET to PUT aligns with REST semantics for this idempotent state modification, and matches the backend endpoint change.

---

72-74: LGTM - Correctly updated to use POST for running reports.

The change from GET to POST is appropriate since running a report is a non-idempotent operation that triggers server-side processing.

scadalts-ui/cypress/support/commands.js (1)

52-62: LGTM - Authentication request correctly updated to POST with JSON body.

This change improves security by moving credentials from the URL path to the request body. Credentials in URL paths can be inadvertently logged in server access logs, browser history, and network proxies.

scadalts-ui/src/store/dataSource/index.js (2)

341-354: LGTM - Correctly updated to use PUT for enabling data points.

The change aligns with the backend @PutMapping annotation on /api/datasource/datapoints/enable and follows REST semantics for idempotent operations.

---

357-370: LGTM - Correctly updated to use POST for toggling data source.

The change aligns with the backend @PostMapping annotation on /api/datasource/toggle and follows REST semantics for state-changing operations.

src/org/scada_lts/web/mvc/api/PointValueAPI.java (1)

683-746: LGTM! HTTP method changes align with REST semantics.

Changing these metadata update endpoints from GET to PUT correctly reflects their state-modifying behavior. PUT is appropriate since these operations are idempotent updates.

src/org/scada_lts/web/mvc/api/ResourcesAPI.java (1)

46-61: LGTM! Correct HTTP method for state-changing operation.

Changing imagesRefresh from GET to POST is appropriate since this endpoint triggers a refresh operation with side effects rather than simply retrieving data.

src/org/scada_lts/web/mvc/api/SystemSettingsAPI.java (2)

305-323: LGTM! Critical fix for destructive operation.

Changing purgeNow from GET to POST is essential. GET requests for data-destructive operations are a security risk (can be triggered by link prefetching, crawlers, or accidental URL sharing).

---

487-505: LGTM! Correct HTTP method for purge operation.

The purgeData endpoint correctly uses POST now, preventing accidental data deletion via GET requests.

src/org/scada_lts/web/mvc/api/ReportsAPI.java (2)

87-92: LGTM! Correct HTTP method for action endpoint.

Running a report is a state-changing operation that triggers processing, so POST is the appropriate method.

---

120-125: LGTM! PUT is appropriate for updating a resource property.

Setting preventPurge is an idempotent update operation, making PUT the correct choice.

doc/RESTAPI/ScadaLTS_API_OAS3.yaml (6)

17-43: LGTM! Authentication endpoints properly documented.

The /auth endpoint now correctly uses POST with a JSON request body containing credentials, which is more secure than passing credentials in URL path parameters.

---

2516-2525: LGTM! AuthenticationRequest schema is well-defined.

The schema correctly marks both username and password as required fields.

---

793-816: LGTM! PUT operation documented for setValue endpoint.

The PUT method is correctly added alongside the existing (deprecated) POST method, providing a proper idempotent update operation.

---

948-979: LGTM! Metadata update endpoints correctly use PUT.

All three updateMetaDataPoint* endpoints are properly documented with PUT method.

---

980-1010: LGTM! Reports endpoints correctly documented.

• /reports/run/{id} uses POST (action/trigger)
• /reports/instances/{id}/preventPurge/{preventPurge} uses PUT (idempotent update)

---

2313-2340: LGTM! Purge endpoints correctly use POST.

Both /systemSettings/purgeData and /systemSettings/purgeNow are now documented as POST operations, aligning with the backend changes and REST best practices for destructive operations.

src/org/scada_lts/web/mvc/api/AuthenticationAPI.java (2)

44-63: LGTM - Clean DTO for authentication credentials.

The inner class properly encapsulates authentication credentials. Moving credentials from URL path parameters to a request body is a security improvement as it prevents credentials from being logged in server access logs and browser history.

---

101-111: Good security improvement - logout now uses session context.

Deriving the user from Common.getUser(request) instead of a path variable prevents a potential security issue where an attacker could attempt to log out other users by specifying their username. The POST method is also appropriate for this state-changing operation.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typo: "propably" → "probably"

📝 Suggested fix

-When you receive the `xhr response` with RequestURL `*/api/auth` from server open that request details and find the **Response Headers** section. Then find a "set-cookie" header and copy that value. Then paste that cookie inside your DevServer because you were propably prompted to input a auth cookie there. If everything is ok you should see the  
+When you receive the `xhr response` with RequestURL `*/api/auth` from server open that request details and find the **Response Headers** section. Then find a "set-cookie" header and copy that value. Then paste that cookie inside your DevServer because you were probably prompted to input a auth cookie there. If everything is ok you should see the  

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	When you receive the `xhr response` with RequestURL `*/api/auth` from server open that request details and find the **Response Headers** section. Then find a "set-cookie" header and copy that value. Then paste that cookie inside your DevServer because you were propably prompted to input a auth cookie there. If everything is ok you should see the
	When you receive the `xhr response` with RequestURL `*/api/auth` from server open that request details and find the **Response Headers** section. Then find a "set-cookie" header and copy that value. Then paste that cookie inside your DevServer because you were probably prompted to input a auth cookie there. If everything is ok you should see the

🧰 Tools

🪛 LanguageTool

[grammar] ~27-~27: Ensure spelling is correct
Context: ... inside your DevServer because you were propably prompted to input a auth cookie there. ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

In @scadalts-ui/README.md at line 27, Fix the typo in the README sentence:
replace "propably" with "probably" in the sentence that instructs pasting the
cookie into your DevServer (the line that currently reads "Because you were
propably prompted to input a auth cookie there").