I'm working with the 8.3 OpenAPI schema, and it seems that the signature field on a GET for a resource is not "required", and therefore is optional. However, submitting changes to the data for a schema seems to require a valid signature value. Is the OpenAPI schema correct, and we need to handle the case where a signature is not provided but data is, or should signature never be undefined, or am I missing something?
A signature should not be required for a GET, because it's highly unlikely you would know about the signature of a resource before querying for it. A signature is required on update of a resource because there's the possibility that the resource you are interacting with has been updated since your original query for that resource; the signature is a way to tell the back-end "this is the point-in-time I queried the resource. Please don't accept my request to update the resource if it has been updated since that point-in-time."
Oh, I guess I didn't include all the details: it's the GET response that has an optional signature field, while the PUT request requires the signature. In other words, the GET doesn't seem to guarantee that it provides a signature to be used when writing back via the PUT.
All resources should include a signature field as part of their GET response. Can you show me where you're seeing that the signature field is optional?
It's in any of the schemas for a resource GET (List Foo Resources):
@Andrew_Gilbert I think we just haven't annotated the properties in that schema as required or not required, but AFAICT the signature will always be there.
Agreed. The only time that field might not exist is if a user manually modifies the JSON file through the file system. Even API attempts to remove the field would result in the field being re-added as part of our write process.