ADR-0012: HTTP Methods for SPIKE API

• Status: accepted
• Date: 2024-11-04
• Tags: API, TLS, Semantics, Network, Operations

Context

SPIKE is a secrets management system that provides an HTTP API for CRUD operations. The system integrates with SPIFFE/SPIRE for identity management and authentication.

When designing the API, we needed to determine how to handle HTTP methods for different operations while maintaining security and preventing unwanted caching of sensitive data.

Key considerations:

• Prevention of URL caching for security purposes
• Desire for consistent request structure
• Need to maintain semantic clarity of operations
• Integration with proxy servers and security infrastructure
• Auditability and debugging capabilities

Decision

We will:

1. Use HTTP POST method for all API operations (Create, Read, Update, Delete)
2. Encode the operation type in the URL query parameter using action=
3. Include all operation parameters in the request body

Example URLs:

https://host:port/v1/secrets?action=read
https://host:port/v1/secrets?action=delete
https://host:port/v1/secrets?action=write

Consequences

Positive

• Prevents sensitive data from being cached in URLs
• Avoids sensitive data appearing in server logs
• Provides consistent request structure for all operations
• Simplifies client implementations by using uniform HTTP method
• Makes operation type visible in URL for auditing without exposing sensitive data
• Works well with proxies that might restrict certain HTTP methods
• Maintains clear operation semantics through URL parameters

Negative

• Deviates from REST architectural principles
• May surprise developers expecting traditional REST endpoints
• Could complicate integration with some REST-focused tools
• URL routing slightly more complex due to query parameter handling

Neutral

• Operation type moved to query parameter instead of HTTP method
• Need to handle invalid/missing action parameters

Alternatives Considered

Traditional REST approach with different HTTP methods

• Rejected due to caching concerns and desire for consistency

Using path parameters instead of query parameters

/v1/secrets/read
/v1/secrets/delete

• Rejected to maintain existing implementation pattern

GraphQL-style single endpoint

• Rejected as overly complex for current needs

Compliance

This decision maintains compliance with security best practices while providing a usable API interface. It aligns with the security-first approach required for a secrets management system.

References

• SPIFFE
• SPIRE
• HTTP Method Definitions

• ADR-0021: SPIKE Keeper as a Stateless Shard Holder
• ADR-0020: Switch to Zola for Documentation System
• ADR-0019: Plugin-Based Storage Backend Architecture
• ADR-0018: Administrative Access to SPIKE
• ADR-0017: Synchronous Persistence for SPIKE Secrets Store
• ADR-0016: Memory-First Secrets Store
• ADR-0015: Use Singular Form for File and Package Naming
• ADR-0014: Maintaining SQLite as SPIKE’s Primary Storage Backend
• ADR-0013: S3-Compatible Storage as SPIKE’s Backing Store
• ADR-0012: HTTP Methods for SPIKE API
• ADR-0011: PostgreSQL as SPIKE’s Backing Store
• ADR-0010: Session Token Storage Strategy for SPIKE Nexus
• ADR-0009: Multi-Administrator Support System
• ADR-0008: Administrative Access Control System
• ADR-0007: Root Key Lifecycle and Management Strategy
• ADR-0006: Trust Boundary Definition and Security Assumptions
• ADR-0005: Use SPIFFE mTLS for Inter-Component Authentication and Communication
• ADR-0004: SPIKE Keeper Minimalist Design Approach
• ADR-0003: Root Key Management and Storage Strategy
• ADR-0002: Use Docsify for Documentation System
• ADR-0001: Display Secrets in Plain Text in SPIKE Pilot Admin CLI

• SPIKE System Overview
• SPIKE Security Model
• SPIKE Architectural Decision Records