Preparing for the Plumber v0.4.0 Release
Plumber is a package which allows you to create web APIs from your R code. If you're new to Plumber, you can take a look at www.rplumber.io to learn more about how to use the package to create your APIs.
Over the years, we've noticed a handful of things that we wished we'd done differently in the development of Plumber. In particular, there were some decisions that prioritized convenience over security which we wanted to roll back. We've decided to bite the bullet and make these changes before more users start using Plumber. The v0.4.0 release of Plumber includes a handful of breaking changes that mitigate these issues all at once. Our hope in getting all of these out of the way at once is to ensure that users building on Plumber moving forward have confidence that any breaking change under consideration has already been made and that we shouldn't have this kind of churn again anytime soon.
If you're already using Plumber, we strongly encourage you to read the v0.4.0 migration guide below. As you'll see, most of these changes affect the hosting or low-level interactions in Plumber. The dominant mode in which people use Plumber (adding comments to their existing R functions) has not changed; there are no breaking changes in how those files are interpreted.
v0.4.0 of Plumber will be deployed to CRAN in the coming days. We strongly encourage you to try out the v0.4.0 version of Plumber ahead of time to make sure that you've migrated your APIs correctly.
devtools::install_github("trestletech/plumber")
Alternatively, you can continue using the last release of Plumber which didn't include any of these breaking changes (v0.3.3) until you're ready to upgrade by using the following command:
devtools::install_github("trestletech/plumber", ref="v0.3.3")
You can see the full release notes for v0.4.0 here.
Plumber v0.4.0 Migration Guide
There are a number of changes that users should consider when preparing to upgrade to plumber
v0.4.0.
- Plumber no longer accepts external connections by default. The
host
parameter for therun()
method now defaults to127.0.0.1
, meaning that Plumber will only listen for incoming requests from the local machine on which it's running -- not from any other machine on the network. This is done for security reasons so that you don't accidentally expose a Plumber API that you're developing to your entire network. To restore the old behavior in which Plumber listened for connections from any machine on the network, use$run(host="0.0.0.0")
. Note that if you're deploying to an environment that includes an HTTP proxy (such as the DigitalOcean servers which use nginx), having Plumber listen only on127.0.0.1
is likely the right default, as your proxy -- not Plumber -- is the one receiving external connections. - Plumber no longer sets the
Access-Control-Allow-Origin
HTTP header to*
. This was previously done for convenience but given the security implications we're reversing this decision. The previous behavior would have allowed web browsers to make requests of your API from other domains using JavaScript if the request used only standard HTTP headers and were aGET
,HEAD
, orPOST
request. These requests will no longer work by default. If you wish to allow an endpoint to be accessible from other origins in a web browser, you can useres$setHeader("Access-Control-Allow-Origin", "*")
in an endpoint or filter. - Rather than setting the default port to
8000
, the port is now randomly selected. This ensures that a shared server (like RStudio Server) will be able to support multiple people developing Plumber APIs concurrently without them having to manually identify an available port. This can be controlled by specifying theport
parameter in therun()
method or by setting theplumber.port
option. - The object-oriented model for Plumber routers has changed. If you're calling any of the following methods on your Plumber router, you will need to modify your code to use the newer alternatives:
addFilter
,addEndpoint
,addGlobalProcessor
, andaddAssets
. The code around these functions has undergone a major rewrite and some breaking changes have been introduced. These four functions are still supported with a deprecation warning in 0.4.0, but support is only best-effort. Certain parameters on these methods are no longer supported, so you should thoroughly test any Plumber API that leverages any of these methods before deploying version 0.4.0. Updated documentation for using Plumber programmatically is now available.