20 July 2017

Preparing for the Plumber v0.4.0 Release

Plumber is a package which allows you to create web APIs from your R code. If you're new to Plumber, you can take a look at www.rplumber.io to learn more about how to use the package to create your APIs.

Over the years, we've noticed a handful of things that we wished we'd done differently in the development of Plumber. In particular, there were some decisions that prioritized convenience over security which we wanted to roll back. We've decided to bite the bullet and make these changes before more users start using Plumber. The v0.4.0 release of Plumber includes a handful of breaking changes that mitigate these issues all at once. Our hope in getting all of these out of the way at once is to ensure that users building on Plumber moving forward have confidence that any breaking change under consideration has already been made and that we shouldn't have this kind of churn again anytime soon.

If you're already using Plumber, we strongly encourage you to read the v0.4.0 migration guide below. As you'll see, most of these changes affect the hosting or low-level interactions in Plumber. The dominant mode in which people use Plumber (adding comments to their existing R functions) has not changed; there are no breaking changes in how those files are interpreted.

v0.4.0 of Plumber will be deployed to CRAN in the coming days. We strongly encourage you to try out the v0.4.0 version of Plumber ahead of time to make sure that you've migrated your APIs correctly.

devtools::install_github("trestletech/plumber")

Alternatively, you can continue using the last release of Plumber which didn't include any of these breaking changes (v0.3.3) until you're ready to upgrade by using the following command:

devtools::install_github("trestletech/plumber", ref="v0.3.3")

You can see the full release notes for v0.4.0 here.

Plumber v0.4.0 Migration Guide

There are a number of changes that users should consider when preparing to upgrade to plumber v0.4.0.

  1. Plumber no longer accepts external connections by default. The host parameter for the run() method now defaults to 127.0.0.1, meaning that Plumber will only listen for incoming requests from the local machine on which it's running -- not from any other machine on the network. This is done for security reasons so that you don't accidentally expose a Plumber API that you're developing to your entire network. To restore the old behavior in which Plumber listened for connections from any machine on the network, use $run(host="0.0.0.0"). Note that if you're deploying to an environment that includes an HTTP proxy (such as the DigitalOcean servers which use nginx), having Plumber listen only on 127.0.0.1 is likely the right default, as your proxy -- not Plumber -- is the one receiving external connections.
  2. Plumber no longer sets the Access-Control-Allow-Origin HTTP header to *. This was previously done for convenience but given the security implications we're reversing this decision. The previous behavior would have allowed web browsers to make requests of your API from other domains using JavaScript if the request used only standard HTTP headers and were a GET, HEAD, or POST request. These requests will no longer work by default. If you wish to allow an endpoint to be accessible from other origins in a web browser, you can use res$setHeader("Access-Control-Allow-Origin", "*") in an endpoint or filter.
  3. Rather than setting the default port to 8000, the port is now randomly selected. This ensures that a shared server (like RStudio Server) will be able to support multiple people developing Plumber APIs concurrently without them having to manually identify an available port. This can be controlled by specifying the port parameter in the run() method or by setting the plumber.port option.
  4. The object-oriented model for Plumber routers has changed. If you're calling any of the following methods on your Plumber router, you will need to modify your code to use the newer alternatives: addFilter, addEndpoint, addGlobalProcessor, and addAssets. The code around these functions has undergone a major rewrite and some breaking changes have been introduced. These four functions are still supported with a deprecation warning in 0.4.0, but support is only best-effort. Certain parameters on these methods are no longer supported, so you should thoroughly test any Plumber API that leverages any of these methods before deploying version 0.4.0. Updated documentation for using Plumber programmatically is now available.