Note caveats about the RPC framework

I don't want to give the impression that this is the best example to build on. Hypcast has a whole thing in the README about not exposing it to the Internet, and how it's a personal project, so it should be well understood that design decisions here and elsewhere reflect that.
ahamlinman · Aug 28, 2024 · bdc5e14 · bdc5e14
1 parent c876c52
commit bdc5e14
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/internal/api/rpc/rpc.go b/internal/api/rpc/rpc.go
@@ -9,6 +9,10 @@
 // do not require parameters. The maximum size of RPC request bodies may be
 // limited to conserve server resources. Requests with parameters must include a
 // Content-Type header with the value "application/json".
+//
+// This framework is not considered acceptable for Internet-facing production
+// use. For example, the Content-Type enforcement described above is the only
+// mitigation against cross-site request forgery attacks.
 package rpc
 
 import (
@@ -49,10 +53,8 @@ func (handler HandlerFunc[T]) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	var (
-		code int
-		body any
-	)
+	var code int
+	var body any
 	if params, err := readRPCParams[T](r); err == nil {
 		code, body = handler(params)
 	} else {