Chapter 4 Rendering Output

4.1 The Response Object

// TODO

4.2 Serializers

In order to send a response from R to an API client, the object must be “serialized” into some format that the client can understand. JavaScript Object Notation (JSON) is one standard which is commonly used by web APIs. JSON serialization translates R objects like list(a=123, b="hi!") to JSON text resembling {a: 123, b: "hi!"}.

JSON is not appropriate for every situation, however. If you want your API to render an HTML page that might be viewed in a browser, for instance, you will need a different serializer. Likewise, if you want to return an image rendered in R, you likely want to use a standard image format like PNG or JPEG rather than JSON.

By default, Plumber serializes objects into JSON via the jsonlite R package. However, there are a variety of other serializers that are built in to the package.

Annotation Content Type Description/References
@json application/json jsonlite::toJSON()
@html text/html; charset=utf-8 Passes response through without any additional serialization
@jpeg image/jpeg jpeg()
@png image/png png()
@htmlwidget text/html; charset=utf-8 htmlwidgets::saveWidget()
@unboxedJSON application/json jsonlite::toJSON(unboxed=TRUE)

4.2.1 Bypassing Serialization

In some instances it may be desirable to return a value directly from R without serialization. You can bypass serialization by returning the response object from an endpoint. For example, consider the following API.

#' Endpoint that bypasses serialization
#' @get /
function(res){
  res$body <- "Literal text here!"

  res
}

The response that is returned from this endpoint would contain the body Literal text here! with no Content-Type header and without any additional serialization.

Similarly, you can leverage the @serializer contentType annotation which does no serialization of the response but specifies the contentType header. You can use this annotation when you want more control over the response that you send.

#* @serializer contentType list(type="application/pdf")
#* @get /pdf
function(){
  tmp <- tempfile()
  pdf(tmp)
  plot(1:10, type="b")
  text(4, 8, "PDF from plumber!")
  text(6, 2, paste("The time is", Sys.time()))
  dev.off()

  readBin(tmp, "raw", n=file.info(tmp)$size)
}

Running this API and visiting http://localhost:8000/pdf will download the PDF generated from R (or display the PDF natively, if your client supports it).

4.2.2 Boxed vs Unboxed JSON

You may have noticed that API responses generated from Plumber render singular values (or “scalars”) as arrays. For instance:

jsonlite::toJSON(list(a=5))
## {"a":[5]}

The value of the a element, though it’s singular, is still rendered as an array. This may surprise you initially, but this is done to keep the output consistent. While JSON differentiates scalar from vector objects, R does not. This creates ambiguity when serializing an R object to JSON since it is unclear whether a particular element should be rendered as an atomic value or a JSON array.

Consider the following API which returns all the letters lexicographically “higher” than the given letter.

#' Get letters after a given letter
#' @get /boxed
function(letter="A"){
  LETTERS[LETTERS > letter]
}

#' Get letters after a given letter
#' @serializer unboxedJSON
#' @get /unboxed
function(letter="A"){
  LETTERS[LETTERS > letter]
}

This is an example of an API that, in some instance, produces a scalar, and in other instances produces a vector.

Visiting http://localhost:8000/boxed?letter=U or http://localhost:8000/unboxed?letter=U will return identical responses:

["V", "W", "X", "Y", "Z"]

However, http://localhost:8000/boxed?letter=Y will produce:

["Z"]

while http://localhost:8000/unboxed?letter=Y will produce:

"Z"

The /boxed endpoint, as the name implies, produces “boxed” JSON output in which length-1 vectors are still rendered as an array. Conversely, the /unboxed endpoint sets auto_unbox=TRUE in its call to jsonlite::toJSON, causing length-1 R vectors to be rendered as JSON scalars.

While R doesn’t distinguish between scalars and vectors, API clients may respond very differently when encountering a JSON array versus an atomic value. You may find that your API clients will not respond gracefully when an object that they expected to be a vector becomes a scalar in one call.

For this reason, Plumber inherits the jsonlite::toJSON default of setting auto_unbox=FALSE which will result in all length-1 vectors still being rendered as JSON arrays. You can configure an endpoint to use the unboxedJSON serializer (as shown above) if you want to alter this behavior for a particular endpoint.

There are a couple of functions to be aware of around this feature set. If using boxed JSON serialization, jsonlite::unbox() can be used to force a length-1 object in R to be presented in JSON as a scalar. If using unboxed JSON serialization, I() will cause a length-1 R object to present as a JSON array.

4.3 Error Handling

Plumber wraps each endpoint invocation so that it can gracefully capture errors.

#' Example of throwing an error
#' @get /simple
function(){
  stop("I'm an error!")
}

#' Generate a friendly error
#' @get /friendly
function(res){
  msg <- "Your request did not include a required parameter."
  res$status <- 400 # Bad request
  list(error=jsonlite::unbox(msg))
}

If you run this API and visit http://localhost:8000/simple, you’ll notice two things:

  1. An HTTP response with a status code of 500 (“internal server error”) is sent to the client. You should see an error message resembling: {"error":["500 - Internal server error"],"message":["Error in (function () : I'm an error!\n"]}
  2. A similar error is printed in the terminal where you’re running your Plumber API.

This means that it is possible for you to intentionally stop() in an endpoint or a filter as a way to communicate a problem to your user. However, it may be preferable to render errors from your API in a consistent format with more helpful error messages.

{
  "error": "Your request did not include a required parameter."
}

// TODO: example of setErrorHandler on router.

4.4 Custom Serializers

// TODO

4.5 Setting Cookies

As part of fulfilling a request, a Plumber API can choose to set HTTP cookies on the client. HTTP APIs don’t implicitly contain a notion of a “session.” Without some additional information, Plumber has no way of ascertaining whether or not two HTTP requests that come in are associated with the same user. Cookies offer a way to commission the client to store some state on your behalf so that selected data can outlive a single HTTP request; the full implications of using cookies to track state in your API are discussed here. The two forms of Plumber cookies – plain-text and encrypted – are discussed in the following sections.

Before you make cookies an important part of your API’s security model, be sure to understand the section on the security considerations when working with cookies.

4.5.1 Setting Unencrypted Cookies

Plumber can both set and receive plaint-text cookies. The API endpoint below will return a random letter, but it remembers your preferences on whether you like capitalized or lower-case letters.

#' @put /preferences
function(res, capital){
  if (missing(capital)){
    stop("You must specify a value for the 'capital' preference.")
  }
  res$setCookie("capitalize", capital)
}

#' @get /letter
function(req) {
  capitalize <- req$cookies$capitalize

  # Default to lower-case unless user preference is capitalized
  alphabet <- letters

  # The capitalize cookie will initially be empty (NULL)
  if (!is.null(capitalize) && capitalize == "1"){
    alphabet <- LETTERS
  }

  list(
    letter = sample(alphabet, 1)
  )
}

Since this API is using a PUT request to test this API, we’ll use curl on the command line to test it. (There’s nothing about cookies that necessitates PUT requests; you could just as easily modify this API to use a GET request.) We can start by visiting the /letter endpoint and we’ll see that the API defaults to a lower-case alphabet. curl http://localhost:8000/letter

{
  "letter": ["h"]
}

If we send a PUT request and specify the capital parameter, a cookie will be set on the client which will allow the server to accommodate our preference in future requests. In curl, you need to specify a file in which you want to save these cookies using the -c option. This is a good reminder that clients handle cookies differently – some won’t support them at all – so be sure that the clients you intend to support with your API play nicely with cookies if you want to use them.

To send a PUT request, setting the parameter capital to 1, we could invoke: curl -c cookies.txt -X PUT --data 'capital=1' "http://localhost:8000/preferences". If you print out the cookies.txt file, you should now see that it contains a single cookie called capitalize with a value of 1.

We can make another GET request to /letter to see if it accommodates our preferences. But we’ll need to tell curl to use the cookies file we just created when sending this request using the -b switch: curl -b cookies.txt http://localhost:8000/letter. You should now see that the API is returning a random capitalized letter.

This is a simple example showing how to persist user preferences across HTTP requests using cookies. But be aware that the client has the ability to modify or fabricate the cookies that they send to your API. So storing preferences that the user themselves provided in a cookie is not a concern. Storing something with security implications like the level of permissions this client has on your API, however, would be; a malicious user would just need to modify the role saved in their cookie in order to trick your API into giving them more permissions than it should.

There are two common work-arounds to this concern. You can simply store a long (cryptographically) random identifier in the user’s cookie, and have some mapping on the server that allows you to lookup the session associated with that random ID. Alternatively, you could use signed/encrypted cookies, as detailed in the next section.

4.5.2 Setting Encrypted Cookies

In addition to storing plain-text cookies, Plumber also supports handling cookies that are encrypted. Encrypted cookies prevent your users from seeing what is stored inside of them and also sign their contents so that users can’t modify what is stored.

To use this feature, you must explicitly add it to your router after constructing it. For example, you could run the following sequence of commands to create a router that supports encrypted session cookies.

pr <- plumb("myfile.R")
pr$registerHooks(sessionCookie("mySecretHere", "cookieName"))
pr$run()

You’ll notice the above example is using the sessionCookie hooks that come with Plumber. By adding registering these hooks on your router, you’ll ensure that the req$session object is made available on incoming requests and is persisted to the cookie named cookieName when the response is ready to be sent to the user. In this example, the key used to encrypt the data is "mySecretHere", which is obviously a very weak secret key.

Unlike res$setHeader(), the values attached to req$session are serialized via jsonlite; so you’re free to use more complex data structures like lists in your session. Also unlike res$setHeaders(), req$session encrypts the data using the secret key you provide as the first argument to the sessionCookie() function.

As an example, we’ll store an encrypted cookie that counts how many times this client has visited a particular endpoint:

#* @get /sessionCounter
function(req){
  count <- 0
  if (!is.null(req$session$counter)){
    count <- as.numeric(req$session$counter)
  }
  req$session$counter <- count + 1
  return(paste0("This is visit #", count))
}

Again, you would need to register the sessionCookie() hooks on your router before this code would work.

If you inspect the cookie being set in your browser, you’ll find that its value is encrypted by the time it gets to the client. But by the time it arrives in Plumber, your cookie is available as a regular R list and can be read or modified.