Important! API calls security update has major impact - please read this

This morning, I found out the hard way that Knack has changed how the PUT API call operates in tables. If you don’t have the Inline Edit set as enabled, it will fail with error code 400 (Bad Request).

So I had to rush all over my app to find all the tables that were affected. Since I don’t want the users to be able to use Inline Edit, I had to enable the feature for the table, but also disable it for each field individually. What a job!!! I just hope I haven’t missed any.

I sure hope this won’t happen again. Knack should notify us several weeks ahead of time before implementing such critical changes in the future, as this had major impact on my client’s production line. Not to mention the operator’s perception of a failed system they can’t trust so much anymore. Next, I have to figure out each record that missed the API call’s change and manually fix them.

FYI, the problem started on August 25th 2021, at about 17:00 (UTC).

Norm D.

Hi Norm - thank you for posting here and for reaching out directly to our support team for help when you noticed this!

Knack is committed to the security of our customers’ data. As such, we’ve recently made some changes to our API to align with our Dev Docs and improve security.

We’re sorry to hear this created issues for you, and appreciate your feedback on this. We’re reviewing our process for how these updates are handled going forward.

2 Likes

A post was split to a new topic: Invalid request error inline editing

Did Knack also recently change how the PUT API call operates in forms? I am getting a 400 (Bad Request) as a response to a PUT call to a form. The POST call works, but the PUT fails (with the same headers). Our code was working previously; the bug was just reported to us last week by a client.

Thanks in advance

Hi Chia,

It is possible, but I can’t say for sure. I will have to try it.

Note that it may be due to your form’s action. Does it add a new record or does it modify an existing one? Remember that POST is to add and PUT is to modify.

Maybe until recently, PUT could add a new record even though it shouldn’t have been able to do it - and they fixed that (which is a good thing).

BTW, did you know that you can avoid using API calls in a form? Indeed, I often use JavaScript to fill the fields’ values and simulate a click on the Submit button. Then, if the data is critical or the transaction needs to be validated, you have two ways of confirming that all went well: 1) wait for that brief confirmation message called a “toast”, and/or 2) refresh a table in that same page containing that new data and compare against what you sent.

Hope this helps,
Norm

1 Like

@Chia - It’s hard to tell from what you describe here if this is related to that change. Would you please email support@knack.com or message our support team from your Builder? It would help to learn more about the issue you are facing within context of your specific app, in order to assist. Thanks!

@NormandDefayette_CortexRD appreciate your reply as well!

2 Likes

Hi to all. I just want to take a moment to say a big Thank You to Knack’s development and documentation teams for listening and considering my special request.

In fact, when I started using their API, I discovered by pure coincidence that it was possible to perform PUT operations in table and search views, even though the documentation stated that only forms should be used. Now recently, as they were improving their security, this stopped working and led to my “panicky” original post here. Also by luck and random trials, I discovered that I could make it work again by enabling the Inline editing feature for each affected table/search. I was a bit relieved but also stressed that they might remove that PUT capability altogether one day. The thing is that I rely on this “feature” for tons of code, and in my KTL also, to implement really powerful features.

So, I begged them to consider leaving this capability in place, and simply update the documentation accordingly. Others will certainly also benefit from this cool “new-old” feature.

In conclusion, all this to say that a few minutes ago, I went back and read the documentation… and saw this updated paragraph:


Views that can accept a PUT request to update a record include the following:

  • Edit Forms
  • Tables (with inline editing turned on)
  • Searches (with inline editing turned on)

That really made my day, I can relax now and continue dreaming of all those future crazy things I’ll be able to do.

Thanks Knack for listening to your customers!
Normand D.