The concept of "post" parameters makes more sense once you realize their name is a reference to $_POST, not POST bodies in general. So in that sense extending them to JSON fields would actually be more confusing.

Given that form data handling is not that useful in the REST API in general, maybe just deprecate post parameters for that API entirely?

In T362850#9745259, @Tgr wrote:

The concept of "post" parameters makes more sense once you realize their name is a reference to $_POST, not POST bodies in general. So in that sense extending them to JSON fields would actually be more confusing.

Given that form data handling is not that useful in the REST API in general, maybe just deprecate post parameters for that API entirely?

That's what I did initially, and ended up causeing a train blocker: T362817: PHP Deprecated: The "post" source is deprecated, use "body" instead [Called from MediaWiki\Rest\Validator\ParamValidatorCallbacks::getValue]. This is my attempt of being more careful and retainign backwards compatibility.

I agree that form data processing isn't what you'd typicalyl use a REST API for, but apparently people are indeed doing it: https://codesearch.wmcloud.org/things/?q=SOURCE%20%3D%3E%20%27post%27. A prominent use case seems to be OAuth, though I haven't investigated how or why.

Change #1024459 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[mediawiki/core@master] REST: introduce getBodyParamSettings

https://gerrit.wikimedia.org/r/1024459

I'd deprecate "post", and pass "body" parameters to the BodyValidator (which is based on the mime type and could be a FormDataBodyValidator, so form data support is easy to preserve although old code would have to be updated).

The OAuth 2 spec does make use of application/x-www-form-urlencoded for some endpoints, no form data though I think.

In T362850#9746323, @Tgr wrote:

I'd deprecate "post", and pass "body" parameters to the BodyValidator (which is based on the mime type and could be a FormDataBodyValidator, so form data support is easy to preserve although old code would have to be updated).

The OAuth 2 spec does make use of application/x-www-form-urlencoded for some endpoints, no form data though I think.

The "body" source already supports taking info from $_POST, because PSR-7 wants $_POST to be available through RequestInterface::getParsedBody(). So that would be automatic.

But the handler would have to use getValidatedBody instead of getValidatedParams().

It's doable. The conceptual question is, I think, wether we want to deprecate the idea of form data as "parameters", and make handlers think of it as "request body" instead. The former is the traditional approach in PHP, the latter is technically more correct and mroe in line with OAS.

I was originally going in that direction. I filed this ticket to explore the alternative approach, allowing both perspectives on form data ($_POST) requests.

As @Tgr points out, the term "post" is confusing because it could be taken to mean either the HTTP POST method or $_POST.

Would it help, as part of the solution, to deprecate (and then quickly stop supporting) the "post" naming and change it to "form" instead? That'd be a one-to-one switch that we could easily make in affected code. If we then need to support it perpetually, its meaning is hopefully more obvious.

At this point I think we should just go ahead and kill "post". We just need to be a bit more careful than I was initially.

Change #1024459 merged by jenkins-bot:

[mediawiki/core@master] REST: introduce getBodyParamSettings

https://gerrit.wikimedia.org/r/1024459

Change #1028884 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[mediawiki/core@master] REST: introduce getSupportedRequestTypes()

https://gerrit.wikimedia.org/r/1028884

Change #1028885 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[mediawiki/core@master] DNM: REST: Deprecate using "post" as the parameter source

https://gerrit.wikimedia.org/r/1028885