
To Do List for neon                                      -*- text -*-
-------------------

Please submit feature requests to <mailto:neon@webdav.org>

1. Support for HTTP-extended authoring methods ala WebRFM etc; using
   New-URI header etc.  Also support the BROWSE and INDEX methods.  The
   protocol is documented at:
   http://www.ics.uci.edu/pub/ietf/webdav/ns_dav.html
   DON'T do this inside dav_basic.c, do it separately in
   http_authoring.c or something. 

2. Add proper domain support to authentication code. (requires full
   URI parsing support). Need to tell the auth layer the server
   details.

4. Better cnonce generation for authentication: use /dev/{u}random or
   whatever like mod_auth_digest.

6. PUT/GET with ranges... http_get_range

9. DeltaV support (http://www.webdav.org/deltav/). See also the
   subversion project (http://subversion.tigris.org/) who might build
   a versioning system over DAV.

10. ACL support (http://www.webdav.org/acl/)

11. DASL support (http://www.webdav.org/dasl/). Xythos have server
    support for this (www.sharemation.com). The UI is probably the
    hardest problem here.

14. Improved request-header manipulation... some kind of indexed table
    (a la Apache, libghttp, so we're sure we don't add the same header
    to the request twice.  Better control over adding Cache-Control
    headers would be good too.

17. Should we really be i18n'izing the low-level error messages in
    http_request.c, dav_207.c ? It seems nice and clever to, so the
    user REALLY know what is going wrong with the server (probably),
    but it is maybe a bit frightening.

20. Add decent and proper URI parser + handling. Or stop pretending we
    are doing "URI" parsing, and just handle HTTP URL's.

21. Storing multiple authentication "sessions" within an actual
    http_auth_session, so I log into e.g. /foo/ and /bar/ (which are
    not in the same authentication domain) and switch between them
    without having to re-enter passwords all the time.

23. Mechanism for aborting a request mid-response; e.g., when a GET
    fails due to out of disk space, abort the download.

27. Use a FQDN in the Host: header.  This is tricky, since the record
    returned by gethostbyname lists the real name not the cname, so
    we can't use that.

28. Support response caching.

31. Make it threadsafe:
    socket.c: gethostbyname -> gethostbyname_r.
    socket.c: getservbyname -> getservbyname_r.

33. Cookie support. Relevant specs:
     - RFC2109
     - http://home.netscape.com/newsref/std/cookie_spec.html
     - draft-ietf-http-state-man-mec-12 (obsoletes 2109)
     - draft-iesg-http-cookies (privacy considerations)
    Probably, for first-hack, do not let cookies persist beyond a
    single http_session lifetime (an excellent application for hooks).
    This should cover privacy requirements adequately.

34. Perhaps, make a proper 'read http header' function which combines
    sock_readline and read_message_header and folds continuation lines
    properly.

35. Allow i18n'ization if building a shared library, iff gettext
    support is on the system (and hence add -lintl or whatever to
    NEON_LIBS). If system has no gettext support, then it's probably
    impossible to support i18n in the library (although *applications*
    can support it by bundling gettext themselves). Take a look at how
    other libraries handle this.

36. The high-level interface (http_get etc) isn't easily modified,
    e.g. if I want to add a header "X-Foo: bar" to GET requests, I
    have to re-write the GET handler from scratch. Okay for simple
    methods, but bad for things like PROPFIND. A better use case, 
    is if I want to modify GET to retrieve the value of the Etag
    header, or Last-Modified, as well as perform the actual GET
    mechanism.  Counter-argument is that it's so easy to write your
    own methods, don't bother.

37. SSL certificate verification: Tommi Komulainen
    <Tommi.Komulainen@iki.fi> has donated his SSL cert verification
    from the mutt IMAP/SSL code under the LGPL... it needs
    de-muttifying and plugging in.

38. Remove pair_string + split_string, write parameter-modifying
    versions instead (i.e., like strsep/strtok).

40. XML body acceptance callback should check Content-Type. Should
    also pass encoding to expat if one is given (how about libxml?).
    Recent mod_dav's return XML bodies in 424 responses which need
    displaying properly.

43. SOCKS support.

44. Finer-grained connection status feedback, i.e., "Sent Request",
    "Got response status-line"... "Reading response body"

46. Asynchronous request-dispatching? Makes integration into GUI loop
    easy... any other reasons?  Must leave existing request_dispatch
    interface intact.

47. Indexed table-based response-header access? Might simplify things
    like response body acceptance callbacks (i.e., can get access to
    Content-Type header for XML).

48. Possibly, store the time of last interaction over the TCP socket,
    call it 't'.  If the next request is made after t+20, presume the
    persistent connection is dead, so re-connect automatically.  If we
    don't do this, then we have two wasted write() calls making the
    request, then failing, then re-connecting.  It's really only worth
    doing this if this actually saves any packets on the wire, which
    it probably doesn't. strace / tcpdump might help here.

49. Configurable socket timeouts. (separate read/write?)

50. opendir/readdir/closedir-esque interface for PROPFIND depth 1, 
    a la EZDAV. (cadaver has it already)

52. Useful redirect support. Needs to set URI for request properly.
    Currently, this breaks digest-auth, proxies.

53. "http_session" concept is hazy.  Abstract out a "connection"
    concept too, and allow >1 connection per-session in multi-threaded
    use, somehow.

54. Locks support: need to store hostname / absoluteURI.

57. Add function to map of status-code values to i18n-ized reason
    phrase.

58. 2616 is quite strict about when to retry non-idempotent requests
    and when not to.  We are not compliant here.

59. Should we use snprintf if it is not in libc?? Probably... yes.

60. Might be nice to rip the options out of libtool (using --config?)
    to determine how to add the prefix/lib directory to the runtime
    dynamic link library path, and add these to neon-config --libs
    output.

61. Make everything namespace-safe:
       md5.c   uses md5_*... bad. Move to ne_md5_*
       string_utils.c is a hotch-potch.

62. Something is broken in SSL, it is way slow.
