The impact on middleware of expanding APIs with Go's interface smuggling
Recently, the Go blog had Keeping your Modules Compatible which is about doing exactly that as you add features and want to expand your module's API. When the module's API involves interfaces, one of the approaches they suggested is what I've called interface smuggling and what other people have called interface upgrades. Let me quote the article:
When you run into a case where you want to add a method to an existing interface, you may be able to follow this strategy. Start by creating a new interface with your new method, or identify an existing interface with the new method. Next, identify the relevant functions that need to support it, type check for the second interface, and add code that uses it.
This is a quite popular approach, one used by many packages in Go's standard library and third party packages. However, it has a dark side, and that is its unfortunate effects on middleware.
The problem for middleware is best illustrated by the most common
sort of middleware, which is things that interpose in the chain of
HTTP handlers to modify the results. Much middleware wants to look
at or act on some aspect of the HTTP reply, for example to gather
metrics based on the result code, which
means that it must modify and proxy the
http.ResponseWriter passed to child
http package has
acquired a whole collection of smuggled interfaces on ResponseWriters,
http.CloseNotifier (which is deprecated),
http.Pusher. In the
future there will probably be more.
(In addition, the ResponseWriter may or may not support
If you're a piece of middleware, the ResponseWriter you're passed
may support some, many, or all of these additional APIs. However,
Go provides you no good way to pass this support through your proxy
ResponseWriter that you're going to pass to children Handlers. The
Prometheus people try hard to do it anyway, and the result is
and involves a combinatorial explosion of the possible combinations
of APIs. As the case of io.ReaderFrom shows, these additional APIs
don't even necessarily come from the
http package. A smuggled
interface from anywhere may need to be supported.
One answer to this is that you just don't support these additional APIs in your middleware, or you only support a few of them. The problem with this is that the ResponseWriter and the client code that people are trying to use your middleware with well have been developed, tested, and normally used in an environment where these expanded APIs are used, not cut off. As we all know, if you don't test it it doesn't work. Your middleware may be the first code to try to pass the next hop a ResponseWriter with a genuinely narrow API, because such narrow APIs may mostly come from middleware. And of course if there are any bugs in the result, people will blame your middleware.
None of this is insurmountable. But beyond the problems and the hassles, it means that expanding your API with interface smuggling is decidedly not transparent if people use middleware with it. And as a practical matter, some amount of the time your new API will not be usable until middleware is expanded to cope with it (if it ever is).
Another problem is that this expansion of middleware to cope with your new API can't happen until your new API itself is pervasive. Go currently provides no support for conditional building based on the version of other packages or the state of their API, so middleware can't include any use of your new API interfaces until it doesn't have to build against versions of your package that predate them.
(People can work around this for HTTP middleware because they can make files build only on specific minimum versions of Go. Your package doesn't have this magical power; it's something available only for new APIs in the Go standard library.)
Because nothing is new under the sun, this problem was noticed back in 2014's Interface Upgrades in Go, which is one of the earliest places to call this pattern an 'interface upgrade'. The article notes the proxy problem and ends with a call to use interface upgrades sparingly. This is good advice in my opinion, but is very much at odds with the idea of routinely using interface upgrades to expand your API.