fix: webui on ipv6 localhost #7731

Merged
merged 1 commit into from
Oct 26, 2020
Merged
fix: localhost API access via ipv6
This adds localhost ipv6 addresses to the allowlist for use in browser
context and fixes WebUI on ipv6-only deployments: http://[::1]:5001/webui

We were missing CORS/Origin tests for API port so I've added basic ones
and included localhost/127.0.0.1/::1 variants.
lidel committed Oct 19, 2020
commit d1c20bdff75d96a72ee0fe004c01a606df933c23
2 changes: 2 additions & 0 deletions core/corehttp/commands.go
@@ -40,6 +40,8 @@ const APIPath = "/api/v0"
var defaultLocalhostOrigins = []string{
"http://127.0.0.1:<port>",
"https://127.0.0.1:<port>",
"http://[::1]:<port>",
"https://[::1]:<port>",
"http://localhost:<port>",
"https://localhost:<port>",
}
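Review bot: `defaultLocalhostOrigins` acts as a security allowlist for browser access to the API, yet nothing visible in this hunk says so or explains the `<port>` placeholder; the lines above the declaration are outside the hunk, so a comment may already exist there. If it does not, I would add one above the `var`, for example `// defaultLocalhostOrigins lists the browser Origins allowed to call the API by default; <port> is presumably replaced with the API port. Keep entries loopback-only.` The added sharness test exercises only the `http://[::1]` entry, so the `https://[::1]:<port>` variant is untested as far as this page shows.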
7 changes: 0 additions & 7 deletions test/sharness/t0112-gateway-cors.sh
@@ -6,16 +6,9 @@

test_description="Test HTTP Gateway CORS Support"

test_config_ipfs_cors_headers() {
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Headers '["X-Requested-With"]'
}

. lib/test-lib.sh

test_init_ipfs
test_config_ipfs_cors_headers
test_launch_ipfs_daemon

thash='QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn'
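--- /dev/null
+++ b/test/sharness/t0401-api-browser-security.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2020 Protocol Labs
+# MIT Licensed; see the LICENSE file in this repository.
+#
+
+test_description="Test API browser security"
+
+. lib/test-lib.sh
+
+test_init_ipfs
+
+PEERID=$(ipfs config Identity.PeerID)
+
+test_launch_ipfs_daemon
+
+test_expect_success "browser is unable to access API without Origin" '
+curl -sD - -X POST -A "Mozilla" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 403 Forbidden" curl_output
+'
+
+test_expect_success "browser is unable to access API with invalid Origin" '
+curl -sD - -X POST -A "Mozilla" -H "Origin: https://invalid.example.com" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 403 Forbidden" curl_output
+'
+
+test_expect_success "browser is able to access API if Origin is the API port on localhost (ipv4)" '
+curl -sD - -X POST -A "Mozilla" -H "Origin: http://127.0.0.1:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
+'
+
+test_expect_success "browser is able to access API if Origin is the API port on localhost (ipv6)" '
+curl -sD - -X POST -A "Mozilla" -H "Origin: http://[::1]:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
+'
+
+test_expect_success "browser is able to access API if Origin is the API port on localhost (localhost name)" '
+curl -sD - -X POST -A "Mozilla" -H "Origin: http://localhost:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
+'
+
+test_kill_ipfs_daemon
+
+test_expect_success "setting CORS in API.HTTPHeaders works via CLI" "
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '[\"https://valid.example.com\"]' &&
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '[\"POST\"]' &&
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Headers '[\"X-Requested-With\"]'
+"
+
+test_launch_ipfs_daemon
+
+# https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
+test_expect_success "OPTIONS with preflight request to API with CORS allowlist succeeds" '
+curl -svX OPTIONS -A "Mozilla" -H "Origin: https://valid.example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: origin, x-requested-with" "http://127.0.0.1:$API_PORT/api/v0/id" 2>curl_output &&
+cat curl_output
+'
+
+# OPTION Response from Gateway should contain CORS headers, otherwise JS won't work
+test_expect_success "OPTIONS response for API with CORS allowslist looks good" '
+grep "< Access-Control-Allow-Origin: https://valid.example.com" curl_output
+'
+
+test_expect_success "browser is able to access API with valid Origin matching CORS allowlist" '
+curl -sD - -X POST -A "Mozilla" -H "Origin: https://valid.example.com" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
+grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
+'
+
+test_kill_ipfs_daemon
+test_done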
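Review bot: The rejection path is covered only by the no-Origin case and `https://invalid.example.com`, both run before the custom allowlist is configured, so nothing checks that an unlisted Origin is still refused once `Access-Control-Allow-Origin` is set to `https://valid.example.com`, or that a loopback Origin on a port other than `$API_PORT` is refused. Both are presumably 403 given the `<port>` placeholder in the allowlist, but that is exactly the behaviour a browser-security test file should lock in. The "OPTIONS with preflight request" test asserts nothing beyond curl exiting 0 (there is no `-f` and the output is only `cat`-ed); the comment above the following test says "Gateway" although the request goes to the API port, and "allowslist" in its title is a typo. The IPv6 case sends the `[::1]` Origin to `127.0.0.1`, so it covers the allowlist entry rather than a listener on `::1`. Two negative tests I would add are below; port `1` is an arbitrary constructed value.

```shell
# first daemon run, after the "invalid Origin" test
test_expect_success "browser is unable to access API if Origin is localhost on a different port" '
  curl -sD - -X POST -A "Mozilla" -H "Origin: http://127.0.0.1:1" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
  grep "HTTP/1.1 403 Forbidden" curl_output
'

# … unchanged: allowed-Origin tests, daemon restart with the CORS allowlist, preflight and valid-Origin tests …

test_expect_success "browser is unable to access API with Origin outside the CORS allowlist" '
  curl -sD - -X POST -A "Mozilla" -H "Origin: https://invalid.example.com" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
  grep "HTTP/1.1 403 Forbidden" curl_output
'
```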