opensource/kubo
1
0
Fork 0
mirror of https://github.com/ipfs/kubo.git synced 2025-08-06 11:31:54 +08:00
Code Issues Projects Releases Wiki Activity

fix: localhost API access via ipv6

Browse Source 
This adds localhost ipv6 addresses to the allowlist for use in browser
context and fixes WebUI on ipv6-only deployments: http://[::1]:5001/webui

We were missing CORS/Origin tests for API port so I've added basic ones
and included localhost/127.0.0.1/::1 variants.
This commit is contained in:
Marcin Rataj
2020-10-20 00:40:46 +02:00
parent af089dee35
commit d1c20bdff7
4 changed files with 71 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/corehttp/commands.go
View File

@ -40,6 +40,8 @@ const APIPath = "/api/v0"
var defaultLocalhostOrigins = []string{
"http://127.0.0.1:<port>",
"https://127.0.0.1:<port>",
"http://[::1]:<port>",
"https://[::1]:<port>",
"http://localhost:<port>",
"https://localhost:<port>",
}

7
test/sharness/t0112-gateway-cors.sh
View File

@ -6,16 +6,9 @@
test_description="Test HTTP Gateway CORS Support"
test_config_ipfs_cors_headers() {
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Headers '["X-Requested-With"]'
}
. lib/test-lib.sh
test_init_ipfs
test_config_ipfs_cors_headers
test_launch_ipfs_daemon
thash='QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn'

0
test/sharness/t0400-api-security.sh → test/sharness/t0400-api-no-gateway.sh
View File

69
test/sharness/t0401-api-browser-security.sh Executable file
View File

@ -0,0 +1,69 @@
#!/usr/bin/env bash
#
# Copyright (c) 2020 Protocol Labs
# MIT Licensed; see the LICENSE file in this repository.
#
test_description="Test API browser security"
. lib/test-lib.sh
test_init_ipfs
PEERID=$(ipfs config Identity.PeerID)
test_launch_ipfs_daemon
test_expect_success "browser is unable to access API without Origin" '
curl -sD - -X POST -A "Mozilla" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 403 Forbidden" curl_output
'
test_expect_success "browser is unable to access API with invalid Origin" '
curl -sD - -X POST -A "Mozilla" -H "Origin: https://invalid.example.com" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 403 Forbidden" curl_output
'
test_expect_success "browser is able to access API if Origin is the API port on localhost (ipv4)" '
curl -sD - -X POST -A "Mozilla" -H "Origin: http://127.0.0.1:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
'
test_expect_success "browser is able to access API if Origin is the API port on localhost (ipv6)" '
curl -sD - -X POST -A "Mozilla" -H "Origin: http://[::1]:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
'
test_expect_success "browser is able to access API if Origin is the API port on localhost (localhost name)" '
curl -sD - -X POST -A "Mozilla" -H "Origin: http://localhost:$API_PORT" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
'
test_kill_ipfs_daemon
test_expect_success "setting CORS in API.HTTPHeaders works via CLI" "
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '[\"https://valid.example.com\"]' &&
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '[\"POST\"]' &&
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Headers '[\"X-Requested-With\"]'
"
test_launch_ipfs_daemon
# https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
test_expect_success "OPTIONS with preflight request to API with CORS allowlist succeeds" '
curl -svX OPTIONS -A "Mozilla" -H "Origin: https://valid.example.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: origin, x-requested-with" "http://127.0.0.1:$API_PORT/api/v0/id" 2>curl_output &&
cat curl_output
'
# OPTION Response from Gateway should contain CORS headers, otherwise JS won't work
test_expect_success "OPTIONS response for API with CORS allowslist looks good" '
grep "< Access-Control-Allow-Origin: https://valid.example.com" curl_output
'
test_expect_success "browser is able to access API with valid Origin matching CORS allowlist" '
curl -sD - -X POST -A "Mozilla" -H "Origin: https://valid.example.com" "http://127.0.0.1:$API_PORT/api/v0/id" >curl_output &&
grep "HTTP/1.1 200 OK" curl_output && grep "$PEERID" curl_output
'
test_kill_ipfs_daemon
test_done