-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: secure Lassie server using authorization #273
Conversation
Configure Lassie HTTP server to require authorization with the configured access token. This change does not affect Zinnia modules with one exception: `fetch('ipfs://`) requests are not allowed to send an `Authorization` header now. Signed-off-by: Miroslav Bajtoš <oss@bajtos.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is difficult to test in an automated way 🤔
cli/main.rs
Outdated
@@ -57,6 +58,7 @@ async fn main_impl() -> Result<()> { | |||
temp_dir: None, | |||
// Listen on an ephemeral port selected by the operating system | |||
port: 0, | |||
access_token: Some(generate_lassie_access_token()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this change manually by adding console.log
to runtime/js/fetch.js
, running zinnia-dev run runtime/tests/js/ipfs_retrieval_tests.js
and observing output.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we test this by reproducing the exact case that this feature is preventing? So we get the port somehow, and try to make a direct HTTP request to lassie (doesn't matter whether that's from within Zinnia or not)
This is the difficult part! Let me think about it some more 🤔 |
Idea: Only run the test on linux, and use https://stackoverflow.com/questions/942824/how-to-find-ports-opened-by-process-id-in-linux to get the port |
Signed-off-by: Miroslav Bajtoš <oss@bajtos.net>
See 515893a |
Signed-off-by: Miroslav Bajtoš <oss@bajtos.net>
That would work too 👍🏻 |
Signed-off-by: Miroslav Bajtoš <oss@bajtos.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great!
.expect("cannot read the first line of the HTTP response") | ||
.expect("server returned at least one line"); | ||
|
||
assert_eq!(status, "HTTP/1.1 401 Unauthorized") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice!
Configure Lassie HTTP server to require authorization with the configured access token.
This change does not affect Zinnia modules with one exception:
fetch('ipfs://
) requests are not allowed to send anAuthorization
header now.Also upgrade Lassie from v0.4.0 to v0.5.1. Release notes: