
Use commit from PR #6855 to enable --unsafe-cors early #224

Merged (4 commits), Jul 27, 2020

Conversation

ethanfrey (Member)

update to 0.39.1 when ready

for now, this lets cosmjs tests pass

  • Targeted PR against correct branch (see CONTRIBUTING.md)

  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work.

  • Wrote tests

  • Updated relevant documentation (docs/)

  • Added relevant godoc comments.

  • Added a relevant changelog entry to the Unreleased section in CHANGELOG.md

  • Re-reviewed Files changed in the Github PR explorer


For admin use:

  • Added appropriate labels to PR (ex. WIP, R4R, docs, etc)
  • Reviewers assigned
  • Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

codecov bot commented Jul 27, 2020

Codecov Report

Merging #224 into master will decrease coverage by 0.07%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##           master     #224      +/-   ##
==========================================
- Coverage   72.41%   72.34%   -0.08%     
==========================================
  Files          27       27              
  Lines        2632     2632              
==========================================
- Hits         1906     1904       -2     
- Misses        614      616       +2     
  Partials      112      112              
Impacted Files Coverage Δ
lcd_test/helpers.go 75.00% <0.00%> (-0.72%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 826ca87...a03db81.

@ethanfrey (Member Author)

cosmos/cosmos-sdk#6853 was merged.

Now pin to that commit (on upstream repo), somewhere between v0.39.0 and v0.39.1

@webmaster128 (Member)

This does not seem to be working.

Demonet settings okay

This sends a preflight request as browsers do

# curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: POST' --header 'Access-Control-Request-Headers: content-type' --header 'Origin: http://localhost:1317' https://lcd.demo-09.cosmwasm.com/txs/encode 
*   Trying 142.93.236.132...
* TCP_NODELAY set
* Connected to lcd.demo-09.cosmwasm.com (142.93.236.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=lcd.demo-09.cosmwasm.com
*  start date: Jul  1 12:09:09 2020 GMT
*  expire date: Sep 29 12:09:09 2020 GMT
*  subjectAltName: host "lcd.demo-09.cosmwasm.com" matched cert's "lcd.demo-09.cosmwasm.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> OPTIONS /txs/encode HTTP/1.1
> Host: lcd.demo-09.cosmwasm.com
> User-Agent: curl/7.64.1
> Accept: */*
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: content-type
> Origin: http://localhost:1317
> 
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 27 Jul 2020 12:02:48 GMT
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Headers: Content-Type
< Access-Control-Allow-Origin: *
< X-Server-Time: 1595851368
< 
* Connection #0 to host lcd.demo-09.cosmwasm.com left intact
* Closing connection 0

Same command against this patch

$ curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: POST' --header 'Access-Control-Request-Headers: content-type' --header 'Origin: http://localhost:1317' http://localhost:1317/txs/encode 
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 1317 (#0)
> OPTIONS /txs/encode HTTP/1.1
> Host: localhost:1317
> User-Agent: curl/7.64.1
> Accept: */*
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: content-type
> Origin: http://localhost:1317
> 
< HTTP/1.1 403 Forbidden
< X-Server-Time: 1595851518
< Date: Mon, 27 Jul 2020 12:05:18 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact
* Closing connection 0

@ethanfrey (Member Author)

Rrr.... time for manual testing

@ethanfrey (Member Author)

@webmaster128 what was the command-line you used for the rest-server?

@webmaster128 (Member)

> what was the command-line you used for the rest-server?

docker exec "$CONTAINER_NAME" \
  wasmcli rest-server \
  --node tcp://localhost:26657 \
  --trust-node \
  --unsafe-cors \
  --laddr "tcp://0.0.0.0:$REST_PORT_GUEST" \
  > "$REST_SERVER_LOGFILE" &

I wonder if after the Cosmos SDK patch, the OPTIONS verb is still disallowed. The 403 is a bit strange and smells like verb whitelisting.

@ethanfrey (Member Author)

I can reproduce, with the simple case - no node even, just checking the rest api:

Run this: wasmcli rest-server --unsafe-cors --trust-node

curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: POST' --header 'Access-Control-Request-Headers: content-type' --header 'Origin: http://localhost:1317' http://localhost:1317/txs/encode

Returns 403 FORBIDDEN as you describe

curl -vsS -X POST http://localhost:1317/txs/encode

Returns 400: {"error":"UnmarshalJSON cannot decode empty bytes"} showing that there is a POST endpoint functioning there

@webmaster128 (Member)

I don't see any relevant difference between your --cors patch and the --unsafe-cors patch of the SDK :/

@ethanfrey (Member Author)

You can look at the code and the defaults here: https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L169-L173

I made a patch here to explicitly allow all origins: cosmos/cosmos-sdk#6855 but that still didn't help (local tests in wasmd)

@ethanfrey (Member Author)

Do those defaults look right? https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L28-L33

Something I need to adjust?

@webmaster128 (Member)

> You can look at the code and the defaults here: https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L169-L173

According to https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L119-L120, an empty list represents no restrictions

@ethanfrey (Member Author)

Ah... this is it:

without --header 'Access-Control-Request-Headers: content-type' the query passes:

curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: GET' --header 'Access-Control-Request-Headers: content-type' --header 'Origin: http://localhost:1317' http://localhost:1317/txs => 403

curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: GET' --header 'Origin: http://localhost:1317' http://localhost:1317/txs => 200

@ethanfrey (Member Author)

See: https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L191-L192

I will make this adjustment to allow Content-Type

@webmaster128 (Member)

> Do those defaults look right? https://github.com/gorilla/handlers/blob/v1.4.2/cors.go#L28-L33
>
> Something I need to adjust?

Ah, nice one. Content-Type is missing in that list. With content-language it works:

curl -vsS -X OPTIONS --header 'Access-Control-Request-Method: POST' --header 'Access-Control-Request-Headers: content-language' --header 'Origin: http://localhost:1317' http://localhost:1317/txs/encode

We can also try if an empty list works as all headers
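The cause pinned down in the two comments above (a preflight that names Content-Type in Access-Control-Request-Headers gets 403 because the gorilla/handlers default allowed-header list lacks Content-Type, while Content-Language or no requested headers passes) and the fix the thread settles on (explicitly allowing Content-Type), as an added illustration written for this page. It is stdlib-only Go that mirrors the preflight logic read from gorilla/handlers v1.4.2 cors.go; it is not the library's code, nor the Cosmos SDK patch. The type `corsPreflight` and the functions `preflight` and `isMatch` are assumed names chosen here; the default header list is copied from the v1.4.2 defaults linked above, and the request replays the curl commands posted in this thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// defaultCorsHeaders is the always-allowed set in gorilla/handlers v1.4.2
// (cors.go, defaultCorsHeaders). Content-Type is deliberately absent, which is
// the whole problem: browsers list it in the preflight for a JSON POST.
var defaultCorsHeaders = []string{"Accept", "Accept-Language", "Content-Language", "Origin"}

// corsPreflight is an illustrative (assumed, not gorilla's) handler that
// applies the same preflight rule: every requested header must be either a
// default header or in allowedHeaders, otherwise the preflight is refused.
type corsPreflight struct {
	allowedHeaders []string // extra headers the operator chose to allow
	next           http.Handler
}

// isMatch reports whether needle is in haystack, comparing header names
// case-insensitively (equivalent to canonicalising both sides).
func isMatch(needle string, haystack []string) bool {
	for _, h := range haystack {
		if strings.EqualFold(needle, strings.TrimSpace(h)) {
			return true
		}
	}
	return false
}

func (c corsPreflight) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodOptions {
		// Actual request: reflect the wildcard origin and pass through.
		w.Header().Set("Access-Control-Allow-Origin", "*")
		c.next.ServeHTTP(w, r)
		return
	}
	if r.Header.Get("Access-Control-Request-Method") == "" {
		w.WriteHeader(http.StatusBadRequest) // an OPTIONS that is not a preflight
		return
	}
	allowed := []string{}
	for _, v := range strings.Split(r.Header.Get("Access-Control-Request-Headers"), ",") {
		h := http.CanonicalHeaderKey(strings.TrimSpace(v))
		if h == "" || isMatch(h, defaultCorsHeaders) {
			continue // always allowed, never echoed back
		}
		if !isMatch(h, c.allowedHeaders) {
			// This is the 403 seen in the thread: no CORS headers at all are
			// emitted, so the browser reports a plain CORS failure.
			w.WriteHeader(http.StatusForbidden)
			return
		}
		allowed = append(allowed, h)
	}
	w.Header().Set("Access-Control-Allow-Origin", "*")
	if len(allowed) > 0 {
		w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowed, ","))
	}
	w.WriteHeader(http.StatusOK)
}

// preflight replays the curl preflight from the thread (OPTIONS /txs/encode,
// Origin http://localhost:1317, requested method POST) against a handler with
// the given extra allowed headers. It returns the status code and the
// Access-Control-Allow-Headers value the browser would see.
func preflight(allowedHeaders []string, requestHeaders string) (int, string) {
	h := corsPreflight{allowedHeaders: allowedHeaders, next: http.NotFoundHandler()}
	req := httptest.NewRequest(http.MethodOptions, "http://localhost:1317/txs/encode", nil)
	req.Header.Set("Origin", "http://localhost:1317")
	req.Header.Set("Access-Control-Request-Method", "POST")
	if requestHeaders != "" {
		req.Header.Set("Access-Control-Request-Headers", requestHeaders)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	fmt.Println(preflight(nil, "content-type"))                      // 403: not in the defaults
	fmt.Println(preflight(nil, "content-language"))                  // 200: always allowed
	fmt.Println(preflight(nil, ""))                                  // 200: nothing to check
	fmt.Println(preflight([]string{"Content-Type"}, "content-type")) // 200 Content-Type: the fix
}
```

The refused preflight carries no Access-Control-Allow-Origin at all, so from the browser's side it is indistinguishable from CORS being off entirely; replaying the preflight with curl and the exact Access-Control-Request-Headers the browser sends, as done above, is what separates a header-allowlist rejection from a missing --unsafe-cors. Allowing Content-Type together with a wildcard origin is fine for the local test setup this flag is meant for, but it is what the "unsafe" in the flag name refers to.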

@ethanfrey ethanfrey changed the title Use commit from PR #6853 to enable --unsafe-cors early Use commit from PR #6855 to enable --unsafe-cors early Jul 27, 2020
@alpe (Contributor) left a comment


Changes look good. untested 👍

@webmaster128 (Member) left a comment


I tested 67b9203 and it works

@ethanfrey (Member Author)

I cancelled this (CircleCI has a backlog). I will merge after cleaning up go.mod

@ethanfrey (Member Author)

Okay, my PR got into the launchpad branch. Pointed to that and cleaned up go.mod.

Then time to merge and tag a release.

@ethanfrey ethanfrey merged commit e27b610 into master Jul 27, 2020
@ethanfrey ethanfrey deleted the use-unsafe-cors-patch branch July 27, 2020 14:24