This repository has been archived by the owner on Feb 12, 2024. It is now read-only.
ipfs-http-client: files.write loses all headers after util/multipart header merge #3017
Labels
kind/bug
A bug in existing code (including security flaws)
Version:
ipfs 0.43.1
ipfs-http-client: 44.0.1
Platform:
5.3.0-51-generic ID impl + tests (core+api+cli) #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Chrome Version 81.0.4044.122 (Official Build) (64-bit)
Subsystem:
ipfs-http-client
Severity:
High
Description:
What I did
wanted to create a file using ipfs using
the ipfs daemon's api is connected via https on a remote machine behind an nginx/ssl proxy. API access is restricted via simple basic auth. Daemon is configured to send CORS headers. Nginx repeats CORS headers. Other commands besides write, e.g. stat, cat, work fine.
What happened
Server refuses request with
What I expect
the file shouldve been created ;)
Steps to reproduce the error:
connect to api on a remote ipfs daemon behind ssl / Basic Auth. Set Authorization headers on connection. send a stat -> works. send a write -> breaks.
My debug results so far
This error does not appear when using ipfs-http-client 43.0.1.
I'm pretty sure that this commit has introduced the issue: ipfs/js-ipfs-utils@070a456#diff-31b367d1856df8608494b65123d57acdR11. There, the headers are replaced with node-fetch.Headers.
Note, that the multipart util as used by
files.write
is still using a plain array for headers: https://github.com/ipfs/js-ipfs/blob/master/packages/ipfs-http-client/src/lib/multipart-request.js#L58 .When the http client is invoked, the deep merge of options here: https://github.com/ipfs/js-ipfs-utils/blob/070a45618ae0bc5b137974b7594d17fcf158b2c9/src/http.js#L179 overwrites the new
Headers
with the 2nd argument's plain array headers (original code in packagemerge-options
: https://github.com/schnittstabil/merge-options/blob/master/index.js#L158) . Therefore the authorization header (and all other headers) are lost. If you send that to a plain daemon you might not notice.The text was updated successfully, but these errors were encountered: