Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

ipfs-http-client: files.write loses all headers after util/multipart header merge #3017

Closed
elmariachi111 opened this issue May 1, 2020 · 2 comments · Fixed by #3018
Closed
Labels
kind/bug A bug in existing code (including security flaws)

Comments

@elmariachi111
Copy link

  • Version:
    ipfs 0.43.1
    ipfs-http-client: 44.0.1

  • Platform:
    5.3.0-51-generic ID impl + tests (core+api+cli) #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    Chrome Version 81.0.4044.122 (Official Build) (64-bit)

  • Subsystem:
    ipfs-http-client

Severity:

High

Description:

What I did

wanted to create a file using ipfs using

ipfs.files.write(`/path/file`, content: string, {
    create: true,
    parents: true,
  });

the ipfs daemon's api is connected via https on a remote machine behind an nginx/ssl proxy. API access is restricted via simple basic auth. Daemon is configured to send CORS headers. Nginx repeats CORS headers. Other commands besides write, e.g. stat, cat, work fine.

What happened

Server refuses request with

Access to fetch at 'https://my.ipfs.server:5001/api/v0/files/write?stream-channels=true&create=true&parents=true&arg=%.....file' from origin 'http://localhost:8100' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
http.js:147 POST https://my.ipfs.server:5001/api/v0/files/write?stream-channels=true&create=true&parents=true&arg=%,..... file net::ERR_FAILED
fetch @ http.js:147
Client.fetch @ core.js:148
post @ http.js:191
(anonymous) @ write.js:11
async function (async)
(anonymous) @ write.js:20
(anonymous) @ createRecord.ts:21
What I expect

the file shouldve been created ;)

Steps to reproduce the error:

connect to api on a remote ipfs daemon behind ssl / Basic Auth. Set Authorization headers on connection. send a stat -> works. send a write -> breaks.

My debug results so far

This error does not appear when using ipfs-http-client 43.0.1.

I'm pretty sure that this commit has introduced the issue: ipfs/js-ipfs-utils@070a456#diff-31b367d1856df8608494b65123d57acdR11. There, the headers are replaced with node-fetch.Headers.

Note, that the multipart util as used by files.write is still using a plain array for headers: https://github.com/ipfs/js-ipfs/blob/master/packages/ipfs-http-client/src/lib/multipart-request.js#L58 .

When the http client is invoked, the deep merge of options here: https://github.com/ipfs/js-ipfs-utils/blob/070a45618ae0bc5b137974b7594d17fcf158b2c9/src/http.js#L179 overwrites the new Headers with the 2nd argument's plain array headers (original code in package merge-options : https://github.com/schnittstabil/merge-options/blob/master/index.js#L158) . Therefore the authorization header (and all other headers) are lost. If you send that to a plain daemon you might not notice.

@elmariachi111 elmariachi111 added the need/triage Needs initial labeling and prioritization label May 1, 2020
@achingbrain achingbrain added kind/bug A bug in existing code (including security flaws) and removed need/triage Needs initial labeling and prioritization labels May 2, 2020
achingbrain added a commit that referenced this issue May 2, 2020
Somewhere along the line we stopped passing headers to the underlying
request library which means people can't use http auth etc to try to
secure their API servers.

Fixes #3017

Depends on:

- [ ] ipfs/js-ipfs-utils#41
@achingbrain
Copy link
Member

Thanks for the detailed investigation! It runs a little deeper because the README says you can send extra headers with every request which I don't think you can in the current release. It should be fixed by #3018.

achingbrain added a commit that referenced this issue May 5, 2020
Somewhere along the line we stopped passing headers to the underlying
request library which means people can't use http auth etc to try to
secure their API servers.

Fixes #3017
@achingbrain
Copy link
Member

This should be fixed in [email protected] - could you please try using this version and re-open this issue if the problem persists?

SgtPooki referenced this issue in ipfs/js-kubo-rpc-client Aug 18, 2022
Somewhere along the line we stopped passing headers to the underlying
request library which means people can't use http auth etc to try to
secure their API servers.

Fixes #3017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/bug A bug in existing code (including security flaws)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants