ipfs-http-client: files.write loses all headers after util/multipart header merge

[elmariachi111]

• Version:
  ipfs 0.43.1
  ipfs-http-client: 44.0.1

• Platform:
  5.3.0-51-generic ID impl + tests (core+api+cli) #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  Chrome Version 81.0.4044.122 (Official Build) (64-bit)

• Subsystem:
  ipfs-http-client

Severity:

High

Description:

What I did

wanted to create a file using ipfs using

ipfs.files.write(`/path/file`, content: string, {
    create: true,
    parents: true,
  });

the ipfs daemon's api is connected via https on a remote machine behind an nginx/ssl proxy. API access is restricted via simple basic auth. Daemon is configured to send CORS headers. Nginx repeats CORS headers. Other commands besides write, e.g. stat, cat, work fine.

What happened

Server refuses request with

Access to fetch at 'https://my.ipfs.server:5001/api/v0/files/write?stream-channels=true&create=true&parents=true&arg=%.....file' from origin 'http://localhost:8100' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
http.js:147 POST https://my.ipfs.server:5001/api/v0/files/write?stream-channels=true&create=true&parents=true&arg=%,..... file net::ERR_FAILED
fetch @ http.js:147
Client.fetch @ core.js:148
post @ http.js:191
(anonymous) @ write.js:11
async function (async)
(anonymous) @ write.js:20
(anonymous) @ createRecord.ts:21

What I expect

the file shouldve been created ;)

Steps to reproduce the error:

connect to api on a remote ipfs daemon behind ssl / Basic Auth. Set Authorization headers on connection. send a stat -> works. send a write -> breaks.

My debug results so far

This error does not appear when using ipfs-http-client 43.0.1.

I'm pretty sure that this commit has introduced the issue: ipfs/js-ipfs-utils@070a456#diff-31b367d1856df8608494b65123d57acdR11. There, the headers are replaced with node-fetch.Headers.

Note, that the multipart util as used by files.write is still using a plain array for headers: https://github.com/ipfs/js-ipfs/blob/master/packages/ipfs-http-client/src/lib/multipart-request.js#L58 .

When the http client is invoked, the deep merge of options here: https://github.com/ipfs/js-ipfs-utils/blob/070a45618ae0bc5b137974b7594d17fcf158b2c9/src/http.js#L179 overwrites the new Headers with the 2nd argument's plain array headers (original code in package merge-options : https://github.com/schnittstabil/merge-options/blob/master/index.js#L158) . Therefore the authorization header (and all other headers) are lost. If you send that to a plain daemon you might not notice.

[achingbrain]

Thanks for the detailed investigation! It runs a little deeper because the README says you can send extra headers with every request which I don't think you can in the current release. It should be fixed by #3018.

[achingbrain]

This should be fixed in [email protected] - could you please try using this version and re-open this issue if the problem persists?