SvelteKit live dev with dynamic routing fails #591
Comments
Upon further investigation I've found the root cause, and it seems like this is a limitation within Java itself. The 400 status is set here: https://github.com/quarkusio/quarkus/blob/7cf3e4e8f484aefed9ea97b08ebb2164093baa4e/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java#L122

```java
if (!uriValid(httpServerRequest)) {
    httpServerRequest.response().setStatusCode(400).end();
    return;
}
```

The

```java
private boolean uriValid(HttpServerRequest httpServerRequest) {
    if (DISABLE_URI_VALIDATION) {
        return true;
    }
    try {
        // we simply need to know if the URI is valid
        new URI(httpServerRequest.uri());
        return true;
    } catch (URISyntaxException e) {
        return false;
    }
}
```

This can be disabled by setting the

Having said that, I'll do some more tests to see if the production build requires this kind of path - if not, a workaround could be to disable URI validation in dev only. |
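The check quoted in the comment above, reproduced as an added stand-alone example (not code from Quarkus or Quinoa): it runs `java.net.URI` over constructed request targets to show that an unencoded `[` or `]` in the path is rejected while the percent-encoded form passes. The class name, the `reason` helper and the `/src/` path prefix are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class UriValidationDemo {

    // Same test as the quoted uriValid(): the request target is accepted
    // only if java.net.URI can parse it.
    static boolean uriValid(String requestUri) {
        try {
            new URI(requestUri);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Hypothetical helper: reports why and where parsing failed.
    static String reason(String requestUri) {
        try {
            new URI(requestUri);
            return "ok";
        } catch (URISyntaxException e) {
            return e.getReason() + " at index " + e.getIndex();
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed request targets; the /src prefix is an assumption about
        // how the dev server addresses the route files named in the issue.
        List<String> targets = List.of(
            "/test-slug",
            "/src/routes/[slug]/+page.svelte",
            "/src/routes/%5Bslug%5D/+page.svelte",
            "/src/routes/a b/+page.svelte");
        for (String t : targets) {
            System.out.printf("%-38s -> %s (%s)%n",
                t, uriValid(t) ? "passes check" : "400", reason(t));
        }
        // The multi-argument constructor quotes illegal path characters
        // instead of rejecting them, producing a target that passes the check.
        String quoted = new URI(null, null, "/src/routes/[slug]/+page.svelte", null).getRawPath();
        System.out.println(quoted + " -> valid: " + uriValid(quoted));
    }
}
```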
Agreed, this is not a good long-term solution. Let's see what @ia3andy says. |
This is a tricky one 🤪, my take on this is:
As a workaround this could maybe be set as a |
cc @vietj |
It's Vertx that is failing, it's a Quarkus specific check that utilizes the code pasted in OP. If there is some Vertx utility to check the validity of a URI, let's by all means use that. |
Ok, the URL is not valid in the RFC: So... the best solution would be to allow it in dev only, or through Quinoa, I wonder if I can set this for the request. |
I think we should use a quarkus configuration instead of a system property in Quarkus: This would solve the issue as we could enable this only in dev mode. Also we could keep backward compat on this with the system props: disabled if @geoand agreed? |
That was really meant to be a hidden flag, but I guess since we now have a valid use case, we can make it a real configuration option |
I'll create an issue on Quarkus.. @devpikachu so this means:
|
Super, thanks for the quick investigation @ia3andy. FYI, I've also opened an issue on Quarkus' side, more-so for the decoding failing silently rather than throwing to output: quarkusio/quarkus#37789 |
Here is the underlying issue: quarkusio/quarkus#37804 |
I'll take a look |
@all-contributors add @devpikachu for bug |
I've put up a pull request to add @devpikachu! 🎉 |
From Quarkus Team "disableURIValidation is not exposed for a reason: you want to validate URI. It's an attack vector." |
I guess this should then be documented on how to get around it in dev, as it is only a concern there. |
@treo is this ticket safe to close now that there are documented workarounds? |
At the moment this is only documented in this particular issue. #640 was for an unrelated problem. I'm not sure where exactly this particular flag needs to be documented, as I think it isn't necessarily a SvelteKit only thing. |
The Quarkus Team has decided not to take action on this as it's considered too risky from a security perspective. |
Describe the bug
Having added a SvelteKit 2 app (running with Vite 5) and then a dynamic route to it (`routes/activate/[activationToken]/+page.svelte`) results in a 500 error being displayed in browser.
Inspecting the Network tab, it seems like there's 400 errors being thrown when Svelte tries to load the code for the dynamic route:
Looking at the CLI output of Quarkus, it seems like Quinoa is not intercepting these 2 calls at all, which leads me to believe it is Quinoa returning these 400 responses. As a note, I set the logging level to TRACE and found no indication of these 2 calls being handled by the server.
Having tried running Vite directly (`pnpm run dev`), the page can be accessed as normal and it works just fine.
I've already done the config change as per #574.
Calling Quarkus:
Calling Vite directly:
Currently the only workaround to this is setting `quarkus.quinoa.dev-server` to `false` and running Vite separately, which defeats the purpose of Quinoa's DX during development.
Quinoa version
2.2.1
Quarkus version
3.6.3
Build / Runtime
Vite
Package Manager
PNPM
Steps to reproduce the behavior
(`routes/[slug]/+page.svelte`)
(`http://localhost:8080/test-slug`)
Expected behavior
The page is loaded as normal