Skip to content

Commit

Permalink
Tighten up CORS validation
Browse files Browse the repository at this point in the history
  • Loading branch information
@anbsky
anbsky committed Mar 11, 2021
1 parent f34a96f commit fd98b32
Show file tree
Hide file tree
Showing 9 changed files with 300 additions and 256 deletions.
25 changes: 19 additions & 6 deletions api/routes.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,44 +5,49 @@ import (
"strings"
"time"

"github.com/gorilla/mux"
"github.com/lbryio/lbrytv-player/pkg/paid"
"github.com/lbryio/lbrytv/app/auth"
"github.com/lbryio/lbrytv/app/proxy"
"github.com/lbryio/lbrytv/app/publish"
"github.com/lbryio/lbrytv/app/query/cache"
"github.com/lbryio/lbrytv/app/sdkrouter"
"github.com/lbryio/lbrytv/app/wallet"
"github.com/lbryio/lbrytv/apps/lbrytv/config"
"github.com/lbryio/lbrytv/internal/ip"
"github.com/lbryio/lbrytv/internal/metrics"
"github.com/lbryio/lbrytv/internal/middleware"
"github.com/lbryio/lbrytv/internal/monitor"
"github.com/lbryio/lbrytv/internal/status"

"github.com/gorilla/mux"
"github.com/prometheus/client_golang/prometheus/promhttp"
"github.com/rs/cors"
)

var logger = monitor.NewModuleLogger("api")

// emptyHandler can be used when you just need to let middlewares do their job and no actual response is needed.
func emptyHandler(_ http.ResponseWriter, _ *http.Request) {}

// InstallRoutes sets up global API handlers
func InstallRoutes(r *mux.Router, sdkRouter *sdkrouter.Router) {
upHandler := &publish.Handler{UploadPath: config.GetPublishSourceDir()}

r.Use(methodTimer)

r.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
w.Write([]byte("lbrytv api"))
})
r.HandleFunc("", proxy.HandleCORS)
r.HandleFunc("", emptyHandler)

v1Router := r.PathPrefix("/api/v1").Subrouter()
v1Router.Use(defaultMiddlewares(sdkRouter, config.GetInternalAPIHost()))

v1Router.HandleFunc("/proxy", upHandler.Handle).MatcherFunc(upHandler.CanHandle)
v1Router.HandleFunc("/proxy", proxy.Handle).Methods(http.MethodPost)
v1Router.HandleFunc("/proxy", proxy.HandleCORS).Methods(http.MethodOptions)
v1Router.HandleFunc("/proxy", emptyHandler).Methods(http.MethodOptions)

v1Router.HandleFunc("/metric/ui", metrics.TrackUIMetric).Methods(http.MethodPost)
v1Router.HandleFunc("/metric/ui", proxy.HandleCORS).Methods(http.MethodOptions)
v1Router.HandleFunc("/metric/ui", emptyHandler).Methods(http.MethodOptions)

v1Router.HandleFunc("/status", status.GetStatus).Methods(http.MethodGet)
v1Router.HandleFunc("/paid/pubkey", paid.HandlePublicKeyRequest).Methods(http.MethodGet)
Expand All @@ -53,14 +58,22 @@ func InstallRoutes(r *mux.Router, sdkRouter *sdkrouter.Router) {
v2Router := r.PathPrefix("/api/v2").Subrouter()
v2Router.Use(defaultMiddlewares(sdkRouter, config.GetInternalAPIHost()))
v2Router.HandleFunc("/status", status.GetStatusV2).Methods(http.MethodGet)
v2Router.HandleFunc("/status", proxy.HandleCORS).Methods(http.MethodOptions)
v2Router.HandleFunc("/status", emptyHandler).Methods(http.MethodOptions)
}

func defaultMiddlewares(rt *sdkrouter.Router, internalAPIHost string) mux.MiddlewareFunc {
authProvider := auth.NewIAPIProvider(rt, internalAPIHost)
memCache := cache.NewMemoryCache()
c := cors.New(cors.Options{
AllowedOrigins: config.GetCORSDomains(),
AllowCredentials: true,
AllowedHeaders: []string{wallet.TokenHeader, "X-Requested-With", "Content-Type", "Accept"},
})
logger.Log().Infof("added CORS domains: %v", config.GetCORSDomains())

return middleware.Chain(
metrics.MeasureMiddleware(),
c.Handler,
ip.Middleware,
sdkrouter.Middleware(rt),
auth.Middleware(authProvider),
Expand Down
57 changes: 40 additions & 17 deletions api/routes_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,28 +48,51 @@ func TestRoutesPublish(t *testing.T) {
assert.Contains(t, rr.Body.String(), `"code": -32084`)
}

func TestRoutesOptions(t *testing.T) {
func TestCORS(t *testing.T) {
r := mux.NewRouter()
rt := sdkrouter.New(config.GetLbrynetServers())

allowedDomains := []string{
"https://odysee.com",
"https://somedomain.com",
}
config.Override("CORSDomains", allowedDomains)

InstallRoutes(r, rt)

cases := map[string]string{
"https://odysee.com": "https://odysee.com",
"https://somedomain.com": "https://somedomain.com",
"https://someotherdomain.com": "",
"https://lbry.tv": "",
}

for _, url := range []string{"/api/v1/proxy", "/api/v2/status"} {
t.Run(url, func(t *testing.T) {
req, err := http.NewRequest("OPTIONS", url, nil)
require.NoError(t, err)
rr := httptest.NewRecorder()

r.ServeHTTP(rr, req)
h := rr.Result().Header
assert.Equal(t, http.StatusOK, rr.Code)
assert.Equal(t, "7200", h.Get("Access-Control-Max-Age"))
assert.Equal(t, "*", h.Get("Access-Control-Allow-Origin"))
assert.Equal(
t,
"X-Lbry-Auth-Token, Origin, X-Requested-With, Content-Type, Accept",
h.Get("Access-Control-Allow-Headers"),
)
})
for orig, chost := range cases {
t.Run(fmt.Sprintf("%v @ %v", url, orig), func(t *testing.T) {
req, err := http.NewRequest(http.MethodOptions, url, nil)
require.NoError(t, err)

req.Header.Set("origin", orig)
req.Header.Set("Access-Control-Request-Headers", "content-type,x-lbry-auth-token")
req.Header.Set("Access-Control-Request-Method", http.MethodPost)

rr := httptest.NewRecorder()

r.ServeHTTP(rr, req)
h := rr.Result().Header
require.Equal(t, http.StatusOK, rr.Code)

assert.Equal(t, chost, h.Get("Access-Control-Allow-Origin"))
if chost != "" {
assert.Equal(
t,
"Content-Type, X-Lbry-Auth-Token",
h.Get("Access-Control-Allow-Headers"),
)
}
})
}
}
}

Expand Down
14 changes: 2 additions & 12 deletions app/proxy/proxy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ import (
"github.com/lbryio/lbrytv/app/query/cache"
"github.com/lbryio/lbrytv/app/rpcerrors"
"github.com/lbryio/lbrytv/app/sdkrouter"
"github.com/lbryio/lbrytv/app/wallet"
"github.com/lbryio/lbrytv/internal/audit"
"github.com/lbryio/lbrytv/internal/errors"
"github.com/lbryio/lbrytv/internal/ip"
Expand Down Expand Up @@ -62,7 +61,7 @@ func writeResponse(w http.ResponseWriter, b []byte) {
// Handle forwards client JSON-RPC request to proxy.
func Handle(w http.ResponseWriter, r *http.Request) {
responses.AddJSONContentType(w)
origin := getOrigin(r)
origin := getDevice(r)

if r.Body == nil {
w.WriteHeader(http.StatusBadRequest)
Expand Down Expand Up @@ -183,15 +182,6 @@ func Handle(w http.ResponseWriter, r *http.Request) {
writeResponse(w, serialized)
}

// HandleCORS returns necessary CORS headers for pre-flight requests to proxy API
func HandleCORS(w http.ResponseWriter, r *http.Request) {
hs := w.Header()
hs.Set("Access-Control-Max-Age", "7200")
hs.Set("Access-Control-Allow-Origin", "*")
hs.Set("Access-Control-Allow-Headers", wallet.TokenHeader+", Origin, X-Requested-With, Content-Type, Accept")
w.WriteHeader(http.StatusOK)
}

func GetAuthError(user *models.User, err error) error {
if err == nil && user != nil {
return nil
Expand All @@ -208,7 +198,7 @@ func GetAuthError(user *models.User, err error) error {
return errors.Err("unknown auth error")
}

func getOrigin(r *http.Request) string {
func getDevice(r *http.Request) string {
rf := r.Header.Get("referer")
ua := r.Header.Get("user-agent")
if strings.HasSuffix(rf, "odysee.com/") {
Expand Down
21 changes: 5 additions & 16 deletions app/proxy/proxy_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,6 @@ import (
"github.com/ybbus/jsonrpc"
)

func TestProxyOptions(t *testing.T) {
r, err := http.NewRequest("OPTIONS", "/api/proxy", nil)
require.NoError(t, err)

rr := httptest.NewRecorder()
HandleCORS(rr, r)

response := rr.Result()
assert.Equal(t, http.StatusOK, response.StatusCode)
}

func TestProxyNilQuery(t *testing.T) {
r, err := http.NewRequest("POST", "", nil)
require.NoError(t, err)
Expand Down Expand Up @@ -90,22 +79,22 @@ func TestProxyDontAuthRelaxedMethods(t *testing.T) {
assert.Equal(t, 0, apiCalls)
}

func Test_getOrigin(t *testing.T) {
func Test_getDevice(t *testing.T) {
var r *http.Request

r, _ = http.NewRequest(http.MethodGet, "", nil)
r.Header.Add("Referer", "https://odysee.com/")
assert.Equal(t, orgOdysee, getOrigin(r))
assert.Equal(t, orgOdysee, getDevice(r))

r, _ = http.NewRequest(http.MethodGet, "", nil)
r.Header.Add("Referer", "https://lbry.tv/")
assert.Equal(t, orgLbrytv, getOrigin(r))
assert.Equal(t, orgLbrytv, getDevice(r))

r, _ = http.NewRequest(http.MethodGet, "", nil)
r.Header.Add("User-Agent", "okhttp/3.12.1")
assert.Equal(t, orgAndroid, getOrigin(r))
assert.Equal(t, orgAndroid, getDevice(r))

r, _ = http.NewRequest(http.MethodGet, "", nil)
r.Header.Add("User-Agent", "Odysee")
assert.Equal(t, orgiOS, getOrigin(r))
assert.Equal(t, orgiOS, getDevice(r))
}
4 changes: 4 additions & 0 deletions apps/lbrytv/config/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -150,3 +150,7 @@ func GetLbrynetXPercentage() int {
func GetTokenCacheTimeout() time.Duration {
return Config.Viper.GetDuration("TokenCacheTimeout") * time.Second
}

func GetCORSDomains() []string {
return Config.Viper.GetStringSlice("CORSDomains")
}
16 changes: 11 additions & 5 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,12 @@ module github.com/lbryio/lbrytv
go 1.15

require (
github.com/getkin/kin-openapi v0.15.0
github.com/getkin/kin-openapi v0.33.0
github.com/getsentry/sentry-go v0.6.1
github.com/gobuffalo/packr/v2 v2.8.0
github.com/gobuffalo/logger v1.0.3 // indirect
github.com/gobuffalo/packd v1.0.0 // indirect
github.com/gobuffalo/packr/v2 v2.7.1
github.com/google/go-cmp v0.5.4 // indirect
github.com/gorilla/mux v1.7.4
github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
github.com/jinzhu/gorm v1.9.9
Expand All @@ -23,8 +26,9 @@ require (
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.7.1
github.com/prometheus/client_model v0.2.0
github.com/rogpeppe/go-internal v1.6.2 // indirect
github.com/rs/cors v1.7.0
github.com/rubenv/sql-migrate v0.0.0-20200429072036-ae26b214fa43
github.com/sergi/go-diff v1.1.0 // indirect
github.com/sirupsen/logrus v1.6.0
github.com/spf13/afero v1.5.1 // indirect
github.com/spf13/cast v1.3.1
Expand All @@ -36,8 +40,10 @@ require (
github.com/volatiletech/null v8.0.0+incompatible
github.com/volatiletech/sqlboiler v3.4.0+incompatible
github.com/ybbus/jsonrpc v2.1.2+incompatible
golang.org/x/sys v0.0.0-20201223074533-0d417f636930 // indirect
golang.org/x/text v0.3.4 // indirect
goa.design/goa/v3 v3.2.6
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
golang.org/x/sys v0.0.0-20210309074719-68d13333faf2 // indirect
golang.org/x/text v0.3.5 // indirect
gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect
gopkg.in/ini.v1 v1.62.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
Expand Down
Loading

0 comments on commit fd98b32

Please sign in to comment.