Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Allow redirects to repos #1028

Open
christhekeele opened this issue May 21, 2024 · 4 comments
Open

Proposal: Allow redirects to repos #1028

christhekeele opened this issue May 21, 2024 · 4 comments

Comments

@christhekeele
Copy link

Usecase

  • I have a self-hosted repository in Fly Tigris object storage like: https://fly.storage.tigris.dev/my-hex-registry
  • I have a 302 redirect set up to it like https://hex.example.com to hide the storage implementation details
  • I would like mix hex.repo add my-hex https://hex.example.com to work instead of requiring the precise bucket location

Current Behaviour

Today I just get an error after about 30 seconds of what I assume is retrying in Mix.install:

Error 
** (Mix.Error) No package with name my-package (from: mix.exs) in registry
    (mix 1.15.7) lib/mix.ex:577: Mix.raise/2
    (hex 2.0.6) lib/hex/remote_converger.ex:317: Hex.RemoteConverger.verify_package_req/4
    (elixir 1.15.7) lib/enum.ex:984: Enum."-each/2-lists^foreach/1-0-"/2
    (hex 2.0.6) lib/hex/remote_converger.ex:306: Hex.RemoteConverger.verify_input/2
    (hex 2.0.6) lib/hex/remote_converger.ex:52: Hex.RemoteConverger.converge/2
    (mix 1.15.7) lib/mix/dep/converger.ex:133: Mix.Dep.Converger.all/4
    (mix 1.15.7) lib/mix/dep/converger.ex:89: Mix.Dep.Converger.converge/4
    #cell:setup:13: (file)

Providing the full storage location works fine.

I believe this could be fixed in Hex.HTTP by giving :httpc the autoredirect: true option; it is given false today.

Proposal

I assume it is enforced off today for security and trust reasons I am not fluent in. I think it would be nice to make this opt-in configurable, unless doing so has implications lost on me that would compromise hex's general trust model.

I would propose parameterizing it, defaulting to false, via env vars similar to HEX_UNSAFE_REGISTRY=1. Perhaps something like HEX_FOLLOW_REDIRECTS=1?
@wojtekmach
Copy link
Member

I think autoredirect: true by default would be fine given all repository resources are signed. Otherwise, adding an option to enable is fine by me too. Let's wait for some more feedback but I believe a PR would be welcome!

@ericmj
Copy link
Member

ericmj commented May 22, 2024
edited

We should be handling redirects:

hex/lib/hex/http.ex

Line 113 in 0a5c49f

defp redirect(request, http_opts, times, fun) do
Is it not working?

@christhekeele
Copy link
Author

christhekeele commented May 30, 2024
edited

I'm still seeing the error reported above; but perhaps it is not in fact related to redirects. I will try to set up a repro this week.

@ericmj
Copy link
Member

ericmj commented Jun 18, 2024

@christhekeele Did you learn anything more about this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wojtekmach @ericmj @christhekeele