From 5e7a7916af727d63d8fe67790a3821fcf8fe0664 Mon Sep 17 00:00:00 2001
From: Andrei Fleiser
Date: Wed, 29 Oct 2025 16:27:15 +0100
Subject: [PATCH 1/3] restrict to station domain only
---
 api/middleware.go | 28 ++++++++++++++++++++
 api/restapi/configure_node_manager_plugin.go | 3 ++-
 go.mod | 4 ++-
 go.sum | 4 +--
 manifest.json | 2 +-
 5 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 api/middleware.go
diff --git a/api/middleware.go b/api/middleware.go
new file mode 100644
index 0000000..727e415
--- /dev/null
+++ b/api/middleware.go
@@ -0,0 +1,28 @@
+package api
+
+import (
+ "net/http"
+
+ stationHttpUtils "github.com/massalabs/station/pkg/http"
+ "github.com/massalabs/station/pkg/logger"
+)
+
+func OriginRestrictMiddleware(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ origin := stationHttpUtils.GetRequestOrigin(r)
+ hostname := stationHttpUtils.ExtractHostname(origin)
+
+ for _, allowedDomain := range allowedDomains() {
+ if hostname == allowedDomain {
+ next.ServeHTTP(w, r)
+ return
+ }
+ }
+ logger.Warnf("Origin %s not allowed", origin)
+ http.Error(w, "Origin not allowed", http.StatusForbidden)
+ })
+}
+
+func allowedDomains() []string {
+ return []string{"station.massa", "localhost", "127.0.0.1"}
+}
diff --git a/api/restapi/configure_node_manager_plugin.go b/api/restapi/configure_node_manager_plugin.go
index 9e0a1b5..50001ea 100644
--- a/api/restapi/configure_node_manager_plugin.go
+++ b/api/restapi/configure_node_manager_plugin.go
@@ -10,6 +10,7 @@ import (
 "github.com/go-openapi/errors"
 "github.com/go-openapi/runtime"
 "github.com/go-openapi/runtime/middleware"
+ "github.com/massalabs/node-manager-plugin/api"
 "github.com/massalabs/node-manager-plugin/api/restapi/operations"
 )
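Review bot: The allow-list in `OriginRestrictMiddleware` is matched on the hostname alone (`hostname == allowedDomain`), so, assuming `ExtractHostname` strips scheme and port as its name suggests, a page served from any port on `localhost` or `127.0.0.1` passes the same check as Station itself. If the goal is the one in the subject line, consider comparing the full origin (scheme, host and port) or keeping the loopback entries out of release builds. What the middleware does with a request that carries no `Origin` header depends on `stationHttpUtils.GetRequestOrigin`, which is not visible in this patch; a doc comment on the exported function and a table-driven test for the empty, other-port and mixed-case cases would pin that contract down. The rejected value is header-supplied and logged with `%s`; `logger.Warnf("Origin %q not allowed", origin)` keeps it from being read as log structure.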
@@ -104,5 +105,5 @@ func setupMiddlewares(handler http.Handler) http.Handler {
 // The middleware configuration happens before anything, this middleware also applies to serving the swagger.json document.
 // So this is a good place to plug in a panic handling middleware, logging and metrics.
 func setupGlobalMiddleware(handler http.Handler) http.Handler {
- return handler
+ return api.OriginRestrictMiddleware(handler)
 }
diff --git a/go.mod b/go.mod
index a85c9e5..549f2bf 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/go-openapi/swag v0.23.1
 github.com/go-openapi/validate v0.24.0
 github.com/jessevdk/go-flags v1.5.0
- github.com/massalabs/station v0.6.9
+ github.com/massalabs/station v0.8.2
 github.com/massalabs/station-massa-wallet v0.5.1
 github.com/massalabs/station/plugin-kit v0.1.1
 github.com/ncruces/go-sqlite3 v0.27.1
@@ -54,3 +54,5 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 lukechampine.com/blake3 v1.1.7 // indirect
 )
+
+//replace github.com/massalabs/station => /home/andrei/Projects/station-ecosystem/station
diff --git a/go.sum b/go.sum
index 79f8020..8394aa5 100644
--- a/go.sum
+++ b/go.sum
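Review bot: Nothing in this series verifies that the origin check wired in through `setupGlobalMiddleware` is part of the handler the server actually serves; patch 3/3 has to remove a later `a.apiServer.SetHandler(a.api.Serve(nil))` call in `int/api/api.go` which, judging by its subject, was replacing the chain and leaving the restriction inactive. A regression test that builds the handler the way `(*API).Start` does and asserts `http.StatusForbidden` for a disallowed origin would catch the next silent override. Since the existing comment says this hook also covers the swagger.json document, a line such as `// The origin allow-list applies to every route, including the spec document.` above the return would make that scope explicit.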
@@ -65,8 +65,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= -github.com/massalabs/station v0.6.9 h1:eampc2dndCq8BHUydRlcMSy1i1dBhxqI5tKWKGMMj+4= -github.com/massalabs/station v0.6.9/go.mod h1:fvIMuIS8v1/tu5e4FPvvqEJEcLsZN+wUD5OMSHD/rO8= +github.com/massalabs/station v0.8.2 h1:hmGejQvr7FJBjxH1ot/iQRY+MKAjayaCQBOeePvvtwM= +github.com/massalabs/station v0.8.2/go.mod h1:fvIMuIS8v1/tu5e4FPvvqEJEcLsZN+wUD5OMSHD/rO8= github.com/massalabs/station-massa-wallet v0.5.1 h1:tF4sX7Qt3mcFyLqlqbBj6uUqQgDMYa+3/uQkHF3j/1I= github.com/massalabs/station-massa-wallet v0.5.1/go.mod h1:36O0NV1arEDy8NXPGj+vtlTftAgJ/QgG+keIOatZOnw= github.com/massalabs/station/plugin-kit v0.1.1 h1:KIzEjQX1ukgSSmmnD3EVADN9N7h3kTbFzHI3lal9+Po= diff --git a/manifest.json b/manifest.json index d2f2b2c..373b3a5 100644 --- a/manifest.json +++ b/manifest.json @@ -4,6 +4,6 @@ "description": "Massa blockchain official node manager", "logo": "favicon.svg", "home": "", - "version": "0.4.2", + "version": "0.4.3", "apispec": "" } \ No newline at end of file From abc21687979925d7c3399b8d0088e6071336489a Mon Sep 17 00:00:00 2001 From: Andrei <34773578+fleandrei@users.noreply.github.com> Date: Wed, 29 Oct 2025 16:34:45 +0100 Subject: [PATCH 2/3] Update go.mod Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- go.mod | 1 - 1 file changed, 1 deletion(-) diff --git a/go.mod b/go.mod index 549f2bf..1667c45 100644 --- a/go.mod +++ b/go.mod @@ -55,4 +55,3 @@ require ( lukechampine.com/blake3 v1.1.7 // indirect ) -//replace github.com/massalabs/station => /home/andrei/Projects/station-ecosystem/station From ae284757d6cc98b87036b4a6ef9c89e713ca845b Mon Sep 17 00:00:00 2001 
From: Andrei Fleiser Date: Thu, 30 Oct 2025 12:00:26 +0100 Subject: [PATCH 3/3] fix middleware not overrided --- int/api/api.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/int/api/api.go b/int/api/api.go index a59a8e9..f317c88 100644 --- a/int/api/api.go +++ b/int/api/api.go @@ -126,8 +126,6 @@ func (a *API) Start() { a.registerHandlers() a.apiServer.ConfigureAPI() - a.apiServer.SetHandler(a.api.Serve(nil)) - logger.Infof("Starting node manager plugin API on port %d", a.apiServer.Port) // launch the plugin API