restrict to station domain only

api/middleware.go

@@ -0,0 +1,28 @@
+package api
+
+import (
+	"net/http"
+
+	stationHttpUtils "github.com/massalabs/station/pkg/http"
+	"github.com/massalabs/station/pkg/logger"
+)
+
+func OriginRestrictMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := stationHttpUtils.GetRequestOrigin(r)
+		hostname := stationHttpUtils.ExtractHostname(origin)
+
+		for _, allowedDomain := range allowedDomains() {
+			if hostname == allowedDomain {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
+		logger.Warnf("Origin %s not allowed", origin)
+		http.Error(w, "Origin not allowed", http.StatusForbidden)
+	})
+}
+
+func allowedDomains() []string {
+	return []string{"station.massa", "localhost", "127.0.0.1"}
+}

api/restapi/configure_node_manager_plugin.go

@@ -10,6 +10,7 @@ import (
 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/runtime/middleware"
+	"github.com/massalabs/node-manager-plugin/api"
 	"github.com/massalabs/node-manager-plugin/api/restapi/operations"
 )
 
@@ -104,5 +105,5 @@ func setupMiddlewares(handler http.Handler) http.Handler {
 // The middleware configuration happens before anything, this middleware also applies to serving the swagger.json document.
 // So this is a good place to plug in a panic handling middleware, logging and metrics.
 func setupGlobalMiddleware(handler http.Handler) http.Handler {
-	return handler
+	return api.OriginRestrictMiddleware(handler)
 }

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/go-openapi/swag v0.23.1
 	github.com/go-openapi/validate v0.24.0
 	github.com/jessevdk/go-flags v1.5.0
-	github.com/massalabs/station v0.6.9
+	github.com/massalabs/station v0.8.2
 	github.com/massalabs/station-massa-wallet v0.5.1
 	github.com/massalabs/station/plugin-kit v0.1.1
 	github.com/ncruces/go-sqlite3 v0.27.1
@@ -54,3 +54,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
+

go.sum

@@ -65,8 +65,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
-github.com/massalabs/station v0.6.9 h1:eampc2dndCq8BHUydRlcMSy1i1dBhxqI5tKWKGMMj+4=
-github.com/massalabs/station v0.6.9/go.mod h1:fvIMuIS8v1/tu5e4FPvvqEJEcLsZN+wUD5OMSHD/rO8=
+github.com/massalabs/station v0.8.2 h1:hmGejQvr7FJBjxH1ot/iQRY+MKAjayaCQBOeePvvtwM=
+github.com/massalabs/station v0.8.2/go.mod h1:fvIMuIS8v1/tu5e4FPvvqEJEcLsZN+wUD5OMSHD/rO8=
 github.com/massalabs/station-massa-wallet v0.5.1 h1:tF4sX7Qt3mcFyLqlqbBj6uUqQgDMYa+3/uQkHF3j/1I=
 github.com/massalabs/station-massa-wallet v0.5.1/go.mod h1:36O0NV1arEDy8NXPGj+vtlTftAgJ/QgG+keIOatZOnw=
 github.com/massalabs/station/plugin-kit v0.1.1 h1:KIzEjQX1ukgSSmmnD3EVADN9N7h3kTbFzHI3lal9+Po=

int/api/api.go

@@ -126,8 +126,6 @@ func (a *API) Start() {
 	a.registerHandlers()
 	a.apiServer.ConfigureAPI()
 
-	a.apiServer.SetHandler(a.api.Serve(nil))
-
 	logger.Infof("Starting node manager plugin API on port %d", a.apiServer.Port)
 
 	// launch the plugin API

manifest.json

@@ -4,6 +4,6 @@
     "description": "Massa blockchain official node manager",
     "logo": "favicon.svg",
     "home": "",
-    "version": "0.4.2",
+    "version": "0.4.3",
     "apispec": ""
   }