Mailer templates cannot be fetched from private IPs #324

Closed
edwardcwang opened this issue Aug 4, 2022 · 4 comments
@edwardcwang

- Do you want to request a feature or report a bug? Bug

- What is the current behavior? Mailer template URLs such as the one in GOTRUE_MAILER_TEMPLATES_CONFIRMATION or GOTRUE_MAILER_TEMPLATES_RECOVERY cannot be fetched from private URLs.

- If the current behavior is a bug, please provide the steps to reproduce.

  1. Spin up GoTrue in a docker-compose environment and point mailer template URLs e.g. GOTRUE_MAILER_TEMPLATES_RECOVERY at another container.
  2. Attempt to initiate e.g. a password recovery e-mail.
  3. Template not fetched and used; default template loaded instead. Error messages in console:

```
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"","remote_addr":"172.19.0.4:47086","timestamp":"2022-08-04T17:45:35Z"}
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
2022/08/04 17:45:35 Error loading template from http://anothercontainer:8080/recovery.txt: Get "http://anothercontainer:8080/recovery.txt": context canceled
```

- What is the expected behavior? Mailer templates should be able to be fetched from private IPs, particularly in a Docker setting. Or at least provide the option to whitelist certain IP ranges.

- Please mention your Go version, and operating system version.

https://hub.docker.com/layers/gotrue/supabase/gotrue/v2.10.3/images/sha256-fdb56c9d06f84cf7a61186927b8f2501bd39a671b90fae99277682cc867af9cb?context=explore

@jojomatik

I also ran into this issue using supabase and email templates that I want to retrieve from another container locally (even over https).

Are there any plans to fix this issue by adding an environment variable or config option to disable this, or are there any security concerns preventing this from ever happening?


This issue has been automatically marked as stale because it has not had activity in 1 year. It will be closed in 7 days if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale label Dec 23, 2023

This issue was closed because it had no activity for over 1 year.

@edwardcwang

This is still an issue?
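
One way to implement the range allowlist requested in this thread, as an added example that is not GoTrue's code: a Go dialer hook that keeps refusing private destinations unless they fall inside an operator-supplied CIDR list. The names `CheckDial`, `NewTemplateClient` and `ParsePrefixes`, and the `172.19.0.0/16` subnet, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// Refused by default: loopback, RFC 1918, link-local (cloud metadata), IPv6 ULA.
var blocked = ParsePrefixes("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")

func ParsePrefixes(cidrs ...string) (out []netip.Prefix) {
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c)) // panics on a malformed CIDR
	}
	return out
}

func contains(ps []netip.Prefix, ip netip.Addr) (hit bool) {
	for _, p := range ps {
		hit = hit || p.Contains(ip)
	}
	return hit
}

// CheckDial vets the post-DNS IP the socket will connect to, not the URL's hostname.
func CheckDial(address string, allow []netip.Prefix) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("refusing unparsable dial address %q: %w", address, err)
	}
	ip := ap.Addr().Unmap().WithZone("") // normalise ::ffff:a.b.c.d and zoned IPv6
	if contains(blocked, ip) && !contains(allow, ip) {
		return fmt.Errorf("destination %s is in a blocked range", ip)
	}
	return nil
}

// NewTemplateClient (hypothetical name) applies CheckDial to every connection.
func NewTemplateClient(allow []netip.Prefix) *http.Client {
	ctl := func(_, addr string, _ syscall.RawConn) error { return CheckDial(addr, allow) }
	d := &net.Dialer{Timeout: 5 * time.Second, Control: ctl}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() { fmt.Println(CheckDial("169.254.169.254:80", ParsePrefixes("172.19.0.0/16"))) }
```

Allowlisting only the subnet that hosts the template server keeps loopback, link-local metadata addresses and every other private range blocked, which a global off switch would not.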
