search

GoogleCloudPlatform / avocano

Avocano is a sample dropship/fake product website, built with Firebase Hosting, Cloud Run, Cloud SQL and Cloud Build
https://avocano.web.app
Apache License 2.0
65 stars 28 forks source link

🐞 [Bug Report] - deterministic urls update #493

Open glasnt opened 1 day ago

glasnt commented 1 day ago

Describe the bug

With the release of Deterministic URLs, Cloud Run services now have two default urls: 

SERVICE-PROJECTNUM.REGION.run.app
SERVICE-HASH-REGIONCODE.a.run.app

Avocano uses self-csrf to build the hash-regioncode variation of it's own URL, but not the new version.

This causes issues when trying to use the web-interface for the server, specifically when using the default presented URL in the Google Cloud Console or Service URL in the output of a gcloud run deploy (both report the projectnum variation)

Additional context

internal b/367711357

glasnt commented 1 day ago

A possible way to do this, replacing most of the logic in _service_url

# pip install google-api-python-client

from googleapiclient.discovery import build

run = build("run", "v1")
fqname = f"projects/{project}/locations/{region}/services/{service}"
service = run.projects().locations().services().get(name=fqname).execute()
urls = service['metadata']['annotations']['run.googleapis.com/urls']

May no longer need google-cloud-run, instead google-api-python-client (or both).

Also need to update the ALLOWED_HOSTS to support a list, possibly similar to the Codelabs update https://codelabs.developers.google.com/codelabs/cloud-run-django#5:

# If defined, add service URLs to Django security settings
CLOUDRUN_SERVICE_URLS = env("CLOUDRUN_SERVICE_URLS", default=None)
if CLOUDRUN_SERVICE_URLS:
    CSRF_TRUSTED_ORIGINS = env("CLOUDRUN_SERVICE_URLS").split(",")
    # Remove the scheme from URLs for ALLOWED_HOSTS
    ALLOWED_HOSTS = [urlparse(url).netloc for url in CSRF_TRUSTED_ORIGINS]
else:
    ALLOWED_HOSTS = ["*"]