Enforce HTTPS for back-ends

[m-mohr]

Once Open-EO/openeo-geopyspark-driver#4 is solved, we can drop HTTP support.

[christophfriedrich]

Thanks for opening a dedicated issue, I was also in the process of writing one but you beat me to it :D

For future reference: This discussion originated here: https://github.com/Open-EO/openeo-hub/commit/c4763b3a9d413c5ea7c05e32945c621253065e99#r38138886

[christophfriedrich]

What is meant are workarounds like this one: https://github.com/Open-EO/openeo-hub/blob/c4763b3a9d413c5ea7c05e32945c621253065e99/src/components/Backend.vue#L135-L139

I'm wondering whether this is the only snippet that needs changing or whether there are more :thinking:

A quick search for "http" through the codebase revealed a few links to our own websites that could be updated, like: https://github.com/Open-EO/openeo-hub/blob/c4763b3a9d413c5ea7c05e32945c621253065e99/README.md#L2

Can't think of any more at the moment.

[m-mohr]

I'd probably be quite strict and either not indexing any http back-ends in the well known document or mark them as insecure.

Linking to the https Web Editor with a http back-end url would result in a connection error anyway.

[christophfriedrich]

So should this issue be renamed "Enforce HTTPS support"? i.e. Should the Hub check before each crawl that all URLs listed in the config (and while crawling: each URL retrieved from the well-known doc) start with https and refuse to crawl those that don't?

[m-mohr]

If we want to go the strict way, yes. What do you think?

[m-mohr]

The Web Editor shows a warning for HTTP as of now: https://github.com/Open-EO/openeo-web-editor/issues/84

[christophfriedrich]

I'm unsure.

I had already written this paragraph and was about to post it: In general, we only want to list (and therefore promote) backends that are compliant to the API spec. And supporting HTTPS is part of that spec, so we should be strict here, too. After all, being strict is what will force backends to be compliant.

But then thought: All data the Hub requests is public anyway, so not having HTTPS isn't really an issue on the Hub's side. But it may be one on the user side once they found a suitable backend and work with it. Whether it actually is an issue for the individual user could be left to their decision.

The question is: Will there be backends that would be valuable to users but fail to provide HTTPS? If there's a reasonable chance for that, we shouldn't demand it.

On the other hand: Since Let's Encrypt, supporting it isn't that hard anymore, is it?

I'm inclined to being strict.

[m-mohr]

I pretty much agree with everything you said.

Will there be backends that would be valuable to users but fail to provide HTTPS? If there's a reasonable chance for that, we shouldn't demand it.

I don't think there is. I don't think there's any production-level back-end that implements no authentication and if' there's authentication it must implement HTTPS or it's highly insecure. We shouldn't promote any back-end that doesn't care for user credentials. There's probably some non HTTPS back-ends locally (and that's the reason the Web Editor still optionally works on HTTP), but local back-ends can't be accessed by the Hub.

So, yes, I'd also say, enforce HTTPS.

[christophfriedrich]

Note: The issue we're waiting for has been transferred so it's now no longer Open-EO/openeo-geopyspark-driver#4 but Open-EO/openeo-python-driver#30

[m-mohr]

The dependency is solved and this issue can be tackled now.

[christophfriedrich]

Implemented. Please comment/reopen if anything's missing.