e-Spirit / fsxa-nuxt-module

Apache License 2.0

serverUrl not using https #75

Closed tmountjr closed 2 years ago

tmountjr commented 2 years ago

I'm working on this module as part of a larger effort with a prospective client of ours and I noticed that the plugin is not using https for the serverUrl when setting up the proxy config:

const proxyApiConfig = {
  clientUrl: path,
  serverUrl: `http://${nuxtHost}:${nuxtPort}${path}`,
  logLevel: "<%= options.logLevel %>",
  contentMode: runtimeConfig.FSXA_MODE,
};

Shouldn't the serverUrl use https in all cases except localhost? eg.

const serverProtocol = nuxtHost === 'localhost' ? 'http' : 'https'
const proxyApiConfig = {
  clientUrl: path,
  serverUrl: `${serverProtocol}://${nuxtHost}:${nuxtPort}${path}`,
  logLevel: "<%= options.logLevel %>",
  contentMode: runtimeConfig.FSXA_MODE,
};

nico-mcalley commented 2 years ago

Hi @tmountjr, mhh, I'm not sure if this is really a problem. In general you are right, but for all the deployments I know, the fsxa-api and the nuxt host are running on the same machine, and when the connection is not routed through the internet I suppose there is no problem.

I think we will write this into our documentation as well, since it is really unsafe to let different hosts communicate via http. Do you know of any usage where those two hosts are not running on the same machine?

tmountjr commented 2 years ago

Could be I'm just making an incorrect assumption about the request flow. Is the middleware calling another route also served by the same middleware? Or is it calling the CMS directly? See #76 for a broader context to this question.

nico-mcalley commented 2 years ago

Hey @tmountjr, I will close this issue and we will continue with the discussion on #76.

tmountjr commented 2 years ago

@henczi-espirit wanted to reopen this with a "I would use HTTPS when..." scenario. :) Part of the troubleshooting I've been doing on #76 led me to run just the fsxa-api module independently on our platform. We do automatically redirect http to https, but it doesn't seem like the fetch methods are following that redirect. So in a scenario where someone specifies a non-localhost NUXT_HOST value, and/or an explicit NUXT_PORT=443, shouldn't there be at least an option to switch to https?

tmountjr commented 2 years ago

I guess the other thing is, it feels inconsistent to allow a non-localhost host/port combination but then assume that everyone will be using localhost and therefore default to http without any way to change it short of hacking the module source in node_modules.
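The scheme-selection logic discussed in this thread (plain http only for loopback hosts, https otherwise, plus an explicit override so nobody has to patch node_modules), written out as an added example. This is not code from fsxa-nuxt-module; the `serverProtocol` option, the `buildProxyApiConfig` helper and the hostnames in the usage are assumptions made for the illustration. It goes slightly beyond the thread in that it also treats an explicit port 443 as a signal for https and drops the default port from the resulting URL.

```javascript
// Added example, not the module's own code. Decides which scheme the proxy
// serverUrl should use and builds the proxy config from it.

// Hosts that never leave the machine; plain http is tolerable only here.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);

function isLoopback(host) {
  // IPv6 loopback may appear bracketed in URL form, e.g. "[::1]".
  return LOOPBACK_HOSTS.has(String(host).replace(/^\[|\]$/g, ""));
}

// serverProtocol is a hypothetical option (assumed here, not a real module
// option). When given it wins; otherwise port 443 or a non-loopback host
// selects https, and only a loopback host falls back to http.
function resolveServerProtocol({ nuxtHost, nuxtPort, serverProtocol }) {
  if (serverProtocol !== undefined) {
    if (serverProtocol !== "http" && serverProtocol !== "https") {
      throw new Error(`Unsupported serverProtocol: ${serverProtocol}`);
    }
    return serverProtocol;
  }
  if (Number(nuxtPort) === 443) return "https";
  return isLoopback(nuxtHost) ? "http" : "https";
}

// Builds the same shape of object the issue shows, with the scheme derived
// above. The default port for the chosen scheme is omitted from the URL.
function buildProxyApiConfig({ nuxtHost, nuxtPort, path, logLevel, contentMode, serverProtocol }) {
  const protocol = resolveServerProtocol({ nuxtHost, nuxtPort, serverProtocol });
  const defaultPort = protocol === "https" ? 443 : 80;
  const portSuffix = Number(nuxtPort) === defaultPort ? "" : `:${nuxtPort}`;
  return {
    clientUrl: path,
    serverUrl: `${protocol}://${nuxtHost}${portSuffix}${path}`,
    logLevel,
    contentMode,
  };
}

// Usage with constructed values (hostnames are placeholders):
const localConfig = buildProxyApiConfig({
  nuxtHost: "localhost", nuxtPort: 3000, path: "/api", logLevel: "info", contentMode: "preview",
});
const remoteConfig = buildProxyApiConfig({
  nuxtHost: "cms.example.internal", nuxtPort: 443, path: "/api", logLevel: "info", contentMode: "release",
});
console.log(localConfig.serverUrl);  // http://localhost:3000/api
console.log(remoteConfig.serverUrl); // https://cms.example.internal/api
```

The point of the explicit override is the one raised in the last comment: a deployment that really does run both processes on one machine can still pin `http`, while the default no longer silently sends traffic between distinct hosts in the clear.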