galaxyproject / galaxy

Data intensive science for everyone.
https://galaxyproject.org

Self host swagger JS dependencies #18081

Open mira-miracoli opened 3 months ago

mira-miracoli commented 3 months ago

We should provide self-hosted JS libraries for OpenAPI docs

from fastapi import FastAPI
from fastapi.openapi.docs import get_swagger_ui_html
app = FastAPI(docs_url=None)  # disable the default /docs route, which pulls Swagger UI from a CDN
ourselves = "galaxy.example.org"  # placeholder: the Galaxy host that serves the self-hosted copies
@app.get("/docs", include_in_schema=False)
async def custom_swagger_ui_html():
    return get_swagger_ui_html(
        openapi_url=app.openapi_url,  # required by get_swagger_ui_html
        title=app.title + " - Swagger UI",
        swagger_js_url=f"https://{ourselves}/swagger-ui-dist@5.9.0/swagger-ui-bundle.js",
        swagger_css_url=f"https://{ourselves}/swagger-ui-dist@5.9.0/swagger-ui.css",
    )

Describe the bug: usegalaxy.*/api/docs is not loading for me (see screenshot).

The issue is an invalid certificate for a Cloudflare CDN server; it seems to have expired in 2020. After googling it, I found this: https://community.cloudflare.com/t/jsdelivr-expired-certificate-may-2024/650543 and https://github.com/jsdelivr/jsdelivr/issues/18565

It could be a bigger issue. Sure, we cannot do anything about it and CDNs should always work, but in this case I was wondering if it is really needed or if we could serve this from our own servers?

Galaxy Version and/or server at which you observed the bug: Galaxy Version 24.0, all 3 usegalaxy.* servers

Browser and Operating System: Operating System: Linux, macOS; Browser: Firefox, Chrome-based, Safari

Firefox 125.2 (Fedora Linux 39), Chromium 124.0.6367.91 (Fedora Linux 39), Safari on iPadOS 17.4.1

To Reproduce: Steps to reproduce the behavior: Maybe it is location dependent, but otherwise the steps are quite obvious.

Expected behavior: Swagger API docs should load.

hexylena commented 3 months ago

Seconding this, it also won't work for TREs and similar air-gapped environments and leaks information about our visitors. We should self host this like we do for the rest of the JS.

I'm glad there was a certificate issue, might not have noticed otherwise that the JS comes from a third party domain.

(And especially JS that might have access to user API keys, even if it's a trustworthy party like jsDelivr, since we aren't using SRI hashes to ensure the validity of that file at all, just a plain script tag.)
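As an added example (not code from the thread or from Galaxy), this is the Subresource Integrity check the comment above says the plain script tag lacks: computing an `integrity` token for a served file, emitting the tag with it, and verifying bytes against a token the way a browser does. The sample JS bytes and the `/static/...` path are constructed for illustration.

```python
import base64
import hashlib
import html

# Constructed stand-in for a self-hosted swagger-ui-bundle.js; real files are large.
SAMPLE_JS = b"window.SwaggerUIBundle = function () { /* constructed sample */ };\n"

# Algorithms SRI allows, listed weakest to strongest (browsers ignore anything else).
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute as a browser does: only the
    strongest algorithm present is consulted, and any one of its tokens
    matching is enough. Unknown algorithms are skipped; nothing usable fails."""
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return False  # fail closed rather than silently skip the check
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_integrity(data, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


def script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag that pins the served file to its digest."""
    integrity = sri_integrity(data)
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{integrity}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("/static/swagger-ui-bundle.js", SAMPLE_JS))
    pinned = sri_integrity(SAMPLE_JS)
    print("served file verifies:", verify_sri(SAMPLE_JS, pinned))
    print("tampered file verifies:", verify_sri(SAMPLE_JS + b"x", pinned))
```

The token must be regenerated whenever the self-hosted bundle is updated, since a stale `integrity` makes the browser refuse to run the new file.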

mvdbeek commented 3 months ago

Do you want to open that issue at FastAPI? I don't think there's anything we can do. It also works for me on all devices.

hexylena commented 3 months ago

@mvdbeek fastapi is generating this?

mvdbeek commented 3 months ago

yes

hexylena commented 3 months ago

Oof. I'd expect at least SRI hashes then, yikes.

hexylena commented 3 months ago

Someone reports a similar issue (different flavour of firewall) and the suggested answer is an additional requirement. https://github.com/tiangolo/fastapi/issues/4924#issuecomment-1336275570

Every similar question seems to receive that as an answer; the discussion moved to 'discussions' and the underlying issue is never fixed or is closed as 'wontfix'.

hexylena commented 3 months ago

Aha, it sounds like we can implement this ourselves, by passing static_directory https://github.com/tiangolo/fastapi/pull/112

https://github.com/tiangolo/fastapi/pull/112/files#diff-a7194c5009e170b25568f7cf38b4eb8b7caabd87249b4bf6c0cd1710119a0200R8

mira-miracoli commented 3 months ago

update:

Unfortunately this issue affected the users hitting the Cloudflare CDN. Currently it's fixed by redirecting all traffic to Fastly.

At this moment it's unknown why they decided to start serving an expired SSL certificate, as its service is supposed to be fully automated and managed by them.

I will be working with them to understand the problem and when it's safe to bring back Cloudflare.

hexylena commented 3 months ago

I suspect CF will fix that long before we could patch galaxy.

Misunderstood; we are agreed, it should be self hosted.