georchestra / georchestra-gateway

GNU General Public License v3.0

Commit 37ff94b9ebf668f3fbeb99a18baaa75ebb2d5acf modify the response by the application #128

Open edevosc2c opened 1 month ago

edevosc2c commented 1 month ago

Since https://github.com/georchestra/georchestra-gateway/commit/37ff94b9ebf668f3fbeb99a18baaa75ebb2d5acf, when you do a POST request and this request returns a 403 Forbidden error, you lose all the headers sent by the application, and headers like X-Frame-Options are not set. Most importantly, XSRF-TOKEN is lost, and we have a client that does a request like the one in the example below.

Before commit 37ff94b9ebf668f3fbeb99a18baaa75ebb2d5acf

$ curl -v 'http://localhost:8082/geonetwork/srv/eng/info?type=me' -u edevos -i -XPOST -H'Accept: application/json'
Enter host password for user 'edevos':
*   Trying 127.0.0.1:8082...
* Connected to localhost (127.0.0.1) port 8082 (#0)
* Server auth using Basic with user 'edevos'
> POST /geonetwork/srv/eng/info?type=me HTTP/1.1
> Host: localhost:8082
> Authorization: Basic xxxx
> User-Agent: curl/7.81.0
> Accept: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Vary: Origin
Vary: Origin
< Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
Vary: Access-Control-Request-Headers
< Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/geonetwork; Secure
Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/geonetwork; Secure
< Cache-Control: must-revalidate,no-cache,no-store
Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 95
Content-Length: 95
< X-Xss-Protection: 0
X-Xss-Protection: 0
< Strict-Transport-Security: max-age=631138519
Strict-Transport-Security: max-age=631138519
< X-Frame-Options: ALLOW-FROM *.inrae.fr
X-Frame-Options: ALLOW-FROM *.inrae.fr
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
Referrer-Policy: same-origin
< X-Download-Options: noopen
X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/datahub; Secure
Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/datahub; Secure

< 
{
"servlet":"spring",
"message":"Forbidden",
"url":"/geonetwork/srv/eng/info",
"status":"403"
* Connection #0 to host localhost left intact
}

After commit 37ff94b9ebf668f3fbeb99a18baaa75ebb2d5acf

$ curl -v 'http://localhost:8082/geonetwork/srv/eng/info?type=me' -u edevos -i -XPOST -H'Accept: application/json'
Enter host password for user 'edevos':
*   Trying 127.0.0.1:8082...
* Connected to localhost (127.0.0.1) port 8082 (#0)
* Server auth using Basic with user 'edevos'
> POST /geonetwork/srv/eng/info?type=me HTTP/1.1
> Host: localhost:8082
> Authorization: Basic xxx
> User-Agent: curl/7.81.0
> Accept: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Vary: Origin
Vary: Origin
< Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
Vary: Access-Control-Request-Headers
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 152
Content-Length: 152
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: 0
Expires: 0
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
X-Frame-Options: DENY
< X-XSS-Protection: 1 ; mode=block
X-XSS-Protection: 1 ; mode=block
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer

{"timestamp":"2024-06-13T10:06:06.959+00:00","path":"/geonetwork/srv/eng/info","status":403,"error":"Forbidden","message":null,"requestId":"7abc0867-5"}

What should we do? My understanding is that we shouldn't modify the response sent by the application.
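As an added regression check (example code, not part of the gateway project or of this issue), the script below parses the `< Name: value` lines of the two curl -v captures above, reports which watched headers the gateway dropped or replaced, and checks that every XSRF-TOKEN cookie set upstream reaches the client. The WATCHED set and the abridged captures are assumptions constructed from the report.

```python
"""Compare the headers of an upstream 403 response with those the gateway
delivers, and flag what was lost. Input is the '<'-prefixed header lines of a
curl -v transcript, as pasted in the issue above."""
from collections import defaultdict

# Headers we expect the gateway to pass through unchanged on error responses.
# Assumption: this set follows the headers named in the report; adjust per deployment.
WATCHED = {"set-cookie", "x-frame-options", "strict-transport-security",
           "x-content-type-options", "referrer-policy", "cache-control"}

def parse_curl_headers(capture: str) -> dict[str, list[str]]:
    """Collect response headers from '< Name: value' lines of a curl -v capture.
    Multi-valued headers (Vary, Set-Cookie) keep every value, in order."""
    headers: dict[str, list[str]] = defaultdict(list)
    for raw in capture.splitlines():
        if not raw.startswith("< ") or ":" not in raw:
            continue  # skips request lines ('>'), the status line and the blank '< '
        name, _, value = raw[2:].partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def lost_headers(before: dict, after: dict) -> dict[str, list[str]]:
    """Watched header values present upstream but absent from the gateway response.
    A header kept with a different value is reported with the values that vanished."""
    lost = {}
    for name in WATCHED:
        missing = [v for v in before.get(name, []) if v not in after.get(name, [])]
        if missing:
            lost[name] = missing
    return lost

def xsrf_cookie_preserved(before: dict, after: dict) -> bool:
    """True only if every XSRF-TOKEN cookie the upstream set (one per Path)
    is delivered unchanged; the behaviour reported above drops them all."""
    upstream = {c for c in before.get("set-cookie", []) if c.startswith("XSRF-TOKEN=")}
    return bool(upstream) and upstream <= set(after.get("set-cookie", []))

# Constructed captures, abridged from the two transcripts in the report.
BEFORE = """< HTTP/1.1 403 Forbidden
< Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/geonetwork; Secure
< X-Frame-Options: ALLOW-FROM *.inrae.fr
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Set-Cookie: XSRF-TOKEN=f74d008d-612b-48cf-b14b-fb372daa8c82; Path=/datahub; Secure
< """
AFTER = """< HTTP/1.1 403 Forbidden
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< Referrer-Policy: no-referrer
< """

if __name__ == "__main__":
    b, a = parse_curl_headers(BEFORE), parse_curl_headers(AFTER)
    print("lost:", lost_headers(b, a))
    print("XSRF cookie preserved:", xsrf_cookie_preserved(b, a))
```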

edevosc2c commented 1 month ago

Note for later: It would be great to have some kind of CHANGELOG or an announcement when things related to modifying the response are altered in the gateway.

Because I literally spent 6 hours trying to diagnose this bug.