Open stravid87 opened 8 months ago
Currently this is now:
backendURL := fmt.Sprintf(os.Getenv("VITE_BACKEND")+"%s", r.URL)
// backendURL := fmt.Sprintf("https://%s%s", r.Header.Get("X-Forwarded-Host"), r.URL)
in server/handlers/tunnel.go
The path needs to be encrypted.
Note, Marc has requested to have access to params. Solving this issue can be a challenge but should very much be possible. The URL path and query params should be scrapped from the URL by the interceptor as well as the query params. These should then be encrypted and transited through the proxy for decryption and attachment in the middleware such that the service provider receives them like normal and the proxy is ignorant to them.
Nice work. Done & done.
July 16 - 22
Can we make the "/media" call on Line 644 in 'interceptor.go' dynamic?
Line 55 of server.go
should be configurable to any string and still work if configured correctly in the frontend.
Description
Line 107 of the interceptor: is writing the path in the proxy URL like this a privacy breach?
r, err := http.NewRequest("POST", c.proxyURL+parsedURL.Path, bytes.NewBuffer(data))
This parsedURL.Path should really only be accessible to the S.P. This information is carried to line 160 of server/tunnel.go
Requirements:
Acceptance Criteria
When a frontend user creates a get, post, or other request type, this information should be fully hidden from the proxy and transmitted as part of the encrypted body only. The Service Provider should be able to access this information within the node.js backend by invoking the properties:
Reference: https://expressjs.com/en/api.html#req.path
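The design requested in this issue, as an added example that is not the project's code: method, path and query travel only inside an AES-GCM sealed body, so the proxy sees the same POST for every request. `Inner`, `Seal`, `Open`, the `/tunnel` endpoint, the proxy host and the already-shared key are assumptions; the Go `Open` stands in for the middleware's decryption step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

type Inner struct { // what only the client and the service provider may read
	Method, Path, Query string
	Body                []byte
}

// Seal (interceptor side) leaves the proxy a fixed POST <proxyURL>/tunnel.
func Seal(a cipher.AEAD, proxyURL, method string, target *url.URL, body []byte) (*http.Request, error) {
	plain, _ := json.Marshal(Inner{method, target.EscapedPath(), target.RawQuery, body})
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := a.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	return http.NewRequest(http.MethodPost, proxyURL+"/tunnel", bytes.NewReader(sealed))
}

// Open (middleware side) authenticates, decrypts and restores the request line.
func Open(a cipher.AEAD, sealed []byte) (*Inner, error) {
	n := a.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("envelope shorter than nonce")
	}
	plain, err := a.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, err
	}
	in := &Inner{}
	return in, json.Unmarshal(plain, in)
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	a, _ := cipher.NewGCM(block)
	u, _ := url.Parse("/media/42?user=alice") // constructed sample target
	r, _ := Seal(a, "https://proxy.example", "GET", u, nil)
	fmt.Println(r.Method, r.URL) // what the proxy can observe
}
```

Because GCM authenticates the envelope, a proxy that alters the sealed body causes `Open` to fail rather than hand the service provider a modified path or query.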