lanthaler / HydraConsole

HydraConsole is an implementation of a generic API client for Hydra-based Web APIs in the form of a single-page application.
http://www.markus-lanthaler.com/hydra/
MIT License

Restrict allowed proxy requests #14

Open rp-eric opened 10 years ago

rp-eric commented 10 years ago

Hydra Console includes what amounts to a proxy server. Here is an example. To prevent abuse, you should be able to restrict the URIs the proxy server will accept. Typically you would restrict the domain to your service's server.

I suggest that URIs be restricted by a whitelist composed of regular expressions. This is a sketch of how the URI restriction would work.


// allows requests for domains myapi.mydomain.com
// and sandbox.myapi.mydomain.com

$uriFilter = array(
    '!^myapi\.mydomain\.com($|/)!',
    '!^sandbox\.myapi\.mydomain\.com($|/)!'
);

function isUriAllowed(array $uriFilter, $uri) {
    return \array_reduce(
        \array_map(
            function ($pat) use ($uri) {
                return \preg_match($pat, $uri);
            },
            $uriFilter // the patterns to test; array_map() requires the array argument
        ),
        function ($carry, $item) {
            return $carry || $item;
        },
        false
    );
}

The $uriFilter must be configurable. For simplicity, this variable can be defined as a PHP array in a separate config file. The config file can be included in a non-global scope. This is a sketch of how that would be done.

function getUriFilter() {
    $configFile = 'proxy.config.php';
    include $configFile;
    if (isset($uriFilter) && \is_array($uriFilter)) {
        return $uriFilter;
    }
    else {
        throw new \Exception('Must define array $uriFilter in ' . $configFile);
    }
}

This configuration file can be reused for other configuration options particular to the proxy server.

lanthaler commented 10 years ago

Good idea. I think supporting regexes here is a bit of an overkill. What about simply declaring with what string a valid URL has to begin? So, for instance putting http://example.com/apis/ would allow http://example.com/apis/something but not http://example.org/whatever.

Do you have time to create a PR? I’m pretty packed at the moment.

rp-eric commented 10 years ago

I have started work on this feature on the issue_14 branch on my fork. Let me know what you think.

lanthaler commented 10 years ago

Looks a bit more complicated than it would need to IMHO. I would simply (try to) load the config file directly in isUrlAllowed() instead of factoring that out, loading it globally and then passing it to isUrlAllowed(). I would also suggest to simply allow all URLs if no config file has been found instead of throwing an exception. Finally, I think a simple text file (allowed-hosts.conf) would be simpler than requiring this to be PHP.

Thoughts?
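
The prefix check proposed in this thread, as an added example that is not part of the discussion or of HydraConsole's code: it compares parsed URL components instead of raw strings, so the prefix http://example.com/apis/ does not also admit look-alike hosts or dot-segment paths. The function names, the sample URLs and the one-prefix-per-line format of allowed-hosts.conf are assumptions.

```php
<?php
// Added example, not HydraConsole code. Function names and the
// one-prefix-per-line format of allowed-hosts.conf are assumptions.
// Reduce a URL to [scheme, host, port, path]; null if it is not http(s).
function splitUrl(string $url): ?array {
    $p = parse_url(trim($url));
    $scheme = strtolower($p['scheme'] ?? '');
    if (!isset($p['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$scheme, strtolower($p['host']), $port, $p['path'] ?? '/'];
}

// null means "no config file", which the thread proposes to treat as allow-all.
function loadAllowedPrefixes(string $file): ?array {
    return is_readable($file)
        ? (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
        : null;
}

function isUrlAllowed(?array $prefixes, string $url): bool {
    if ($prefixes === null) {
        return true; // fail-open, as suggested in the thread
    }
    $t = splitUrl($url);
    // Refuse dot segments so /apis/../admin cannot pass as "under /apis/".
    if ($t === null || array_intersect(['.', '..'], explode('/', rawurldecode($t[3])))) {
        return false;
    }
    foreach ($prefixes as $prefix) {
        $a = splitUrl($prefix);
        if ($a === null || array_slice($a, 0, 3) !== array_slice($t, 0, 3)) {
            continue; // scheme, host or port differs
        }
        $base = rtrim($a[3], '/'); // '/apis/' and '/apis' both mean "under /apis"
        if ($t[3] === $base || strpos($t[3], $base . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample input; the proxy would call loadAllowedPrefixes('allowed-hosts.conf').
$prefixes = ['http://example.com/apis/'];
foreach (['http://example.com/apis/something', 'http://example.org/whatever',
          'http://example.com.other.test/apis/', 'http://example.com/apis/../admin'] as $u) {
    echo $u, ' => ', isUrlAllowed($prefixes, $u) ? 'allow' : 'deny', "\n";
}
```

Treating a missing config file as allow-all leaves the proxy unrestricted by default, so a deployment that relies on the restriction should check that the file is present and readable.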

derhuerst commented 4 years ago

I would also like to have the option to bypass the proxy entirely. I'm running a CORS-enabled hydra endpoint on localhost, and I cannot use the console.