feat: allow urls with authentication

[hacdias]

This should fix ipfs/ipfs-webui#836 by allowing to pass custom URLs.

I was not able to try it due to some CORS configuration with Basic Auth I couldn't manage to get working right now. Will try later. @lidel could you take a look at this to see if it looks OK or even try it if you've got time?

License: MIT
Signed-off-by: Henrique Dias hacdias@gmail.com

[lidel]

I will try to test this against real basic auth setup in a spare moment today/tomorrow, for now quick feedback below.

[hacdias]

Thanks @lidel!

[lidel]

Summary

So this PR works as expected 👍

Remaining work in this PR:

• src/js-ipfs-api/index.test.js needs tests for API specified as URL (with and without basic auth)

There are bugs in WebUI that need to be addressed upstream
(it does not support object, just string with multiaddr, details below)

HTTP Proxy for testing this

Ok, there are many moving pieces, including Origin validation at go-ipfs, so I've wrote a custom http proxy to make it easier to test:

#!/usr/bin/env node

const http = require('http')
const httpProxy = require('http-proxy')
const basicAuth = require('basic-auth')

// ============================================================
// CONFIG
// ============================================================
const port = 5403 // port on which we want to enable basic auth
const target = 'http://127.0.0.1:5001' // where  /api/v0/ lives
// basic auth:
const user = 'user'
const password = 'pass'
// ============================================================

const proxy = httpProxy.createProxyServer()

proxy.on('proxyReq', (proxyReq, req, res, options) => {
  // to make this poc easier, swap Origin so internal check of go-ipfs does get triggered (403 Forbidden on Origin mismatch)
  proxyReq.setHeader('Origin', target);
  proxyReq.setHeader('Referer', target);
  proxyReq.setHeader('Host', new URL(target).host);
})

http.createServer((req, res) => {
  console.log(`${req.method}\t\t${req.url}`)

  res.oldWriteHead = res.writeHead
  res.writeHead = function(statusCode, headers) {
    // hardcoded liberal CORS for easier testing
    res.setHeader('Access-Control-Allow-Origin', '*')
    // usual suspects + 'authorization' header
    res.setHeader('Access-Control-Allow-Headers', 'X-Stream-Output, X-Chunked-Output, X-Content-Length, authorization')
    res.oldWriteHead(statusCode)
  }

  const auth = basicAuth(req)

  const preflight = req.method === 'OPTIONS' // need preflight working
  if (!preflight && !(auth && auth.name === user && auth.pass === password)) {
    res.writeHead(401, {
      'WWW-Authenticate': 'Basic realm="IPFS API"'
    })
    res.end('Access denied')
  } else {
    proxy.web(req, res, { target })
  }
}).listen(port)

TL;DR: You run it via node ./proxy.js, then confirm it works via curl http://user:pass@127.0.0.1:5403/api/v0/id

It should save us a TON of time with setting CORS headers.

Testing WebUI with this PR

connect-deps makes it easy to test webui with this PR: (in your local webui repo) connect-deps link ../ipfs-redux-bundle/, then connect-deps connect -w

Test result

Clicking on "Submit" in WebUI did nothing:

So instead I set ipfsApi hint for WebUI via console:

localStorage.setItem('ipfsApi','http://user:pass@127.0.0.1:5403')

Reloaded WebUI and ipfs-redux-bundle from this PR picked URL up correctly:

I was able to open http://127.0.0.1:3000/#/files and browse files using HTTP API over Basic Auth.

Bugs in WebUI

Found some bugs in WebUI tho (writing them down below, but need to be addressed upstream):

1. I was unable to set URL via http://localhost:3000/#/welcome, Submit button does nothing, I had to set it via console like described above.

2. When set via console, the Connection screen at http://localhost:3000/#/welcome displays broken value for URL (looks like invalid string serialization): fixed in latest version of this PR
   

3. Status page at http://127.0.0.1:3000/#/files crash because it expects multiaddr:
   

[hacdias]

@lidel I moved the checks and conversion of the api address to the js-ipfs-api directory in order to keep the apiAddress as a string all the times which might be easier for editing and submitting through the web ui. In addition, I added two tests.

Thanks for that proxy!!!!!!

[lidel]

LGTM! Just address small ask below and ok to ship it.

FYSA this fixed WebUI Bug (2) (URL set via console now looks ok), remaining bugs need to be addressed upstream, in against WebUI which switches to new ipfs-redux-bundle

[lidel]

sneaked in during refactoring, can be removed, try/catch below is enough

[hacdias]

This is on isMultiaddr and not on isUrl. Our multiaddr does not throw with undefined nor null. I'll leave this check, but the one on isUrl was removed.

[lidel]

Reintroducing this in ipfs/ipfs-webui#1613