Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

POST-only HTTP API #2971

Closed
2 tasks done
lidel opened this issue Apr 5, 2020 · 7 comments
Closed
2 tasks done

POST-only HTTP API #2971

lidel opened this issue Apr 5, 2020 · 7 comments
Assignees
Labels
P0 Critical: Tackled by core team ASAP

Comments

@lidel
Copy link
Member

lidel commented Apr 5, 2020

Problem

go-ipfs 0.5 will block GET commands on the API port (ipfs/kubo#7097), requiring every command to be sent as HTTP POST request (makes it a true RPC + solves some security issues).

🔍 Ensure ipfs-http-client works with API without GET

  • I think it does: interop tests run by go-ipfs CI passed,
    but would appreciate second pair of eyes to confirm I did not miss anything
  • We should have tests that fail if GET is accepted by /api/v0 on API port
    unsure where to add those, any ideas?

😅 Ship a patch release for old JS API?

Blocking GET broke Files screen in ipfs-webui as noted in ipfs/ipfs-webui#1429 (comment)

ipfs-webui is using older version of ipfs-http-client, one before huge refactor into async iterables, which means switching to the latest version won't be a quick task.

I suspect there are third party projects which use older version of ipfs-http-client but have no time to refactor entire codebase to work with the latest version. We could make it easier if we shipped a patch release with literally 7 line diff (ky.getky.post, as seen in seen in ipfs-http-client@39.0.2.patch)

I am unsure how to do this given we moved to monorepo recently.
I think v41.0.0 of ipfs-http-client was the last release before Async Await and Async Iterables.

@achingbrain is it possible to release something like ipfs-http-client@41.0.1?
Any way I can help?

Update: ipfs-http-client@41.0.1 is ok for use (if you are stuck at old API)

@lidel lidel added the P0 Critical: Tackled by core team ASAP label Apr 5, 2020
@bluelovers
Copy link
Contributor

@achingbrain
Copy link
Member

I am unsure how to do this given we moved to monorepo recently.

The history from merged repos has been maintained so it should just be a case of making a branch from the last ipfs-http-client release commit, making the changes, doing the release and pushing the updated branch back to the repo.

@lidel lidel self-assigned this Apr 6, 2020
@lidel
Copy link
Member Author

lidel commented Apr 6, 2020

Good news: turns out ipfs-http-client@41.0.1 exists – it was the last version which provided the old JS API, but on the backend was refactored to use new one, and in the process all ky.get calls were replaced to ky.post (I checked all 7 problematic ones).

This means we don't need to make any patch releases – ipfs-http-client@41.0.1 is POST-only already.


What remains to be done is to convert API exposed by js-ipfs to match behavior of go-ipfs more closely (POST-only, additional Origin/Referer check, load webui from API port instead of gateway).

@achingbrain my plan is to implement the above before I jump into #1877, if that is okay with you?

lidel added a commit to ipfs/ipfs-webui that referenced this issue Apr 7, 2020
Removes patching introduced in #1430 and uses ipfs-redux-bundle v7.0.0
to bring a compatible version of ipfs-http-client that is known to
support POST-only HTTP API while also exposing the old JS API.

Context: ipfs/js-ipfs#2971
@achingbrain
Copy link
Member

Sounds good, thanks @lidel

lidel added a commit to ipfs/ipfs-webui that referenced this issue Apr 14, 2020
Removes patching introduced in #1430 and uses ipfs-redux-bundle v7.0.0
to bring a compatible version of ipfs-http-client that is known to
support POST-only HTTP API while also exposing the old JS API.

Context: ipfs/js-ipfs#2971
@achingbrain
Copy link
Member

This has been fixed in js-ipfs by #2977

@achingbrain
Copy link
Member

..and released in js-ipfs@0.43.0 and js-ipfs-http-client@44.0.0

@lidel
Copy link
Member Author

lidel commented Apr 21, 2020

Thank you! Continued in:

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
P0 Critical: Tackled by core team ASAP
Projects
None yet
Development

No branches or pull requests

3 participants