fix: make http api only accept POST requests

[achingbrain]

This is to prevent people maliciously controlling your local node by injecting images into webpages with URLs of API endpoints.

BREAKING CHANGE:

Where we used to accept all and any HTTP methods, now only POST is accepted. The API client will now only send POST requests too.

[vasco-santos]

This looks good to me! 👍

[jacobheun]

There are still several calls to api.ndjson that don't include method: 'POST'. Hopefully the new tests will show those failures.

[achingbrain]

http.ndjson calls http.iterator which calls http.fetch which is overridden to only send POST requests so it should be handled.

[jacobheun]

http.ndjson calls http.iterator which calls http.fetch which is overridden to only send POST requests so it should be handled.

I think it would be helpful to just remove the method specification in the existing calls then to clean things up. Having most of them with the declaration and some without is confusing, and if it's already doing a post we should just remove the extraneous code.

[achingbrain]

I agree, sort of - I'd much rather have something like:

const res = await api.post(...)

for await (const thing of res.ndjson()) {
  ...
}

Though we've already got a lot of code in the http client that's not being used.

I've suggested having a non-general-purpose http client for this sort of thing here: ipfs/js-ipfs-utils#32

[achingbrain]

@jacobheun: ipfs/js-ipfs-utils#35

[lidel]

cc #2971

This is not interop test, but for what its worth, go-ipfs 0.5.0-rc1 returns 405:

$ curl -I -X GET http://127.0.0.1:5001/api/v0/id
HTTP/1.1 405 Method Not Allowed
Allow: HEAD
Allow: OPTIONS
Allow: POST
Content-Type: text/plain; charset=utf-8
Vary: Origin
X-Content-Type-Options: nosniff
Date: Thu, 09 Apr 2020 23:48:22 GMT
Content-Length: 25

[achingbrain]

That's the correct code but Hapi does not make this easy:

hapijs/hapi#1534
hapijs/hapi#3238