Nicolas Cantu
cfa1f435cb
Initial state: - HTTP proxy utilities (Bearer parsing, hop-by-hop headers, body limits, safe path validation) were duplicated between smart-ide-sso-gateway and smart-ide-global-api. - IA_DEV_ROOT auto-resolution order differed between bash (ensure-ia-dev-project-link.sh) and TypeScript (ia-dev-gateway getIaDevRoot), and could fall back to non-existing paths. Motivation: - Reduce duplication and drift across proxy layers. - Enforce consistent, explicit IA_DEV_ROOT behavior across scripts and services. Resolution: - Add package @4nk/smart-ide-http-utils and reuse it from smart-ide-sso-gateway and smart-ide-global-api. - Align IA_DEV_ROOT resolution to prefer ./services/ia_dev then ./ia_dev; fail fast when missing/misconfigured. Root cause: - Cross-service utilities were implemented ad-hoc in each service. - Historical layout transitions (ia_dev gitlink vs vendored services/ia_dev) left multiple resolvers with different priorities. Impacted features: - HTTP proxy chain (SSO gateway -> global API -> upstream services). - ia-dev-gateway startup/operation when IA_DEV_ROOT is missing or invalid. Code modified: - packages/smart-ide-http-utils/** - services/smart-ide-global-api/src/server.ts - services/smart-ide-sso-gateway/src/server.ts - services/ia-dev-gateway/src/paths.ts - scripts/ensure-ia-dev-project-link.sh Documentation modified: - docs/system-architecture.md - docs/ia_dev-module.md - docs/repo/README.md Configurations modified: - services/smart-ide-global-api/package.json - services/smart-ide-sso-gateway/package.json Files in deploy modified: - None Files in logs impacted: - None (runtime logs only) Databases and other sources modified: - None Off-project modifications: - None Files in .smartIde modified: - None Files in .secrets modified: - None New patch version in VERSION: - 0.0.6 CHANGELOG.md updated: - yes
83 lines
2.1 KiB
JavaScript
83 lines
2.1 KiB
JavaScript
export const REQUEST_HOP_BY_HOP_HEADERS = new Set([
|
|
"connection",
|
|
"keep-alive",
|
|
"proxy-authenticate",
|
|
"proxy-authorization",
|
|
"te",
|
|
"trailers",
|
|
"transfer-encoding",
|
|
"upgrade",
|
|
"host",
|
|
]);
|
|
export const RESPONSE_HOP_BY_HOP_HEADERS = new Set([
|
|
"connection",
|
|
"keep-alive",
|
|
"transfer-encoding",
|
|
"content-encoding",
|
|
]);
|
|
export const readBearer = (req) => {
|
|
const raw = req.headers.authorization ?? "";
|
|
const m = /^Bearer\s+(.+)$/i.exec(raw);
|
|
return m?.[1]?.trim() ?? null;
|
|
};
|
|
export const readBodyBuffer = async (req, maxBytes) => {
|
|
const chunks = [];
|
|
let total = 0;
|
|
for await (const chunk of req) {
|
|
const b = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
|
|
total += b.length;
|
|
if (total > maxBytes) {
|
|
throw new Error(`Request body exceeds ${maxBytes} bytes`);
|
|
}
|
|
chunks.push(b);
|
|
}
|
|
return Buffer.concat(chunks);
|
|
};
|
|
export const copyHeadersForProxy = (req, opts) => {
|
|
const out = new Headers();
|
|
for (const [k, v] of Object.entries(req.headers)) {
|
|
if (!v) {
|
|
continue;
|
|
}
|
|
const lk = k.toLowerCase();
|
|
if (REQUEST_HOP_BY_HOP_HEADERS.has(lk)) {
|
|
continue;
|
|
}
|
|
if (lk === "authorization") {
|
|
continue;
|
|
}
|
|
if (opts?.skipLowercase?.has(lk)) {
|
|
continue;
|
|
}
|
|
out.set(k, Array.isArray(v) ? v.join(", ") : v);
|
|
}
|
|
return out;
|
|
};
|
|
export const isSafeProxyPath = (p) => {
|
|
if (!p.startsWith("/")) {
|
|
return false;
|
|
}
|
|
for (const rawSeg of p.split("/")) {
|
|
if (rawSeg.length === 0) {
|
|
continue;
|
|
}
|
|
if (rawSeg === "." || rawSeg === "..") {
|
|
return false;
|
|
}
|
|
let seg;
|
|
try {
|
|
seg = decodeURIComponent(rawSeg);
|
|
}
|
|
catch {
|
|
return false;
|
|
}
|
|
if (seg === "." || seg === "..") {
|
|
return false;
|
|
}
|
|
if (seg.includes("/") || seg.includes("\\")) {
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
};
|