Comments (8)
@RokLenarcic Hi Rok, can you please clarify if you're talking here about http-kit client or server? It might be helpful for you to provide an example snippet.
Cheers!
from http-kit.
http-kit server.
The example is very simple. Run an http-kit server and use an http client such as clj-http to request a URL with a user and password in the URL.
(clj-http.client/get "http://user:pass@localhost:4000")
The request map in the handler, constructed by http-kit server, has no information about the supplied user and pass data.
from http-kit.
And to clarify- you'd expect the user and pass data to be automatically extracted from the request URI and placed in the Ring request map?
Is there a precedent for that with other Ring servers?
from http-kit.
Yes. I haven't really tested other Ring servers, but I am working with several products that use that feature, implemented in a variety of languages. It seems wrong for that information to just get lost.
from http-kit.
> It seems wrong for that information to just get lost.
Unless I'm missing something, I'm not sure that this characterization is accurate though- you seem to be implying that the information is present then being stripped/lost. But you of course still have access to the full URI in the Ring request map, it just hasn't been automatically parsed to extract the username and password.
Trying to automatically parse something like this at the server-level for all requests wouldn't make sense since you'd be imposing a non-trivial cost on all requests.
Instead, I'd expect one of the following to make more sense:
- Manually extract the info in handlers that need it.
- Use an appropriate Ring middleware.
- Use an appropriate route-matching destructuring.
Relatedly, I'd note that providing credentials in URIs like this is rarely a good idea. I'd expect credentials to more commonly be provided via request params.
from http-kit.
It is being stripped/lost. We do not have access to full URI in ring request map.
Here's the code:
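(require '[org.httpkit.server :as server] 'clojure.pprint)
;; Handler that pretty-prints the Ring request map built by http-kit
(defn rrr [req] (clojure.pprint/pprint req))
(server/run-server #'rrr {:port 3003})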
And this is what is printed when I do:
(clj-http.client/get "http://R:L@localhost:3003")
Here's the printout:
{:remote-addr "127.0.0.1",
:headers
{"accept-encoding" "gzip, deflate",
"authorization" "Basic UjpM",
"connection" "close",
"host" "localhost:3003",
"user-agent" "Apache-HttpClient/4.5.13 (Java/14.0.2)"},
:async-channel
#object[org.httpkit.server.AsyncChannel 0x69b91012 "/127.0.0.1:3003<->/127.0.0.1:57266"],
:server-port 3003,
:content-length 0,
:websocket? false,
:content-type nil,
:character-encoding "utf8",
:uri "/",
:server-name "localhost",
:query-string nil,
:body nil,
:scheme :http,
:request-method :get}
This doesn't contain full URL or anything, the data is just gone. It's the same with fragments such as:
(clj-http.client/get "http://R:L@localhost:3003?a=1#frag")
That ending #frag is just gone.
{:remote-addr "127.0.0.1",
:headers
{"accept-encoding" "gzip, deflate",
"authorization" "Basic UjpM",
"connection" "close",
"host" "localhost:3003",
"user-agent" "Apache-HttpClient/4.5.13 (Java/14.0.2)"},
:async-channel
#object[org.httpkit.server.AsyncChannel 0x5d15fc6c "/127.0.0.1:3003<->/127.0.0.1:57384"],
:server-port 3003,
:content-length 0,
:websocket? false,
:content-type nil,
:character-encoding "utf8",
:uri "/",
:server-name "localhost",
:query-string "a=1",
:body nil,
:scheme :http,
:request-method :get}
from http-kit.
Thanks for providing an example, that's helpful 👍
> We do not have access to full URI in ring request map.
I see, didn't realise that.
So it looks like credentials in URLs like this are typically stripped from the URL and instead used to populate the "authorization" header you're seeing (encoded) in your printouts.
I suspect this might be for security reasons. Not sure off-hand where the stripping actually occurs, but seems plausible that it may actually be the http client doing the stripping.
Anyway the http-kit server behaviour here seems to be consistent with the standard Ring Jetty server.
So it seems your choices would be either to decode the "authorization" header value, or to provide the credentials via a query string or (ideally) params.
> It's the same with fragments such as: (clj-http.client/get "http://R:L@localhost:3003?a=1#frag")
Are fragment ids typically transmitted to web servers? I was under the impression that fragment ids are intended only for client-side use - so would expect clients to strip these.
Anyway the http-kit server seems to again be consistent here with the standard Ring Jetty server.
from http-kit.
Alright I can work with the header.
from http-kit.
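Decoding the "authorization" header, as the thread settles on, could look like the following Ring middleware; the value "Basic UjpM" from the printouts is the Base64 encoding of R:L. This is an added example, not code from the thread or from http-kit, and the names parse-basic-auth, wrap-basic-credentials and the :basic-auth request key are hypothetical.

```clojure
(ns example.basic-auth
  (:require [clojure.string :as str])
  (:import (java.util Base64)
           (java.nio.charset StandardCharsets)))

(defn parse-basic-auth
  "Returns {:username .. :password ..} for a Basic Authorization header value,
  or nil when the header is absent, uses another scheme, or is malformed."
  [header-value]
  (when-let [[_ token] (and header-value
                            (re-matches #"(?i)basic +([A-Za-z0-9+/=]+)"
                                        (str/trim header-value)))]
    (try
      (let [decoded (String. (.decode (Base64/getDecoder) ^String token)
                             StandardCharsets/UTF_8)
            idx     (.indexOf decoded ":")]
        ;; RFC 7617: the user-id cannot contain ":" but the password can,
        ;; so split on the first colon only.
        (when-not (neg? idx)
          {:username (subs decoded 0 idx)
           :password (subs decoded (inc idx))}))
      ;; Thrown by the decoder on invalid Base64 (bad padding, stray bits).
      (catch IllegalArgumentException _ nil))))

(defn wrap-basic-credentials
  "Ring middleware (hypothetical name) for synchronous, one-argument handlers.
  Adds :basic-auth to the request when a well-formed Basic header is present;
  otherwise the request passes through unchanged."
  [handler]
  (fn [req]
    ;; Ring servers, http-kit included, lower-case header names.
    (let [creds (parse-basic-auth (get-in req [:headers "authorization"]))]
      ;; The decoded password now lives in the request map: keep it out of
      ;; logs and out of debugging calls such as pprint on the whole request.
      (handler (cond-> req creds (assoc :basic-auth creds))))))

(comment
  ;; Constructed request map mirroring the headers printed in the thread.
  ((wrap-basic-credentials (fn [req] (:basic-auth req)))
   {:uri "/" :headers {"authorization" "Basic UjpM"}})

  ;; Malformed or non-Basic values yield nil instead of throwing.
  (parse-basic-auth "Bearer abc.def")
  (parse-basic-auth "Basic !!!"))
```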