Commit 5c425c6

authored

feat: implement HTTP allowed hosts/origins checking (#49)

1 parent e783ff1 commit 5c425c6Copy full SHA for 5c425c6

File tree

5 files changed

+976

-45

lines changed

README.md
cmd/server
- server.go
- server_test.go
lib/httpapi
- server.go
- server_test.go

5 files changed

+976

-45

lines changed

`‎README.md‎`

Lines changed: 51 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@ Control [Claude Code](https://github.com/anthropics/claude-code), [Goose](https:`
`4`	`4`
`5`	`5`	`![agentapi-chat](https://github.com/user-attachments/assets/57032c9f-4146-4b66-b219-09e38ab7690d)`
`6`	`6`
`7`		`-`
`8`	`7`	`You can use AgentAPI:`
`9`	`8`
`10`	`9`	`- to build a unified chat interface for coding agents`
`@@ -54,9 +53,6 @@ You can use AgentAPI:`
`54`	`53`
`55`	`54`	Run an HTTP server that lets you control an agent. If you'd like to start an agent with additional arguments, pass the full agent command after the `--` flag.
`56`	`55`
`57`		`-> [!NOTE]`
`58`		-> When using Codex, always specify the agent type explicitly (`agentapi server --type=codex -- codex`), or message formatting may break.
`59`		`-`
`60`	`56`	```bash
`61`	`57`	`agentapi server -- claude --allowedTools "Bash(git*) Edit Replace"`
`62`	`58`	```
`@@ -68,6 +64,9 @@ agentapi server -- aider --model sonnet --api-key anthropic=sk-ant-apio3-XXX`
`68`	`64`	`agentapi server -- goose`
`69`	`65`	```
`70`	`66`
	`67`	`+> [!NOTE]`
	`68`	+> When using Codex, always specify the agent type explicitly (`agentapi server --type=codex -- codex`), or message formatting may break.
	`69`	`+`
`71`	`70`	`An OpenAPI schema is available in [openapi.json](openapi.json).`
`72`	`71`
`73`	`72`	`By default, the server runs on port 3284. Additionally, the server exposes the same OpenAPI schema at http://localhost:3284/openapi.json and the available endpoints in a documentation UI at http://localhost:3284/docs.`
`@@ -79,6 +78,54 @@ There are 4 endpoints:`
`79`	`78`	- GET `/status` - returns the current status of the agent, either "stable" or "running"
`80`	`79`	- GET `/events` - an SSE stream of events from the agent: message and status updates
`81`	`80`
	`81`	`+#### Allowed hosts`
	`82`	`+`
	`83`	+By default, the server only allows requests with the host header set to `localhost`. If you'd like to host AgentAPI elsewhere, you can change this by using the `AGENTAPI_ALLOWED_HOSTS` environment variable or the `--allowed-hosts` flag. Hosts must be hostnames only (no ports); the server ignores the port portion of incoming requests when authorizing.
	`84`	`+`
	`85`	+To allow requests from any host, use `*` as the allowed host.
	`86`	`+`
	`87`	+```bash
	`88`	`+agentapi server --allowed-hosts '*' -- claude`
	`89`	+```
	`90`	`+`
	`91`	`+To allow a specific host, use:`
	`92`	`+`
	`93`	+```bash
	`94`	`+agentapi server --allowed-hosts 'example.com' -- claude`
	`95`	+```
	`96`	`+`
	`97`	+To specify multiple hosts, use a comma-separated list when using the `--allowed-hosts` flag, or a space-separated list when using the `AGENTAPI_ALLOWED_HOSTS` environment variable.
	`98`	`+`
	`99`	+```bash
	`100`	`+agentapi server --allowed-hosts 'example.com,example.org' -- claude`
	`101`	`+# or`
	`102`	`+AGENTAPI_ALLOWED_HOSTS='example.com example.org' agentapi server -- claude`
	`103`	+```
	`104`	`+`
	`105`	`+#### Allowed origins`
	`106`	`+`
	`107`	+By default, the server allows CORS requests from `http://localhost:3284`, `http://localhost:3000`, and `http://localhost:3001`. If you'd like to change which origins can make cross-origin requests to AgentAPI, you can change this by using the `AGENTAPI_ALLOWED_ORIGINS` environment variable or the `--allowed-origins` flag.
	`108`	`+`
	`109`	+To allow requests from any origin, use `*` as the allowed origin:
	`110`	`+`
	`111`	+```bash
	`112`	`+agentapi server --allowed-origins '*' -- claude`
	`113`	+```
	`114`	`+`
	`115`	`+To allow a specific origin, use:`
	`116`	`+`
	`117`	+```bash
	`118`	`+agentapi server --allowed-origins 'https://example.com' -- claude`
	`119`	+```
	`120`	`+`
	`121`	+To specify multiple origins, use a comma-separated list when using the `--allowed-origins` flag, or a space-separated list when using the `AGENTAPI_ALLOWED_ORIGINS` environment variable. Origins must include the protocol (`http://` or `https://`) and support wildcards (e.g., `https://*.example.com`):
	`122`	`+`
	`123`	+```bash
	`124`	`+agentapi server --allowed-origins 'https://example.com,http://localhost:3000' -- claude`
	`125`	`+# or`
	`126`	`+AGENTAPI_ALLOWED_ORIGINS='https://example.com http://localhost:3000' agentapi server -- claude`
	`127`	+```
	`128`	`+`
`82`	`129`	### `agentapi attach`
`83`	`130`
`84`	`131`	`Attach to a running agent's terminal session.`

`‎cmd/server/server.go‎`

Lines changed: 37 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -95,12 +95,17 @@ func runServer(ctx context.Context, logger *slog.Logger, argsToPass []string) er`
`95`	`95`	`}`
`96`	`96`	`}`
`97`	`97`	`port := viper.GetInt(FlagPort)`
`98`		`- srv := httpapi.NewServer(ctx, httpapi.ServerConfig{`
`99`		`- AgentType: agentType,`
`100`		`- Process: process,`
`101`		`- Port: port,`
`102`		`- ChatBasePath: viper.GetString(FlagChatBasePath),`
	`98`	`+ srv, err := httpapi.NewServer(ctx, httpapi.ServerConfig{`
	`99`	`+ AgentType: agentType,`
	`100`	`+ Process: process,`
	`101`	`+ Port: port,`
	`102`	`+ ChatBasePath: viper.GetString(FlagChatBasePath),`
	`103`	`+ AllowedHosts: viper.GetStringSlice(FlagAllowedHosts),`
	`104`	`+ AllowedOrigins: viper.GetStringSlice(FlagAllowedOrigins),`
`103`	`105`	`})`
	`106`	`+ if err != nil {`
	`107`	`+ return xerrors.Errorf("failed to create server: %w", err)`
	`108`	`+ }`
`104`	`109`	`if printOpenAPI {`
`105`	`110`	`fmt.Println(srv.GetOpenAPI())`
`106`	`111`	`return nil`
`@@ -150,12 +155,15 @@ type flagSpec struct {`
`150`	`155`	`}`
`151`	`156`
`152`	`157`	`const (`
`153`		`- FlagType = "type"`
`154`		`- FlagPort = "port"`
`155`		`- FlagPrintOpenAPI = "print-openapi"`
`156`		`- FlagChatBasePath = "chat-base-path"`
`157`		`- FlagTermWidth = "term-width"`
`158`		`- FlagTermHeight = "term-height"`
	`158`	`+ FlagType = "type"`
	`159`	`+ FlagPort = "port"`
	`160`	`+ FlagPrintOpenAPI = "print-openapi"`
	`161`	`+ FlagChatBasePath = "chat-base-path"`
	`162`	`+ FlagTermWidth = "term-width"`
	`163`	`+ FlagTermHeight = "term-height"`
	`164`	`+ FlagAllowedHosts = "allowed-hosts"`
	`165`	`+ FlagAllowedOrigins = "allowed-origins"`
	`166`	`+ FlagExit = "exit"`
`159`	`167`	`)`
`160`	`168`
`161`	`169`	`func CreateServerCmd() *cobra.Command {`
`@@ -165,6 +173,10 @@ func CreateServerCmd() *cobra.Command {`
`165`	`173`	`Long: fmt.Sprintf("Run the server with the specified agent (one of: %s)", strings.Join(agentNames, ", ")),`
`166`	`174`	`Args: cobra.MinimumNArgs(1),`
`167`	`175`	`Run: func(cmd *cobra.Command, args []string) {`
	`176`	`+ // The --exit flag is used for testing validation of flags in the test suite`
	`177`	`+ if viper.GetBool(FlagExit) {`
	`178`	`+ return`
	`179`	`+ }`
`168`	`180`	`logger := slog.New(slog.NewTextHandler(os.Stdout, nil))`
`169`	`181`	`ctx := logctx.WithLogger(context.Background(), logger)`
`170`	`182`	`if err := runServer(ctx, logger, cmd.Flags().Args()); err != nil {`
`@@ -181,6 +193,10 @@ func CreateServerCmd() *cobra.Command {`
`181`	`193`	`{FlagChatBasePath, "c", "/chat", "Base path for assets and routes used in the static files of the chat interface", "string"},`
`182`	`194`	`{FlagTermWidth, "W", uint16(80), "Width of the emulated terminal", "uint16"},`
`183`	`195`	`{FlagTermHeight, "H", uint16(1000), "Height of the emulated terminal", "uint16"},`
	`196`	`+ // localhost is the default host for the server. Port is ignored during matching.`
	`197`	`+ {FlagAllowedHosts, "a", []string{"localhost", "127.0.0.1", "[::1]"}, "HTTP allowed hosts (hostnames only, no ports). Use '*' for all, comma-separated list via flag, space-separated list via AGENTAPI_ALLOWED_HOSTS env var", "stringSlice"},`
	`198`	`+ // localhost:3284 is the default origin when you open the chat interface in your browser. localhost:3000 and 3001 are used during development.`
	`199`	`+ {FlagAllowedOrigins, "o", []string{"http://localhost:3284", "http://localhost:3000", "http://localhost:3001"}, "HTTP allowed origins. Use '*' for all, comma-separated list via flag, space-separated list via AGENTAPI_ALLOWED_ORIGINS env var", "stringSlice"},`
`184`	`200`	`}`
`185`	`201`
`186`	`202`	`for _, spec := range flagSpecs {`
`@@ -193,6 +209,8 @@ func CreateServerCmd() *cobra.Command {`
`193`	`209`	`serverCmd.Flags().BoolP(spec.name, spec.shorthand, spec.defaultValue.(bool), spec.usage)`
`194`	`210`	`case "uint16":`
`195`	`211`	`serverCmd.Flags().Uint16P(spec.name, spec.shorthand, spec.defaultValue.(uint16), spec.usage)`
	`212`	`+ case "stringSlice":`
	`213`	`+ serverCmd.Flags().StringSliceP(spec.name, spec.shorthand, spec.defaultValue.([]string), spec.usage)`
`196`	`214`	`default:`
`197`	`215`	`panic(fmt.Sprintf("unknown flag type: %s", spec.flagType))`
`198`	`216`	`}`
`@@ -201,6 +219,14 @@ func CreateServerCmd() *cobra.Command {`
`201`	`219`	`}`
`202`	`220`	`}`
`203`	`221`
	`222`	`+ serverCmd.Flags().Bool(FlagExit, false, "Exit immediately after parsing arguments")`
	`223`	`+ if err := serverCmd.Flags().MarkHidden(FlagExit); err != nil {`
	`224`	`+ panic(fmt.Sprintf("failed to mark flag %s as hidden: %v", FlagExit, err))`
	`225`	`+ }`
	`226`	`+ if err := viper.BindPFlag(FlagExit, serverCmd.Flags().Lookup(FlagExit)); err != nil {`
	`227`	`+ panic(fmt.Sprintf("failed to bind flag %s: %v", FlagExit, err))`
	`228`	`+ }`
	`229`	`+`
`204`	`230`	`viper.SetEnvPrefix("AGENTAPI")`
`205`	`231`	`viper.AutomaticEnv()`
`206`	`232`	`viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 5c425c6

File tree

5 files changed

5 files changed

`‎README.md‎`

`‎cmd/server/server.go‎`

0 commit comments