-
-
Notifications
You must be signed in to change notification settings - Fork 3.1k
feat(decap-server): Allow the server to be run securely #7579
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR adds security configuration options to the decap-server to allow it to be run more securely by introducing host binding and CORS origin restrictions. The changes enable developers to restrict server access to localhost only and limit API requests to specific origins.
- Added
BIND_HOSTenvironment variable to control which IP address the server binds to - Added
ORIGINenvironment variable to configure CORS origin restrictions instead of allowing all origins - Fixed type issue with port parsing to ensure it's always a number
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/decap-server/src/index.ts | Added host binding configuration and port parsing fix |
| packages/decap-server/src/middlewares/common/index.ts | Updated CORS configuration to use ORIGIN environment variable |
| packages/decap-server/README.md | Added documentation for new environment variables |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
@palant run npm run format to fix the formatting error
explain changes from decaporg/decap-cms#7579
@palant can you review the docs update about this PR? Is all info here correct, could something be better written? decaporg/decap-website#140
Uh oh!
There was an error while loading. Please reload this page.
Summary
The documentation currently says:
This is fair but it is also unnecessary. The server can be restricted in such a way that it is safe to use.
I introduced two optional environment variables to configure
decap-server. TheBIND_HOSTvariable allows binding to127.0.0.1rather than all IP addresses. AndORIGINallows restricting CORS responses to a specific origin rather that allowing the API to be accessed from any server.Note that I would have preferred making
BIND_HOST=localhostthe default. I didn’t want to introduce backwards incompatible changes however.Test plan
Running
npm run startstill allows connecting to bothhttp://localhost:8081/andhttp://<public_ip>:8081>/. The responses contain the HTTP headerAccess-Content-Allow-Origin: *as before this change.Running
BIND_HOST=localhost npm run startallows connecting tohttp://localhost:8081/but connections tohttp://<public_ip>:8081>/are no longer possible. It’s a purely local server now.Running
ORIGIN=https://example.com npm run startchanges the HTTP header in responses toAccess-Content-Allow-Origin: https://example.com. The server can no longer be accessed by arbitrary websites.Tests complain about
portbeingnumber | stringwhereasnumberis expected. This is unrelated to my change but I’ve fixed it.Checklist
Please add a
xinside each checkbox:(削除) I’ve also noticed that the script required fornpm run formatdoesn’t actually exist. I guessnpm run lintis meant here which for me errors out due to two warnings unrelated to my changes – but for some reason it succeeds in the CI runs (are these running an older lint version?). (削除ここまで)🐈