annotate mod_rest/apidemo.lib.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:20:55 +0200
parents d03448560acf
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local _M = {};
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local api_demo = module:get_option_path("rest_demo_resources", nil);
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local http_files = require "net.http.files";
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local mime_map = module:shared("/*/http_files/mime").types or {css = "text/css"; js = "application/javascript"};
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 _M.resources = http_files.serve({
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 path = api_demo;
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 mime_map = mime_map;
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 });
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local index do
4929
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
14 local f, err = io.open(api_demo.."/index.html");
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
15 if not f then
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
16 module:log("error", "Could not open resource: %s", err);
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
17 module:log("error", "'rest_demo_resources' should point to the 'dist' directory");
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
18 return _M
d5612dcf6733 mod_rest/apidemo: Don't show traceback to users on config/resource problem
Kim Alvefur <zash@zash.se>
parents: 4728
diff changeset
19 end
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 index = f:read("*a");
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 f:close();
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 -- SUCH HACK, VERY GSUB, WOW!
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 index = index:gsub("(%s?url%s*:%s*)%b\"\"", string.format("%%1%q", module:http_url().."/demo/openapi.yaml"), 1);
4550
0befc680970b mod_rest/apidemo: Disable validator
Kim Alvefur <zash@zash.se>
parents: 4528
diff changeset
25 index = index:gsub("(%s*SwaggerUIBundle%s*%(%s*{)(%s*)", "%1%2validatorUrl: false,%2");
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 do
4528
fd15e7f00ff5 mod_rest: Move openapi spec into res/ dir to get it included in rocks
Kim Alvefur <zash@zash.se>
parents: 4498
diff changeset
29 local f = module:load_resource("res/openapi.yaml");
5220
d03448560acf mod_rest: Point URLs to mod_http_oauth2 in demo mode
Kim Alvefur <zash@zash.se>
parents: 4929
diff changeset
30 local openapi = f:read("*a");
d03448560acf mod_rest: Point URLs to mod_http_oauth2 in demo mode
Kim Alvefur <zash@zash.se>
parents: 4929
diff changeset
31 openapi = openapi:gsub("https://example%.com/oauth2", module:http_url("oauth2"));
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 _M.schema = {
4498
1776831d0fab mod_rest/apidemo: Serve yaml with a (non-standard) content-type
Kim Alvefur <zash@zash.se>
parents: 4488
diff changeset
33 headers = {
1776831d0fab mod_rest/apidemo: Serve yaml with a (non-standard) content-type
Kim Alvefur <zash@zash.se>
parents: 4488
diff changeset
34 content_type = "text/x-yaml";
1776831d0fab mod_rest/apidemo: Serve yaml with a (non-standard) content-type
Kim Alvefur <zash@zash.se>
parents: 4488
diff changeset
35 };
5220
d03448560acf mod_rest: Point URLs to mod_http_oauth2 in demo mode
Kim Alvefur <zash@zash.se>
parents: 4929
diff changeset
36 body = openapi;
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 }
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 f:close();
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 end
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 _M.redirect = {
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 status_code = 303;
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 headers = {
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 location = module:http_url().."/demo/";
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 };
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 };
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 _M.main_page = {
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 headers = {
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 content_type = "text/html";
4550
0befc680970b mod_rest/apidemo: Disable validator
Kim Alvefur <zash@zash.se>
parents: 4528
diff changeset
51 content_security_policy = "default-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'";
4488
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 };
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 body = index;
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 }
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55
eea62d30ae08 mod_rest: Add option for serving interactive openapi documentation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 return _M