Content-Length header set to 0 in GET requests for LNURL-auth #393

Closed
ekzyis opened this issue Aug 15, 2023 · 2 comments

@ekzyis
Contributor

ekzyis commented Aug 15, 2023

Hi, we've noticed that Phoenix sets the Content-Length header to 0 for the GET request to the LNURL-auth callback.

According to the HTTP spec, GET requests from user agents SHOULD NOT include the Content-Length header:

> A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data.

-- https://www.rfc-editor.org/rfc/rfc9110#field.content-length

See stackernews/stacker.news#407 for more details.

ekzyis changed the title from "Content-Length header set to 0 used in GET requests for LNURL-auth" to "Content-Length header set to 0 in GET requests for LNURL-auth" on Aug 15, 2023
robbiehanson added a commit that referenced this issue Nov 22, 2023
…s. Currently unsure if this fix should be applied here, or if we should instead petition for a change within Ktor, which would solve the issue more broadly.
@robbiehanson
Contributor

I investigated this, and confirmed that the Ktor library does indeed send "Content-Length: 0" for GET requests.

I also figured out how to remove it. But removing that header wasn't easy or straightforward. One has to use a custom plugin, and understand the internals of Ktor. In other words, it's basically undocumented.

> A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data.

I think this confirms that Ktor shouldn't be sending that header (at least not when method == GET && body.length == 0).

However "SHOULD NOT" is not the same as "MUST NOT". So if we follow the robustness principle:

> be conservative in what you send, be liberal in what you accept

then we'd probably conclude that:

  • the default server setup you're using is overly strict
  • Ktor should not be sending that header value by default

I think you already submitted an issue to NextJS?

And I submitted an issue to Ktor: KTOR-6508

@ekzyis
Contributor Author

ekzyis commented Nov 23, 2023

> However "SHOULD NOT" is not the same as "MUST NOT". So if we follow the robustness principle:
>
> > be conservative in what you send, be liberal in what you accept
>
> then we'd probably conclude that:
>
>   • the default server setup you're using is overly strict
>   • Ktor should not be sending that header value by default

Yes, that makes sense. We fixed it on our side by removing the Content-Length header on the login route in nginx :)

> I think you already submitted an issue to NextJS?

Looks like we did not! That was an oversight on our part. Will create one now.

Update: Other people already reported similar problems and in a comment, someone mentioned this Content-length: 0 problem. So I think they are already aware.
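
An added example, not code from Phoenix, Ktor, Stacker News or Next.js: one way a server-side layer could be liberal about the `Content-Length: 0` on GET discussed in this thread while staying strict about malformed or conflicting lengths. The names `normalizeContentLength` and `BODYLESS_METHODS`, the choice of GET and HEAD, and the sample headers are assumptions made for illustration.

```javascript
// Added example; function and constant names are hypothetical.
// Assumption: GET and HEAD are the methods treated as not anticipating content.
const BODYLESS_METHODS = new Set(['GET', 'HEAD']);

// rawHeaders uses the layout of Node's req.rawHeaders:
// [name1, value1, name2, value2, ...]
function normalizeContentLength(method, rawHeaders) {
  const values = [];
  const others = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    const value = rawHeaders[i + 1];
    if (name.toLowerCase() === 'content-length') {
      // A single field line may carry a comma-separated list of repeats.
      values.push(...value.split(',').map((v) => v.trim()));
    } else {
      others.push(name, value);
    }
  }
  if (values.length === 0) {
    return { status: 'ok', changed: false, rawHeaders };
  }

  // Strict part: every value must be decimal digits and all must agree,
  // so an ambiguous length is never forwarded to the application.
  const valid = values.every((v) => /^[0-9]+$/.test(v));
  const lengths = new Set(values.map((v) => v.replace(/^0+(?=\d)/, '')));
  if (!valid || lengths.size !== 1) {
    return { status: 'reject', code: 400,
             reason: 'invalid or conflicting Content-Length' };
  }

  // Liberal part: a zero length on a body-less method adds nothing,
  // so drop the header instead of failing the request.
  const length = [...lengths][0];
  if (BODYLESS_METHODS.has(method.toUpperCase()) && length === '0') {
    return { status: 'ok', changed: true, rawHeaders: others };
  }
  // Anything else is left untouched for the application to handle.
  return { status: 'ok', changed: false, rawHeaders };
}

// Constructed sample input: the request shape described in the issue.
const sampleHeaders = ['Host', 'example.invalid', 'Content-Length', '0'];
console.log(normalizeContentLength('GET', sampleHeaders));
```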
