INTERNALS/MAIN.GO: line 107: is writing the path in the proxy URL like this a privacy breach? #65

Closed
5 tasks
stravid87 opened this issue Dec 20, 2023 · 7 comments · Fixed by globe-and-citizen/layer8-interceptor#27 or globe-and-citizen/layer8-middleware#22

@stravid87
Contributor

stravid87 commented Dec 20, 2023

Description

Line 107 of the interceptor: is writing the path in the proxy URL like this a privacy breach?
r, err := http.NewRequest("POST", c.proxyURL+parsedURL.Path, bytes.NewBuffer(data))
This parsedURL.Path should really only be accessible to the S.P.
This information is carried to line 160 of server/tunnel.go

Requirements:

Tasks

Acceptance Criteria

When a frontend user creates a get, post, or other request type, this information should be fully hidden from the proxy and transmitted as part of the encrypted body only. The Service Provider should be able to access this information within the node.js backend by invoking the properties:

// The same applies to app.get and the other route methods.
app.post("/", (req, res) => {
  console.log(req.query); // an object containing a property for each query string parameter in the route
  console.log(req.path); // contains the path part of the request URL
});

Reference:
https://expressjs.com/en/api.html#req.path

@stravid87
Contributor Author

Currently this is now:

	backendURL := fmt.Sprintf(os.Getenv("VITE_BACKEND")+"%s", r.URL)
	// backendURL := fmt.Sprintf("https://%s%s", r.Header.Get("X-Forwarded-Host"), r.URL)

in server/handlers/tunnel.go

The path needs to be encrypted.

@stravid87 stravid87 transferred this issue from globe-and-citizen/layer8_dep May 21, 2024
@stravid87
Contributor Author

Note, Marc has requested to have access to params.
Solving this issue can be a challenge but should very much be possible.
The URL path and query params should be scrapped from the URL by the interceptor as well as the query params.
These should then be encrypted and transited through the proxy for decryption and attachment in the middleware such that the service provider receives them like normal and the proxy is ignorant to them.
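
One way the flow described in the comment above could look, as an added Go example that is not code from the Layer8 interceptor or middleware. The `envelope` layout, the names `seal`, `open` and `newGCM`, the `proxy.example` URL, and a 32-byte AES-256-GCM key already shared by client and service provider (and unknown to the proxy) are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

type envelope struct{ Method, Path, Query, Body string } // assumed plaintext layout

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: 32 bytes is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm
}

// seal (interceptor side) posts to the bare proxyURL; path and query exist only in the ciphertext.
func seal(key [32]byte, proxyURL, method string, parsedURL *url.URL, body string) (*http.Request, error) {
	plain, _ := json.Marshal(envelope{method, parsedURL.Path, parsedURL.RawQuery, body}) // strings only
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return http.NewRequest("POST", proxyURL, bytes.NewReader(gcm.Seal(nonce, nonce, plain, nil)))
}

func open(key [32]byte, ct []byte) (*envelope, error) { // middleware side
	gcm, e := newGCM(key), new(envelope)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("open: ciphertext shorter than nonce")
	}
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err // wrong key or altered bytes
	}
	return e, json.Unmarshal(plain, e)
}

func main() {
	u := &url.URL{Path: "/orders/42", RawQuery: "user=alice"} // constructed target; key below is a demo key
	if req, err := seal([32]byte{1}, "https://proxy.example", "GET", u, ""); err == nil {
		fmt.Println("proxy-visible URL:", req.URL)
	}
}
```

The ciphertext length still tracks the length of the path, query and body, so padding is a separate decision.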

@stravid87
Contributor Author

Nice work. Done & done.

@stravid87 stravid87 reopened this Jul 3, 2024
@stravid87
Contributor Author

stravid87 commented Jul 8, 2024

July 8 - 15

  • Add encrypted URL into the body during the Static function (effectively done)
  • Continue with experimentation on decrypting the body in the Middleware to get the URL back

@stravid87
Contributor Author

July 16 - 22

  • Open a formal PR on the Interceptor and Middleware for Daniel (+/- myself to review)

@stravid87
Contributor Author

July 29

@stravid87
Contributor Author

stravid87 commented Aug 5, 2024

Aug 5, 2024

Can we make the "/media" call on Line 644 in 'interceptor.go' dynamic?
Line 55 of server.go should be configurable to any string and still work if configured correctly in the frontend.

@stravid87 stravid87 closed this as completed by moving to Merged in Layer8 Sep 16, 2024