feat: Adding routes handling, always going through ROUTES instead of hardcoded everywhere#6886
feat: Adding routes handling, always going through ROUTES instead of hardcoded everywhere#6886DennisGaida wants to merge 22 commits intolouislam:masterfrom
Conversation
|
Looks interesting. |
|
There was a problem hiding this comment.
As you understood, it is not a security hardening(#6886 (comment)).
I prefer not to disturb existing users by changing all URLs just to satisfy a small number of users. I personally don't like it unfortunately.
I prefer to keep the original URLs by default.
However, it will only be accepted if:
-
It is controlled via an environment variable, may be
UPTIME_KUMA_FRONTEND_PREFIX? -
Since there are many hardcoded URLs or crafted URLs in this repo, automated tests do not cover everything 100%, so you MUST manually review all files in the repository. For example, I saw someone craft the url like this:
uptime-kuma/server/notification-providers/teams.js
Lines 217 to 219 in 0a578fa
-
For the same reason, you must manually test every feature.
I like that, good idea. Will have a think about this and add - ultimately I want the frontend itself to be at the root level and all "setting" / "admin" stuff to be in a subpath, but making this configurable for the user sounds perfect.
Of course I did that as good as I can. Clicking every button etc., but one can never be sure of course. But thanks for that example I'll go through stuff some more. For the PR, I will then just change the URLs to be the current state - in the end we would have cleaner URL management and not hardcoded URLs scattered everywhere and by environment variables you will be able to set "your own" path for admin stuff. |
…with no extension
…ts with no extension
…ork. - ran npm rnu test-backend-20
cbdd2ba to
a54283f
Compare
- routes built dynamically with buildRoutes() - e2e tests now use ROUTES instead of hardcoded paths
To not overcomplicate things, let's not have the possibility for cli injection of this parameter. Otherweise we would need to rewrite e.g. config.js
|
Alright. Made this less invasive by keeping the default (i.e. no prefix).
Whereas I do agree with you @louislam, that this is purely a UX feature and has no real security benefit, it would still feel better to to "block" all URLs beginning with "/admin" from public - but this is besides the point of this PR. This PR now only gives the possibility to users to set a prefix or don't (default). The biggest benefit of this PR though is that all the hardcoded paths are removed from the codebase. |
the regex was too broad matching administrative routes such as /status-page/add in addition to public routes such as /status/:slug.
Summary
I am fully aware this touches a lot of files, but in the end it all references back to
routes.ts. Even if you don't like the URLs I am proposing (/admin/...), these could be easily changed in theroutes.tsto the previous URLs/paths, but we would get away from those hardcoded paths.In this pull request, the following changes are made:
Implemented
routes.tsso all routes go through it for UX/UI and pretty URLsRemoves all hardcoded URLs / paths everywhere and I hope I haven't missed a spot
I tried testing all paths and all functionalities as well as setting up a completely new UK instance
All legacy URLs are being redirected automatically (see
routes.json the bottom) - no broken bookmarks/linksDocumentation & Tests never reference paths directly hence nothing to update
I don't know how to do CI tests locally, so I didn't do that next to
npm run dev,npm run tscandnode server/server.js, maybe there are some automatic GH actions?Resolves Consistent routes / URIs for easier security hardening #2505
Please follow this checklist to avoid unnecessary back and forth (click to expand)
I understand that I am responsible for and able to explain every line of code I submit.