47 changes: 43 additions & 4 deletions src/cortex-app-server/src/lib.rs
Expand Up @@ -57,18 +57,17 @@ pub async fn run_with_shutdown<F>(config: ServerConfig, shutdown: F) -> anyhow::
where
F: std::future::Future<Output = ()> + Send + 'static,
{
let addr: SocketAddr = config.listen_addr.parse()?;

// Warn if authentication is disabled
if !config.auth.enabled {
warn!("Server running without authentication!");
warn!("Anyone on the network can access this server.");
warn!("Use --auth to enable authentication.");
warn_auth_disabled(addr);
}

let state = Arc::new(AppState::new(config.clone()).await?);
let state_for_cleanup = Arc::clone(&state);
let app = create_router_with_state(state);

let addr: SocketAddr = config.listen_addr.parse()?;
info!("Starting Cortex server on {}", addr);

// Start mDNS publisher if enabled
Expand Down Expand Up @@ -121,6 +120,20 @@ where
Ok(())
}

fn warn_auth_disabled(addr: SocketAddr) {
warn!("Server running without authentication!");
warn!("{}", auth_disabled_exposure_warning(addr));
warn!("Use --auth to enable authentication.");
}

fn auth_disabled_exposure_warning(addr: SocketAddr) -> &'static str {
if addr.ip().is_loopback() {
"Only local processes can access this server."
} else {
"Anyone on the network can access this server."
}
}

/// Create the application router.
pub fn create_router(state: AppState) -> Router {
create_router_with_state(Arc::new(state))
Expand All @@ -143,3 +156,29 @@ pub fn create_router_with_state(state: Arc<AppState>) -> Router {
.layer(CorsLayer::permissive())
.with_state(state)
}

#[cfg(test)]
mod tests {
use super::auth_disabled_exposure_warning;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

#[test]
fn test_auth_disabled_exposure_warning_for_loopback_and_network_binds() {
let ipv4_loopback = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 3000);
let ipv6_loopback = SocketAddr::new(IpAddr::V6(Ipv6Addr::LOCALHOST), 3000);
let wildcard = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 3000);

assert_eq!(
auth_disabled_exposure_warning(ipv4_loopback),
"Only local processes can access this server."
);
assert_eq!(
auth_disabled_exposure_warning(ipv6_loopback),
"Only local processes can access this server."
);
assert_eq!(
auth_disabled_exposure_warning(wildcard),
"Anyone on the network can access this server."
);
}
}
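Review bot: The loopback branch of `auth_disabled_exposure_warning` tells the operator "Only local processes can access this server.", which understates the exposure while `create_router_with_state` still applies `CorsLayer::permissive()` (visible in the context lines of the last hunk). With authentication off and permissive CORS, a page open in a browser on the same host can send cross-origin requests to the loopback listener and read the responses, and any other local user account can connect too. I would reword the string to something like `"Reachable only from this host, but any local user or browser page can still call it."` and update the two loopback assertions in the test to match; restricting CORS when auth is disabled would be a separate change. The body of `create_router_with_state` starts outside the hunk, so whether another layer narrows the allowed origins cannot be confirmed from here.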