tauri-apps/archived-tauri-plugin-http
1
0
Fork 0
mirror of https://github.com/tauri-apps/tauri-plugin-http.git synced 2026-01-31 00:45:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: update to tauri beta, add permissions (#862)

Browse Source 
Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Co-authored-by: Lucas Nogueira <lucas@crabnebula.dev>

Committed via a GitHub action: https://github.com/tauri-apps/plugins-workspace/actions/runs/7768617455

Co-authored-by: lucasfernog <lucasfernog@users.noreply.github.com>
This commit is contained in:
Tillmann
2024-02-03 18:15:41 +00:00
committed by tauri-bot
parent abeeedc1b2
commit 2a6d37c849
16 changed files with 288 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
Cargo.toml
View File

@@ -6,10 +6,18 @@ edition = { workspace = true }
authors = { workspace = true }
license = { workspace = true }
rust-version = { workspace = true }
links = "tauri-plugin-http"
[package.metadata.docs.rs]
rustc-args = [ "--cfg", "docsrs" ]
rustdoc-args = [ "--cfg", "docsrs" ]
rustc-args = ["--cfg", "docsrs"]
rustdoc-args = ["--cfg", "docsrs"]
[build-dependencies]
tauri-plugin = { workspace = true, features = ["build"] }
schemars = { workspace = true }
serde = { workspace = true }
url = { workspace = true }
glob = "0.3"
[dependencies]
serde = { workspace = true }
@@ -24,22 +32,22 @@ url = { workspace = true }
data-url = "0.3"
[features]
multipart = [ "reqwest/multipart" ]
json = [ "reqwest/json" ]
stream = [ "reqwest/stream" ]
native-tls = [ "reqwest/native-tls" ]
native-tls-vendored = [ "reqwest/native-tls-vendored" ]
rustls-tls = [ "reqwest/rustls-tls" ]
default-tls = [ "reqwest/default-tls" ]
native-tls-alpn = [ "reqwest/native-tls-alpn" ]
rustls-tls-manual-roots = [ "reqwest/rustls-tls-manual-roots" ]
rustls-tls-webpki-roots = [ "reqwest/rustls-tls-webpki-roots" ]
rustls-tls-native-roots = [ "reqwest/rustls-tls-native-roots" ]
blocking = [ "reqwest/blocking" ]
cookies = [ "reqwest/cookies" ]
gzip = [ "reqwest/gzip" ]
brotli = [ "reqwest/brotli" ]
deflate = [ "reqwest/deflate" ]
trust-dns = [ "reqwest/trust-dns" ]
socks = [ "reqwest/socks" ]
http3 = [ "reqwest/http3" ]
multipart = ["reqwest/multipart"]
json = ["reqwest/json"]
stream = ["reqwest/stream"]
native-tls = ["reqwest/native-tls"]
native-tls-vendored = ["reqwest/native-tls-vendored"]
rustls-tls = ["reqwest/rustls-tls"]
default-tls = ["reqwest/default-tls"]
native-tls-alpn = ["reqwest/native-tls-alpn"]
rustls-tls-manual-roots = ["reqwest/rustls-tls-manual-roots"]
rustls-tls-webpki-roots = ["reqwest/rustls-tls-webpki-roots"]
rustls-tls-native-roots = ["reqwest/rustls-tls-native-roots"]
blocking = ["reqwest/blocking"]
cookies = ["reqwest/cookies"]
gzip = ["reqwest/gzip"]
brotli = ["reqwest/brotli"]
deflate = ["reqwest/deflate"]
trust-dns = ["reqwest/trust-dns"]
socks = ["reqwest/socks"]
http3 = ["reqwest/http3"]

40
build.rs Normal file
View File

@@ -0,0 +1,40 @@
// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
// SPDX-License-Identifier: Apache-2.0
// SPDX-License-Identifier: MIT
#[path = "src/scope.rs"]
#[allow(dead_code)]
mod scope;
const COMMANDS: &[&str] = &["fetch", "fetch_cancel", "fetch_send", "fetch_read_body"];
/// HTTP scope entry object definition.
#[derive(schemars::JsonSchema)]
struct ScopeEntry {
/// A URL that can be accessed by the webview when using the HTTP APIs.
/// The scoped URL is matched against the request URL using a glob pattern.
///
/// Examples:
///
/// - "https://*" or "https://**" : allows all HTTPS urls
///
/// - "https://*.github.com/tauri-apps/tauri": allows any subdomain of "github.com" with the "tauri-apps/api" path
///
/// - "https://myapi.service.com/users/*": allows access to any URLs that begins with "https://myapi.service.com/users/"
url: String,
}
// ensure scope entry is up to date
impl From<ScopeEntry> for scope::Entry {
fn from(value: ScopeEntry) -> Self {
scope::Entry {
url: value.url.parse().unwrap(),
}
}
}
fn main() {
tauri_plugin::Builder::new(COMMANDS)
.global_scope_schema(schemars::schema_for!(ScopeEntry))
.build();
}

2
node_modules/@tauri-apps/api generated vendored
View File

@@ -1 +1 @@
../../../../node_modules/.pnpm/@tauri-apps+api@2.0.0-alpha.13/node_modules/@tauri-apps/api
../../../../node_modules/.pnpm/@tauri-apps+api@2.0.0-beta.0/node_modules/@tauri-apps/api

2
package.json
View File

@@ -23,6 +23,6 @@
"LICENSE"
],
"dependencies": {
"@tauri-apps/api": "2.0.0-alpha.13"
"@tauri-apps/api": "2.0.0-beta.0"
}
}

1
permissions/.dgitignore Normal file
View File

@@ -0,0 +1 @@
schemas/

1
permissions/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
schemas/

13
permissions/autogenerated/commands/fetch.toml Normal file
View File

@@ -0,0 +1,13 @@
# Automatically generated - DO NOT EDIT!
"$schema" = "../../schemas/schema.json"
[[permission]]
identifier = "allow-fetch"
description = "Enables the fetch command without any pre-configured scope."
commands.allow = ["fetch"]
[[permission]]
identifier = "deny-fetch"
description = "Denies the fetch command without any pre-configured scope."
commands.deny = ["fetch"]

13
permissions/autogenerated/commands/fetch_cancel.toml Normal file
View File

@@ -0,0 +1,13 @@
# Automatically generated - DO NOT EDIT!
"$schema" = "../../schemas/schema.json"
[[permission]]
identifier = "allow-fetch-cancel"
description = "Enables the fetch_cancel command without any pre-configured scope."
commands.allow = ["fetch_cancel"]
[[permission]]
identifier = "deny-fetch-cancel"
description = "Denies the fetch_cancel command without any pre-configured scope."
commands.deny = ["fetch_cancel"]

13
permissions/autogenerated/commands/fetch_read_body.toml Normal file
View File

@@ -0,0 +1,13 @@
# Automatically generated - DO NOT EDIT!
"$schema" = "../../schemas/schema.json"
[[permission]]
identifier = "allow-fetch-read-body"
description = "Enables the fetch_read_body command without any pre-configured scope."
commands.allow = ["fetch_read_body"]
[[permission]]
identifier = "deny-fetch-read-body"
description = "Denies the fetch_read_body command without any pre-configured scope."
commands.deny = ["fetch_read_body"]

13
permissions/autogenerated/commands/fetch_send.toml Normal file
View File

@@ -0,0 +1,13 @@
# Automatically generated - DO NOT EDIT!
"$schema" = "../../schemas/schema.json"
[[permission]]
identifier = "allow-fetch-send"
description = "Enables the fetch_send command without any pre-configured scope."
commands.allow = ["fetch_send"]
[[permission]]
identifier = "deny-fetch-send"
description = "Denies the fetch_send command without any pre-configured scope."
commands.deny = ["fetch_send"]

38
permissions/autogenerated/reference.md Normal file
View File

@@ -0,0 +1,38 @@
# Permissions
## allow-fetch
Enables the fetch command without any pre-configured scope.
## deny-fetch
Denies the fetch command without any pre-configured scope.
## allow-fetch-cancel
Enables the fetch_cancel command without any pre-configured scope.
## deny-fetch-cancel
Denies the fetch_cancel command without any pre-configured scope.
## allow-fetch-read-body
Enables the fetch_read_body command without any pre-configured scope.
## deny-fetch-read-body
Denies the fetch_read_body command without any pre-configured scope.
## allow-fetch-send
Enables the fetch_send command without any pre-configured scope.
## deny-fetch-send
Denies the fetch_send command without any pre-configured scope.
## default
Allows all fetch operations

9
permissions/default.toml Normal file
View File

@@ -0,0 +1,9 @@
"$schema" = "schemas/schema.json"
[default]
description = "Allows all fetch operations"
permissions = [
"allow-fetch",
"allow-fetch-cancel",
"allow-fetch-read-body",
"allow-fetch-send",
]

34
src/commands.rs
View File

@@ -7,9 +7,17 @@ use std::{collections::HashMap, future::Future, pin::Pin, sync::Arc, time::Durat
use http::{header, HeaderName, HeaderValue, Method, StatusCode};
use reqwest::{redirect::Policy, NoProxy};
use serde::{Deserialize, Serialize};
use tauri::{async_runtime::Mutex, command, AppHandle, Manager, ResourceId, Runtime};
use tauri::{
async_runtime::Mutex,
command,
ipc::{CommandScope, GlobalScope},
AppHandle, Manager, ResourceId, Runtime,
};
use crate::{Error, HttpExt, Result};
use crate::{
scope::{Entry, Scope},
Error, Result,
};
struct ReqwestResponse(reqwest::Response);
@@ -131,6 +139,8 @@ fn attach_proxy(
pub async fn fetch<R: Runtime>(
app: AppHandle<R>,
client_config: ClientConfig,
command_scope: CommandScope<'_, Entry>,
global_scope: GlobalScope<'_, Entry>,
) -> crate::Result<ResourceId> {
let ClientConfig {
method,
@@ -148,7 +158,20 @@ pub async fn fetch<R: Runtime>(
match scheme {
"http" | "https" => {
if app.http().scope.is_allowed(&url) {
if Scope::new(
command_scope
.allows()
.iter()
.chain(global_scope.allows())
.collect(),
command_scope
.denies()
.iter()
.chain(global_scope.denies())
.collect(),
)
.is_allowed(&url)
{
let mut builder = reqwest::ClientBuilder::new();
if let Some(timeout) = connect_timeout {
@@ -238,10 +261,11 @@ pub async fn fetch_cancel<R: Runtime>(app: AppHandle<R>, rid: ResourceId) -> cra
};
let mut req = req.0.lock().await;
*req = Box::pin(async { Err(Error::RequestCanceled) });
Ok(())
}
#[command]
#[tauri::command]
pub async fn fetch_send<R: Runtime>(
app: AppHandle<R>,
rid: ResourceId,
@@ -278,7 +302,7 @@ pub async fn fetch_send<R: Runtime>(
})
}
#[command]
#[tauri::command]
pub(crate) async fn fetch_read_body<R: Runtime>(
app: AppHandle<R>,
rid: ResourceId,

22
src/config.rs
View File

@@ -1,22 +0,0 @@
// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
// SPDX-License-Identifier: Apache-2.0
// SPDX-License-Identifier: MIT
use serde::Deserialize;
#[derive(Deserialize)]
pub struct Config {
pub scope: HttpAllowlistScope,
}
/// HTTP API scope definition.
/// It is a list of URLs that can be accessed by the webview when using the HTTP APIs.
/// The scoped URL is matched against the request URL using a glob pattern.
///
/// Examples:
/// - "https://*" or "https://**" : allows all HTTPS urls
/// - "https://*.github.com/tauri-apps/tauri": allows any subdomain of "github.com" with the "tauri-apps/api" path
/// - "https://myapi.service.com/users/*": allows access to any URLs that begins with "https://myapi.service.com/users/"
#[allow(rustdoc::bare_urls)]
#[derive(Debug, Default, PartialEq, Eq, Clone, Deserialize)]
pub struct HttpAllowlistScope(pub Vec<String>);

20
src/lib.rs
View File

@@ -12,18 +12,15 @@ use tauri::{
AppHandle, Manager, Runtime,
};
use crate::config::{Config, HttpAllowlistScope};
pub use error::{Error, Result};
mod commands;
mod config;
mod error;
mod scope;
struct Http<R: Runtime> {
#[allow(dead_code)]
app: AppHandle<R>,
scope: scope::Scope,
}
trait HttpExt<R: Runtime> {
@@ -36,8 +33,8 @@ impl<R: Runtime, T: Manager<R>> HttpExt<R> for T {
}
}
pub fn init<R: Runtime>() -> TauriPlugin<R, Option<Config>> {
Builder::<R, Option<Config>>::new("http")
pub fn init<R: Runtime>() -> TauriPlugin<R> {
Builder::<R>::new("http")
.js_init_script(include_str!("api-iife.js").to_string())
.invoke_handler(tauri::generate_handler![
commands::fetch,
@@ -45,17 +42,8 @@ pub fn init<R: Runtime>() -> TauriPlugin<R, Option<Config>> {
commands::fetch_send,
commands::fetch_read_body,
])
.setup(|app, api| {
let default_scope = HttpAllowlistScope::default();
app.manage(Http {
app: app.clone(),
scope: scope::Scope::new(
api.config()
.as_ref()
.map(|c| &c.scope)
.unwrap_or(&default_scope),
),
});
.setup(|app, _api| {
app.manage(Http { app: app.clone() });
Ok(())
})
.build()

120
src/scope.rs
View File

@@ -2,52 +2,92 @@
// SPDX-License-Identifier: Apache-2.0
// SPDX-License-Identifier: MIT
use glob::Pattern;
use reqwest::Url;
use serde::{Deserialize, Deserializer};
use url::Url;
use crate::config::HttpAllowlistScope;
/// Scope for filesystem access.
#[derive(Debug, Clone)]
pub struct Scope {
allowed_urls: Vec<Pattern>,
#[allow(rustdoc::bare_urls)]
#[derive(Debug)]
pub struct Entry {
pub url: glob::Pattern,
}
impl Scope {
/// Creates a new scope from the scope configuration.
pub(crate) fn new(scope: &HttpAllowlistScope) -> Self {
Self {
allowed_urls: scope
.0
.iter()
.map(|url| {
glob::Pattern::new(url).unwrap_or_else(|_| {
panic!("scoped URL is not a valid glob pattern: `{url}`")
})
})
.collect(),
impl<'de> Deserialize<'de> for Entry {
fn deserialize<D>(deserializer: D) -> std::result::Result<Self, D::Error>
where
D: Deserializer<'de>,
{
#[derive(Deserialize)]
struct EntryRaw {
url: String,
}
EntryRaw::deserialize(deserializer).and_then(|raw| {
Ok(Entry {
url: glob::Pattern::new(&raw.url).map_err(|e| {
serde::de::Error::custom(format!(
"URL `{}` is not a valid glob pattern: {e}",
raw.url
))
})?,
})
})
}
}
/// Scope for filesystem access.
#[derive(Debug)]
pub struct Scope<'a> {
allowed: Vec<&'a Entry>,
denied: Vec<&'a Entry>,
}
impl<'a> Scope<'a> {
/// Creates a new scope from the scope configuration.
pub(crate) fn new(allowed: Vec<&'a Entry>, denied: Vec<&'a Entry>) -> Self {
Self { allowed, denied }
}
/// Determines if the given URL is allowed on this scope.
pub fn is_allowed(&self, url: &Url) -> bool {
self.allowed_urls.iter().any(|allowed| {
allowed.matches(url.as_str())
|| allowed.matches(url.as_str().strip_suffix('/').unwrap_or_default())
})
let denied = self.denied.iter().any(|entry| {
entry.url.matches(url.as_str())
|| entry
.url
.matches(url.as_str().strip_suffix('/').unwrap_or_default())
});
if denied {
false
} else {
self.allowed.iter().any(|entry| {
entry.url.matches(url.as_str())
|| entry
.url
.matches(url.as_str().strip_suffix('/').unwrap_or_default())
})
}
}
}
#[cfg(test)]
mod tests {
use crate::config::HttpAllowlistScope;
use std::str::FromStr;
use super::Entry;
impl FromStr for Entry {
type Err = glob::PatternError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
let pattern = s.parse()?;
Ok(Self { url: pattern })
}
}
#[test]
fn is_allowed() {
// plain URL
let scope = super::Scope::new(&HttpAllowlistScope(vec!["http://localhost:8080"
.parse()
.unwrap()]));
let entry = "http://localhost:8080".parse().unwrap();
let scope = super::Scope::new(vec![&entry], Vec::new());
assert!(scope.is_allowed(&"http://localhost:8080".parse().unwrap()));
assert!(scope.is_allowed(&"http://localhost:8080/".parse().unwrap()));
@@ -57,10 +97,15 @@ mod tests {
assert!(!scope.is_allowed(&"http://localhost:8081".parse().unwrap()));
assert!(!scope.is_allowed(&"http://local:8080".parse().unwrap()));
// deny takes precedence
let allow = "http://localhost:8080/file.png".parse().unwrap();
let deny = "http://localhost:8080/*".parse().unwrap();
let scope = super::Scope::new(vec![&allow], vec![&deny]);
assert!(!scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
// URL with fixed path
let scope = super::Scope::new(&HttpAllowlistScope(vec!["http://localhost:8080/file.png"
.parse()
.unwrap()]));
let entry = "http://localhost:8080/file.png".parse().unwrap();
let scope = super::Scope::new(vec![&entry], Vec::new());
assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
@@ -69,22 +114,23 @@ mod tests {
assert!(!scope.is_allowed(&"http://localhost:8080/file.png/other.jpg".parse().unwrap()));
// URL with glob pattern
let scope = super::Scope::new(&HttpAllowlistScope(vec!["http://localhost:8080/*.png"
.parse()
.unwrap()]));
let entry = "http://localhost:8080/*.png".parse().unwrap();
let scope = super::Scope::new(vec![&entry], Vec::new());
assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
assert!(scope.is_allowed(&"http://localhost:8080/assets/file.png".parse().unwrap()));
assert!(!scope.is_allowed(&"http://localhost:8080/file.jpeg".parse().unwrap()));
let scope = super::Scope::new(&HttpAllowlistScope(vec!["http://*".parse().unwrap()]));
let entry = "http://*".parse().unwrap();
let scope = super::Scope::new(vec![&entry], Vec::new());
assert!(scope.is_allowed(&"http://something.else".parse().unwrap()));
assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
assert!(!scope.is_allowed(&"https://something.else".parse().unwrap()));
let scope = super::Scope::new(&HttpAllowlistScope(vec!["http://**".parse().unwrap()]));
let entry = "http://**".parse().unwrap();
let scope = super::Scope::new(vec![&entry], Vec::new());
assert!(scope.is_allowed(&"http://something.else".parse().unwrap()));
assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));