From 28dcfca47b5cc11760e7d4d66a6ce1d18bf978a0 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Sun, 25 Sep 2022 16:35:01 +0000
Subject: [PATCH] add sensitive-headers

---
 web3_proxy/Cargo.toml | 2 +-
 web3_proxy/src/frontend/mod.rs | 18 ++++++++++++------
 web3_proxy/src/frontend/{http.rs => status.rs} | 0
 3 files changed, 13 insertions(+), 7 deletions(-)
 rename web3_proxy/src/frontend/{http.rs => status.rs} (100%)

diff --git a/web3_proxy/Cargo.toml b/web3_proxy/Cargo.toml
index f352d92d..979a7ac5 100644
--- a/web3_proxy/Cargo.toml
+++ b/web3_proxy/Cargo.toml
@@ -67,7 +67,7 @@ toml = "0.5.9"
 tower = "0.4.13"
 # TODO: i don't think we need this. we can use it from tower-http instead. though this seems to use ulid and not uuid?
 tower-request-id = "0.2.0"
-tower-http = { version = "0.3.4", features = ["cors", "trace"] }
+tower-http = { version = "0.3.4", features = ["cors", "sensitive-headers", "trace"] }
 tracing = "0.1.36"
 # TODO: tracing-subscriber has serde and serde_json features that we might want to use
 tracing-subscriber = { version = "0.3.15", features = ["env-filter", "parking_lot"] }
diff --git a/web3_proxy/src/frontend/mod.rs b/web3_proxy/src/frontend/mod.rs
index 11bfd582..827c8a2e 100644
--- a/web3_proxy/src/frontend/mod.rs
+++ b/web3_proxy/src/frontend/mod.rs
@@ -1,21 +1,24 @@
 pub mod authorization;
 mod errors;
-mod http;
 mod rpc_proxy_http;
 mod rpc_proxy_ws;
+mod status;
 mod users;
 
 use crate::app::Web3ProxyApp;
-use ::http::Request;
 use axum::{
     body::Body,
     handler::Handler,
     routing::{get, post},
     Extension, Router,
 };
+use http::header::AUTHORIZATION;
+use http::Request;
+use std::iter::once;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tower_http::cors::CorsLayer;
+use tower_http::sensitive_headers::SetSensitiveRequestHeadersLayer;
 use tower_http::trace::TraceLayer;
 use tower_request_id::{RequestId, RequestIdLayer};
 use tracing::{error_span, info};
@@ -57,10 +60,10 @@ pub async fn serve(port: u16, proxy_app: Arc) -> anyhow::Result<()
             "/rpc/:user_key",
             get(rpc_proxy_ws::websocket_handler_with_key),
         )
-        .route("/rpc/health", get(http::health))
-        .route("/rpc/status", get(http::status))
+        .route("/rpc/health", get(status::health))
+        .route("/rpc/status", get(status::status))
         // TODO: make this optional or remove it since it is available on another port
-        .route("/rpc/prometheus", get(http::prometheus))
+        .route("/rpc/prometheus", get(status::prometheus))
         .route("/rpc/user/login/:user_address", get(users::get_login))
         .route(
             "/rpc/user/login/:user_address/:message_eip",
@@ -71,13 +74,16 @@ pub async fn serve(port: u16, proxy_app: Arc) -> anyhow::Result<()
         .route("/rpc/user/logout", get(users::get_logout))
         // layers are ordered bottom up
         // the last layer is first for requests and last for responses
-        .layer(Extension(proxy_app))
+        // Mark the `Authorization` request header as sensitive so it doesn't show in logs
+        .layer(SetSensitiveRequestHeadersLayer::new(once(AUTHORIZATION)))
         // add the request id to our tracing logs
         .layer(request_tracing_layer)
         // handle cors
         .layer(CorsLayer::very_permissive())
         // create a unique id for each request
         .layer(RequestIdLayer)
+        // application state
+        .layer(Extension(proxy_app))
         // 404 for any unknown routes
         .fallback(errors::handler_404.into_service());
 
diff --git a/web3_proxy/src/frontend/http.rs b/web3_proxy/src/frontend/status.rs
similarity index 100%
rename from web3_proxy/src/frontend/http.rs
rename to web3_proxy/src/frontend/status.rs
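Review bot: The new `SetSensitiveRequestHeadersLayer` is added before `.layer(request_tracing_layer)` in a `Router::layer` chain, and by the hunk's own comment ("the last layer is first for requests") that makes it the inner layer, so the trace layer sees the request — and any header it records in its span or `on_request` hook — before `Authorization` has been marked sensitive. Moving the call together with its comment to just after `.layer(request_tracing_layer)` puts the marking ahead of tracing on the request path; its order relative to `CorsLayer` and `RequestIdLayer` does not matter for this. Whether the trace layer actually emits headers depends on how `request_tracing_layer` is built, which is outside this hunk, and `serve` itself starts and ends outside it. Note also that marking a header sensitive does not cover credentials carried in the URL path, such as the `:user_key` segment in the routes of the previous hunk, which a span that records the request URI will still capture.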