fix(api): deny all API requests

There seems to be a relation to the persistent connections of the HTTP/2 (initial connection with TLS handshake is done to the dashboard; SNI is ‹dashboard.packit.dev› and with the same SNI it makes a request to the Packit Service API, thus resulting in the request being routed to the dashboard rather than the production API itself, since the routing for TLS Passthrough connections is done based on the SNI). Therefore yield 421 for each such misdirected request to force the browser to open a new connection. Fixes packit/packit-service#2529 Signed-off-by: Matej Focko <[email protected]>
packit · Jan 16, 2025 · 338767f · 338767f
1 parent 3bc9e5c
commit 338767f
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/packit_dashboard/api/routes.py b/packit_dashboard/api/routes.py
@@ -0,0 +1,26 @@
+# Copyright Contributors to the Packit project.
+# SPDX-License-Identifier: MIT
+
+from logging import getLogger
+
+from flask import Blueprint
+from flask_cors import CORS
+
+
+logger = getLogger("packit_dashboard")
+api = Blueprint(
+    "api",
+    __name__,
+)
+CORS(api)
+
+
+@api.route("/api/", defaults={"path": ""})
+@api.route("/api/<path:path>")
+def drop(path):
+    """
+    Return ‹421› for all misdirected requests that reused / used persistent
+    HTTP/2 connection with the wrong SNI and got routed via OpenShift to the
+    dashboard rather than the actual Packit Service API endpoint.
+    """
+    return ("", 421)
diff --git a/packit_dashboard/app.py b/packit_dashboard/app.py
@@ -6,6 +6,7 @@
 from flask import Flask
 from flask_talisman import Talisman
 
+from packit_dashboard.api.routes import api
 from packit_dashboard.home.routes import home
 
 app = Flask(
@@ -16,6 +17,7 @@
 # Note: Declare any other flask blueprints or routes above this.
 # Routes declared below this will be rendered by React
 app.register_blueprint(home)
+app.register_blueprint(api)
 
 
 # Enable CSP and HSTS