From c5d85f1722136da53f935b4383e764975f88b436 Mon Sep 17 00:00:00 2001
From: Grant Linville
Date: Wed, 4 Dec 2024 13:45:35 -0500
Subject: [PATCH] chore: openapi: remove https restriction (#916)

Signed-off-by: Grant Linville
---
 docs/docs/03-tools/03-openapi.md | 6 ------
 pkg/engine/openapi.go | 20 +++++++++-----------
 pkg/openapi/run.go | 23 +++++++++-------------
 3 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/docs/docs/03-tools/03-openapi.md b/docs/docs/03-tools/03-openapi.md
index 0b0f4961..e99172eb 100644
--- a/docs/docs/03-tools/03-openapi.md
+++ b/docs/docs/03-tools/03-openapi.md
@@ -41,12 +41,6 @@ Will be resolved as `https://api.example.com/v1`.
 ## Authentication
-:::warning
-All authentication options will be completely ignored if the server uses HTTP and not HTTPS, unless the request is for `localhost` or 127.0.0.1. This is to protect users from accidentally sending credentials in plain text. HTTP is only OK, if it's on localhost/127.0.0.1.
-:::
 ### 1. Security Schemes
 GPTScript will read the defined [security schemes](https://swagger.io/docs/specification/authentication/) in the OpenAPI definition. The currently supported types are `apiKey` and `http`.
diff --git a/pkg/engine/openapi.go b/pkg/engine/openapi.go
index a951bd37..a9a1a644 100644
--- a/pkg/engine/openapi.go
+++ b/pkg/engine/openapi.go
@@ -197,19 +197,17 @@ func (e *Engine) runOpenAPI(tool types.Tool, input string) (*Return, error) {
 return nil, fmt.Errorf("failed to create request: %w", err)
 }
- // Check for authentication (only if using HTTPS or localhost)
- if u.Scheme == "https" || u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1" {
- if len(instructions.SecurityInfos) > 0 {
- if err := openapi.HandleAuths(req, envMap, instructions.SecurityInfos); err != nil {
- return nil, fmt.Errorf("error setting up authentication: %w", err)
- }
+ // Check for authentication
+ if len(instructions.SecurityInfos) > 0 {
+ if err := openapi.HandleAuths(req, envMap, instructions.SecurityInfos); err != nil {
+ return nil, fmt.Errorf("error setting up authentication: %w", err)
 }
+ }
- // If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
- if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
- if req.Header.Get("Authorization") == "" {
- req.Header.Set("Authorization", "Bearer "+token)
- }
+ // If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
+ if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
+ if req.Header.Get("Authorization") == "" {
+ req.Header.Set("Authorization", "Bearer "+token)
 }
 }
diff --git a/pkg/openapi/run.go b/pkg/openapi/run.go
index ac1ec660..237d8b57 100644
--- a/pkg/openapi/run.go
+++ b/pkg/openapi/run.go
@@ -8,7 +8,6 @@ import (
 "mime/multipart"
 "net/http"
 "net/url"
- "os"
 "strings"
 "github.com/getkin/kin-openapi/openapi3"
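Review bot: With the scheme check gone, the credentials set by `openapi.HandleAuths` and the `GPTSCRIPT_<HOST>_BEARER_TOKEN` fallback are now attached to plain-`http` requests to non-loopback hosts without any signal to the user, and because the env key is derived from `u.Hostname()` alone, a token configured for a host's HTTPS endpoint is also sent in cleartext whenever the spec's server URL (or the resolved default host) uses `http://` for that same host. The commit deletes the docs warning that described the old behaviour but documents nothing in its place; the new comment should at least state the contract, e.g. `// Check for authentication. Credentials are attached regardless of URL scheme, so an http:// server in the spec receives them in cleartext.` Rather than stay silent, I would also log a warning before the auth block when `u.Scheme != "https" && u.Hostname() != "localhost" && !net.ParseIP(u.Hostname()).IsLoopback()` — which logger the engine has available is not visible in this hunk. `runOpenAPI` begins and continues outside the hunk.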
@@ -69,22 +68,18 @@ func Run(operationID, defaultHost, args string, t *openapi3.T, envs []string) (s
 return "", false, fmt.Errorf("failed to create request: %w", err)
 }
- // Check for authentication (only if using HTTPS or localhost)
- if u.Scheme == "https" || u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1" {
- if len(opInfo.SecurityInfos) > 0 {
- if err := HandleAuths(req, envMap, opInfo.SecurityInfos); err != nil {
- return "", false, fmt.Errorf("error setting up authentication: %w", err)
- }
+ // Check for authentication
+ if len(opInfo.SecurityInfos) > 0 {
+ if err := HandleAuths(req, envMap, opInfo.SecurityInfos); err != nil {
+ return "", false, fmt.Errorf("error setting up authentication: %w", err)
 }
+ }
- // If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
- if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
- if req.Header.Get("Authorization") == "" {
- req.Header.Set("Authorization", "Bearer "+token)
- }
+ // If there is a bearer token set for the whole server, and no Authorization header has been defined, use it.
+ if token, ok := envMap["GPTSCRIPT_"+env.ToEnvLike(u.Hostname())+"_BEARER_TOKEN"]; ok {
+ if req.Header.Get("Authorization") == "" {
+ req.Header.Set("Authorization", "Bearer "+token)
 }
- } else {
- fmt.Fprintf(os.Stderr, "no auth")
 }
 // Handle query parameters
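Review bot: The auth-injection sequence added here in `Run` is now line-for-line the same as the one in `engine.runOpenAPI` (same `HandleAuths` call, same `GPTSCRIPT_<HOST>_BEARER_TOKEN` lookup, same `Authorization` fallback), and the two copies had already drifted once — the old side of this hunk carried an `else { fmt.Fprintf(os.Stderr, "no auth") }` branch that the engine side never had. Since the engine package already imports this one, moving the block into a single exported helper in this package, something like `func ApplyAuth(req *http.Request, u *url.URL, envMap map[string]string, infos []SecurityInfo) error` called from both sites, would keep them in step and give one place to add a cleartext-HTTP warning now that the scheme check is gone. The element type of `opInfo.SecurityInfos` is not visible in the hunk, so the parameter type above is a guess. `Run` begins and continues outside this hunk.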