Skip to content

fix: handler HEAD calls in sse routes #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: handler HEAD calls in sse routes #96

wants to merge 2 commits into from
+26 −3

Conversation

@lucarin91
Copy link
Contributor

@lucarin91 lucarin91 commented Nov 20, 2025
edited
Loading

Motivation

On SSE handlers, we need to make sure that we early return in HEAD calls, otherwise we remain attacked forever.

Change description

Additional Notes

Reviewer checklist

  • PR addresses a single concern.
  • PR title and description are properly filled.
  • Changes will be merged in main.
  • Changes are covered by tests.
  • Logging is meaningful in case of troubleshooting.

@lucarin91 lucarin91 requested a review from dido18 November 20, 2025 16:42
@per1234 per1234 added the bug Something isn't working label Nov 20, 2025
dido18
dido18 reviewed Nov 21, 2025
View reviewed changes
Copy link
Contributor

@dido18 dido18 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest using a reusable middleware

func headMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "HEAD" {
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r)
	})
}

usage

	mux.Handle("GET /v1/apps/events", headMiddleware(handlers.HandlerAppStatus(dockerClient, idProvider, cfg)))

@lucarin91
Copy link
Contributor Author

lucarin91 commented Nov 21, 2025

I suggest using a reusable middleware

func headMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "HEAD" {
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r)
	})
}

usage

	mux.Handle("GET /v1/apps/events", headMiddleware(handlers.HandlerAppStatus(dockerClient, idProvider, cfg)))

I was thinking about that but I was also concern by the fact that I think the HEAD request should do the same parameter checks we are doing in the GET request and not always return 200 OK.

For instance, I would expect that

HEAD /v1/apps/<asd>/logs?tail=not-a-nuber

Will return an error because tail should be a number. In that sense the HEAD request is like a pre-fligth of the GET request. Anyway i didn't read explicit mansion of parameter validation in the HEAD semantics document here. They only say that the HEAD method should behave like the GET method without the body, which is a little bit left to the interpretation.

@dido18
Copy link
Contributor

dido18 commented Nov 21, 2025

But why is the FE sending the HEAD request?

I suggest using a reusable middleware

func headMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "HEAD" {
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r)
	})
}

usage

	mux.Handle("GET /v1/apps/events", headMiddleware(handlers.HandlerAppStatus(dockerClient, idProvider, cfg)))

I was thinking about that but I was also concern by the fact that I think the HEAD request should do the same parameter checks we are doing in the GET request and not always return 200 OK.

For instance, I would expect that

HEAD /v1/apps/<asd>/logs?tail=not-a-nuber

Will return an error because tail should be a number. In that sense the HEAD request is like a pre-fligth of the GET request. Anyway i didn't read explicit mansion of parameter validation in the HEAD semantics document here. They only say that the HEAD method should behave like the GET method without the body, which is a little bit left to the interpretation.

ok, it is strange that the FE is sending a HEAD to the SSE endpoint.
The standard definition mentions the fetch(GET) https://html.spec.whatwg.org/multipage/server-sent-events.html.

What clients is the FE using to call the SSE endpoint?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dido18 dido18 dido18 left review comments

@mirkoCrobu mirkoCrobu mirkoCrobu approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lucarin91 @dido18 @mirkoCrobu @per1234