eric/duckdb-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: eric:v1.3.2
Branches Tags
eric:main eric:backup-before-squash-20250913-180154 eric:yl/format-check eric:yl/debug-certs-error eric:yl/listen-interface
eric:v1.3.2
..
compare: eric:backup-before-squash-20250913-180154
Branches Tags
eric:main eric:backup-before-squash-20250913-180154 eric:yl/format-check eric:yl/debug-certs-error eric:yl/listen-interface
eric:v1.3.2

9 Commits
v1.3.2 ... backup-bef

Author SHA1 Message Date
Eric Liu
baca4b7761 Refactor GitHub Actions workflow for Gitea Packages: streamline preflight upload process, enhance authentication handling using GitHub actor, and remove redundant debug outputs for improved clarity.
All checks were successful
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Successful in 25m15s
Details
2025-09-13 17:23:52 +00:00
Eric Liu
5d4321cb36 Update GitHub Actions workflow to use RELEASE_TOKEN for Gitea Packages upload, ensuring consistent authentication across steps.
Some checks failed
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Has been cancelled
Details
2025-09-13 17:21:46 +00:00
Eric Liu
3481b914b1 Refactor GitHub Actions workflow for Gitea Packages: update to use RELEASE_TOKEN for authentication, enhance server URL normalization, and improve error handling for HTTP responses during uploads.
Some checks failed
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Has been cancelled
Details
2025-09-13 17:20:04 +00:00
Eric Liu
63c713dab0 Enhance GitHub Actions workflow for Gitea Packages by adding jq to dependencies, improving server URL normalization, and refining error handling for preflight uploads with support for HTTP redirects.
Some checks failed
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Failing after 12s
Details
2025-09-13 17:15:49 +00:00
Eric Liu
2be3632ac7 Add preflight upload step to GitHub Actions workflow for Gitea Packages, including token validation and error handling for uploads.
Some checks failed
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Failing after 13s
Details
2025-09-13 17:10:47 +00:00
Eric Liu
14debc4d35 Update GitHub Actions workflow to use RELEASE_TOKEN for manual repository checkout step, enhancing security and access control.
Some checks failed
Build linux_amd64 extension and upload to Packages / build-linux-amd64 (push) Failing after 25m20s
Details
2025-09-13 06:31:59 +00:00
Eric Liu
a3526d3eb4 Update GitHub Actions workflow to trigger on pushes to the main branch, ensuring builds are initiated for the latest changes. 2025-09-13 06:05:34 +00:00
Eric Liu
af15bb9036 Add manual repository checkout step in GitHub Actions workflow for linux_amd64 build to ensure proper initialization and status verification. 2025-09-13 06:00:04 +00:00
Eric Liu
dc74e53e77 Enhance GitHub Actions workflow for linux_amd64 build: add workspace status check, initialize submodules, build release, and compute package version before uploading to Gitea Packages. 2025-09-13 05:58:00 +00:00
2 changed files with 9 additions and 90 deletions
Expand all files Collapse all files

17
.github/workflows/build-linux-amd64.yml vendored
View File

@@ -188,19 +188,4 @@ jobs:
-H "Content-Type: application/octet-stream" \
--retry 2 --retry-delay 2 --max-time 300 \
--upload-file "$file" "$url"
echo "Upload complete."
# Also upload the DuckDB shell binary
bin_path="./build/release/duckdb"
if [ ! -f "$bin_path" ]; then
echo "duckdb binary not found at $bin_path" >&2
exit 1
fi
bin_name="$(basename "$bin_path")"
bin_url="$server/api/packages/$owner/generic/$pkg/$version/$bin_name?replace=1"
echo "Uploading $bin_path to $bin_url"
curl -fS -L -X PUT \
-u "$auth_user:${GITEA_TOKEN}" \
-H "Content-Type: application/octet-stream" \
--retry 2 --retry-delay 2 --max-time 300 \
--upload-file "$bin_path" "$bin_url"
echo "DuckDB binary upload complete."
echo "Upload complete."

82
src/http_server.cpp
View File

@@ -22,76 +22,6 @@ namespace ui {
unique_ptr<HttpServer> HttpServer::server_instance;
// Helpers for validating request origin/referer in deployments where the UI is
// exposed on a non-localhost host (e.g., Docker, k8s, reverse proxies). These
// checks allow either the configured local_url, or the runtime host derived
// from the request headers. They also allow an escape hatch via the
// environment variable `ui_allow_any_origin=1|true`.
namespace {
// Returns true if the given referer begins with any of the expected base URLs.
static bool RefererStartsWithAny(const std::string &referer,
const std::vector<std::string> &bases) {
for (const auto &base : bases) {
if (!base.empty() && referer.compare(0, base.size(), base) == 0) {
return true;
}
}
return false;
}
static std::vector<std::string>
ExpectedBaseUrls(const httplib::Request &req, const std::string &local_url) {
// Prefer forwarded host if present, otherwise fall back to Host.
auto forwarded_host = req.get_header_value("X-Forwarded-Host");
auto host = forwarded_host.empty() ? req.get_header_value("Host")
: forwarded_host;
std::vector<std::string> bases;
bases.push_back(local_url);
if (!host.empty()) {
bases.push_back(StringUtil::Format("http://%s", host));
bases.push_back(StringUtil::Format("https://%s", host));
}
return bases;
}
static bool IsOriginAllowed(const httplib::Request &req,
const std::string &local_url) {
if (IsEnvEnabled("ui_allow_any_origin")) {
return true;
}
auto origin = req.get_header_value("Origin");
if (origin.empty()) {
return false;
}
auto bases = ExpectedBaseUrls(req, local_url);
for (const auto &base : bases) {
if (origin == base) {
return true;
}
}
return false;
}
static bool IsRefererAllowed(const httplib::Request &req,
const std::string &local_url) {
if (IsEnvEnabled("ui_allow_any_origin")) {
return true;
}
auto referer = req.get_header_value("Referer");
if (referer.empty()) {
return false;
}
return RefererStartsWithAny(referer, ExpectedBaseUrls(req, local_url));
}
} // namespace
HttpServer *HttpServer::GetInstance(ClientContext &context) {
if (server_instance) {
// We already have an instance, make sure we're running on the right DB
@@ -298,7 +228,8 @@ void HttpServer::HandleGetLocalToken(const httplib::Request &req,
httplib::Response &res) {
// GET requests don't include Origin, so use Referer instead.
// Referer includes the path, so only compare the start.
if (!IsRefererAllowed(req, local_url)) {
auto referer = req.get_header_value("Referer");
if (referer.compare(0, local_url.size(), local_url) != 0) {
res.status = 401;
return;
}
@@ -390,7 +321,8 @@ void HttpServer::HandleGet(const httplib::Request &req,
void HttpServer::HandleInterrupt(const httplib::Request &req,
httplib::Response &res) {
if (!IsOriginAllowed(req, local_url)) {
auto origin = req.get_header_value("Origin");
if (origin != local_url) {
res.status = 401;
return;
}
@@ -429,7 +361,8 @@ void HttpServer::HandleRun(const httplib::Request &req, httplib::Response &res,
void HttpServer::DoHandleRun(const httplib::Request &req,
httplib::Response &res,
const httplib::ContentReader &content_reader) {
if (!IsOriginAllowed(req, local_url)) {
auto origin = req.get_header_value("Origin");
if (origin != local_url) {
res.status = 401;
return;
}
@@ -692,7 +625,8 @@ void HttpServer::DoHandleRun(const httplib::Request &req,
void HttpServer::HandleTokenize(const httplib::Request &req,
httplib::Response &res,
const httplib::ContentReader &content_reader) {
if (!IsOriginAllowed(req, local_url)) {
auto origin = req.get_header_value("Origin");
if (origin != local_url) {
res.status = 401;
return;
}