Set remote authority on frontend (#25)

Trying to determine the remote authority on the backend is brittle
because it does not work behind reverse proxies unless they send the
right headers containing information about the proxied source.

We could require users add the relevant configuration or provide the
remote authority via a flag but neither are user-friendly options.

We can make it work out of the box by changing the frontend to make
requests to its current address (which is what we try to set the remote
authority to anyway).  This actually already happens for the most part
except in some UI and logs although recent issues suggest there might be
other problems which should be entirely resolved by setting this on the
frontend.

In other words, the remote authority we set on the backend should never
be used so we set it to something invalid to ensure we notice (the
alternative is to rip it out but that is probably a bigger patch thus
generating more conflicts).

One scenario where we might want to set the remote authority from the
backend is if the frontend is served from a different location than the
backend but that is not supported behavior at the moment.  Even if we
did support this we still cannot determine the authority from the
backend (even for non-proxy scenarios in this case) and would need to
add a flag for it so this change would still be necessary.

coder/code-server#4604
coder/code-server#4607
coder/code-server#4608

Author: code-asher

package.json

@@ -65,7 +65,6 @@
     "@vscode/vscode-languagedetection": "1.0.21",
     "applicationinsights": "1.0.8",
     "cookie": "^0.4.1",
-    "forwarded-parse": "^2.1.2",
     "graceful-fs": "4.2.8",
     "http-proxy-agent": "^2.1.0",
     "https-proxy-agent": "^2.2.3",

src/vs/code/browser/workbench/workbench.ts

@@ -559,6 +559,12 @@ class WindowIndicator implements IWindowIndicator {
 	// Finally create workbench
 	create(document.body, {
 		...config,
+		/**
+		 * Ensure the remote authority points to the current address since we cannot
+		 * determine this reliably on the backend.
+		 * @author coder
+		 */
+		remoteAuthority: location.host,
 		/**
 		 * Override relative URLs in the product configuration against the window
 		 * location as necessary. Only paths that must be absolute need to be

src/vs/server/webClientServer.ts

@@ -9,7 +9,6 @@ import * as url from 'url';
 import * as util from 'util';
 import * as cookie from 'cookie';
 import * as crypto from 'crypto';
-import parseForwardHeader = require('forwarded-parse');
 import { isEqualOrParent, sanitizeFilePath } from 'vs/base/common/extpath';
 import { getMediaMime } from 'vs/base/common/mime';
 import { isLinux } from 'vs/base/common/platform';
@@ -27,7 +26,6 @@ import type { IWorkbenchConstructionOptions } from 'vs/workbench/workbench.web.a
 import { editorBackground, editorForeground } from 'vs/platform/theme/common/colorRegistry';
 import { ClientTheme, getOriginalUrl, HTTPNotFoundError, relativePath, relativeRoot, WebManifest } from 'vs/server/common/net';
 import { IServerThemeService } from 'vs/server/serverThemeService';
-import { isFalsyOrWhitespace } from 'vs/base/common/strings';
 
 const textMimeType = {
 	'.html': 'text/html',
@@ -167,29 +165,6 @@ export class WebClientServer {
 
 	private _iconSizes = [192, 512];
 
-	private getRemoteAuthority(req: http.IncomingMessage): URL {
-		if (req.headers.forwarded) {
-			const [parsedHeader] = parseForwardHeader(req.headers.forwarded);
-			return new URL(`${parsedHeader.proto}://${parsedHeader.host}`);
-		}
-
-		/* Return first non-empty header. */
-		const parseHeaders = (headerNames: string[]): string | undefined => {
-			for (const headerName of headerNames) {
-				const header = req.headers[headerName]?.toString();
-				if (!isFalsyOrWhitespace(header)) {
-					return header;
-				}
-			}
-			return undefined;
-		};
-
-		const proto = parseHeaders(['X-Forwarded-Proto']) || 'http';
-		const host = parseHeaders(['X-Forwarded-Host', 'host']) || 'localhost';
-
-		return new URL(`${proto}://${host}`);
-	}
-
 	/**
 	 * PWA manifest file. This informs the browser that the app may be installed.
 	 */
@@ -292,9 +267,15 @@ export class WebClientServer {
 		// 	return this.serveError(req, res, 403, `Forbidden.`, parsedUrl);
 		// }
 
-		const remoteAuthority = this.getRemoteAuthority(req);
-
-		const transformer = createRemoteURITransformer(remoteAuthority.host);
+		/**
+		 * It is not possible to reliably detect the remote authority on the server
+		 * in all cases.  Set this to something invalid to make sure we catch code
+		 * that is using this when it should not.
+		 *
+		 * @author coder
+		 */
+		const remoteAuthority = 'remote';
+		const transformer = createRemoteURITransformer(remoteAuthority);
 		const { workspacePath, isFolder } = await this._getWorkspaceFromCLI();
 
 		function escapeAttribute(value: string): string {
@@ -343,8 +324,7 @@ export class WebClientServer {
 				},
 				folderUri: (workspacePath && isFolder) ? transformer.transformOutgoing(URI.file(workspacePath)) : undefined,
 				workspaceUri: (workspacePath && !isFolder) ? transformer.transformOutgoing(URI.file(workspacePath)) : undefined,
-				// Add port to prevent client-side mismatch for reverse proxies.
-				remoteAuthority: `${remoteAuthority.hostname}:${remoteAuthority.port || (remoteAuthority.protocol === 'https:' ? '443' : '80')}`,
+				remoteAuthority,
 				_wrapWebWorkerExtHostInIframe,
 				developmentOptions: {
 					enableSmokeTestDriver: this._environmentService.driverHandle === 'web' ? true : undefined,

yarn.lock

@@ -4348,11 +4348,6 @@ form-data@~2.3.2:
     combined-stream "^1.0.6"
     mime-types "^2.1.12"
 
-forwarded-parse@^2.1.2:
-  version "2.1.2"
-  resolved "https://registry.yarnpkg.com/forwarded-parse/-/forwarded-parse-2.1.2.tgz#08511eddaaa2ddfd56ba11138eee7df117a09325"
-  integrity sha512-alTFZZQDKMporBH77856pXgzhEzaUVmLCDk+egLgIgHst3Tpndzz8MnKe+GzRJRfvVdn69HhpW7cmXzvtLvJAw==
-
 fragment-cache@^0.2.1:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/fragment-cache/-/fragment-cache-0.2.1.tgz#4290fad27f13e89be7f33799c6bc5a0abfff0d19"