gotrue icon indicating copy to clipboard operation
gotrue copied to clipboard
verified publisher icon netlify

Mailer templates cannot be fetched from private IPs

Open edwardcwang opened this issue 3 years ago • 0 comments

- Do you want to request a feature or report a bug? Bug

- What is the current behavior? Mailer template URLs such as the one in GOTRUE_MAILER_TEMPLATES_CONFIRMATION or GOTRUE_MAILER_TEMPLATES_RECOVERY cannot be fetched from private URLs.

- If the current behavior is a bug, please provide the steps to reproduce.

  1. Spin up GoTrue in a docker-compose environment and point mailer template URLs e.g. GOTRUE_MAILER_TEMPLATES_RECOVERY at another container.
  2. Attempt to initiate e.g. a password recovery e-mail.
  3. Template not fetched and used; default template loaded instead. Error messages in console:
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"","remote_addr":"172.19.0.4:47086","timestamp":"2022-08-04T17:45:35Z"}
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
time="2022-08-04T17:45:35Z" level=error msg="Cancelled attempted request to ip in private range" transport=local_blocker
2022/08/04 17:45:35 Error loading template from http://anothercontainer:8080/recovery.txt: Get "http://anothercontainer:8080/recovery.txt": context canceled

- What is the expected behavior? Mailer templates should be able to be fetched from private IPs, particularly in a Docker setting. Or at least provide the option to whitelist certain IP ranges.

- Please mention your Go version, and operating system version.

https://hub.docker.com/layers/gotrue/supabase/gotrue/v2.10.3/images/sha256-fdb56c9d06f84cf7a61186927b8f2501bd39a671b90fae99277682cc867af9cb?context=explore

edwardcwang avatar Aug 04 '22 17:08 edwardcwang