fix(api): deny all API requests

There seems to be a relation to the persistent connections of the HTTP/2
(initial connection with TLS handshake is done to the dashboard; SNI is
‹dashboard.packit.dev› and with the same SNI it makes a request to the
Packit Service API, thus resulting in the request being routed to the
dashboard rather than the production API itself, since the routing for
TLS Passthrough connections is done based on the SNI).

Therefore yield 421 for each such misdirected request to force the
browser to open a new connection.

Fixes packit/packit-service#2529

Signed-off-by: Matej Focko <mfocko@redhat.com>

Author: mfocko

packit_dashboard/api/routes.py

@@ -0,0 +1,26 @@
+# Copyright Contributors to the Packit project.
+# SPDX-License-Identifier: MIT
+
+from logging import getLogger
+
+from flask import Blueprint
+from flask_cors import CORS
+
+
+logger = getLogger("packit_dashboard")
+api = Blueprint(
+    "api",
+    __name__,
+)
+CORS(api)
+
+
+@api.route("/api/", defaults={"path": ""})
+@api.route("/api/<path:path>")
+def drop(path):
+    """
+    Return ‹421› for all misdirected requests that reused / used persistent
+    HTTP/2 connection with the wrong SNI and got routed via OpenShift to the
+    dashboard rather than the actual Packit Service API endpoint.
+    """
+    return ("", 421)

packit_dashboard/app.py

@@ -6,6 +6,7 @@
 from flask import Flask
 from flask_talisman import Talisman
 
+from packit_dashboard.api.routes import api
 from packit_dashboard.home.routes import home
 
 app = Flask(
@@ -16,6 +17,7 @@
 # Note: Declare any other flask blueprints or routes above this.
 # Routes declared below this will be rendered by React
 app.register_blueprint(home)
+app.register_blueprint(api)
 
 
 # Enable CSP and HSTS