From 65e4b70a3edae6383a43494b35f65b825b76896c Mon Sep 17 00:00:00 2001
From: Matej Focko
Date: Thu, 16 Jan 2025 16:26:15 +0100
Subject: [PATCH] fix(api): deny all API requests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seems to be a relation to the persistent connections of the HTTP/2 (initial connection with TLS handshake is done to the dashboard; SNI is ‹dashboard.packit.dev› and with the same SNI it makes a request to the Packit Service API, thus resulting in the request being routed to the dashboard rather than the production API itself, since the routing for TLS Passthrough connections is done based on the SNI). Therefore yield 421 for each such misdirected request to force the browser to open a new connection. Fixes packit/packit-service#2529
Signed-off-by: Matej Focko
---
packit_dashboard/api/routes.py | 26 ++++++++++++++++++++++++++
packit_dashboard/app.py | 2 ++
2 files changed, 28 insertions(+)
create mode 100644 packit_dashboard/api/routes.py
diff --git a/packit_dashboard/api/routes.py b/packit_dashboard/api/routes.py
new file mode 100644
index 00000000..1207d21f
--- /dev/null
+++ b/packit_dashboard/api/routes.py
@@ -0,0 +1,26 @@
+# Copyright Contributors to the Packit project.
+# SPDX-License-Identifier: MIT
+
+from logging import getLogger
+
+from flask import Blueprint
+from flask_cors import CORS
+
+
+logger = getLogger("packit_dashboard")
+api = Blueprint(
+ "api",
+ __name__,
+)
+CORS(api)
+
+
+@api.route("/api/", defaults={"path": ""})
+@api.route("/api/")
+def drop(path):
+ """
+ Return ‹421› for all misdirected requests that reused / used persistent
+ HTTP/2 connection with the wrong SNI and got routed via OpenShift to the
+ dashboard rather than the actual Packit Service API endpoint.
+ """
+ return ("", 421)
diff --git a/packit_dashboard/app.py b/packit_dashboard/app.py
index 0ff141a0..cbc558b3 100644
--- a/packit_dashboard/app.py
+++ b/packit_dashboard/app.py
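Review bot: Both `@api.route(...)` decorators on `drop` omit `methods=`, so Flask answers only GET (plus the implicit HEAD/OPTIONS); a misdirected POST, PUT, PATCH or DELETE under `/api/` would get 405 instead of 421 and presumably would not trigger the reconnect the commit message describes. Passing `methods=["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"]` to both decorators would cover them. As rendered on this page the second rule is also just `/api/` and never captures `path`; if that is what was committed rather than an extraction artefact, it needs to be `/api/<path:path>` for nested API paths to match. `logger` is created but never used, and `CORS(api)` applies flask-cors' permissive defaults to a response that carries no data, so it deserves a comment saying why it is needed, or removal.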
@@ -6,6 +6,7 @@ from flask import Flask from flask_talisman import Talisman +from packit_dashboard.api.routes import api from packit_dashboard.home.routes import home app = Flask( @@ -16,6 +17,7 @@ # Note: Declare any other flask blueprints or routes above this. # Routes declared below this will be rendered by React app.register_blueprint(home) +app.register_blueprint(api) # Enable CSP and HSTS
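Review bot: `app.register_blueprint(api)` in the second hunk is added below `app.register_blueprint(home)`, directly under the existing note that other blueprints or routes should be declared above that point and that routes declared below it are rendered by the React app. Werkzeug usually ranks a static `/api/` prefix ahead of a catch-all converter, so the 421 handler probably still wins, but the home blueprint's rules are not visible in this diff and the placement contradicts the file's own guidance. Moving the line above `app.register_blueprint(home)`, or updating the comment, would remove the ambiguity. A test asserting that a request under `/api/` returns 421 rather than the dashboard HTML would pin the behaviour.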