Class: AtprotoAuth::HttpClient

Inherits:
Object
  • Object
Defined in:
lib/atproto_auth/http_client.rb

Overview

A secure HTTP client for making OAuth-related requests. Implements protections against SSRF attacks and enforces security headers.

Defined Under Namespace

Classes: HttpError, SSRFError

Constant Summary

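# Address ranges that requests must not target (SSRF denylist).
# The IPv6 unspecified and loopback addresses are listed alongside their
# IPv4 counterparts so that "::" and "::1" are rejected like 0.0.0.0/8
# and 127.0.0.0/8.
# NOTE(review): the code that matches addresses against this list is not
# visible in this listing; confirm it also normalises IPv4-mapped IPv6
# forms (::ffff:a.b.c.d) before comparing, because IPAddr#include? may not
# match an IPv4 range against an IPv6-family address.
FORBIDDEN_IP_RANGES = [
  IPAddr.new("0.0.0.0/8"),      # Current network
  IPAddr.new("10.0.0.0/8"),     # Private network
  IPAddr.new("127.0.0.0/8"),    # Loopback
  IPAddr.new("169.254.0.0/16"), # Link-local
  IPAddr.new("172.16.0.0/12"),  # Private network
  IPAddr.new("192.168.0.0/16"), # Private network
  IPAddr.new("::/128"),         # IPv6 unspecified address
  IPAddr.new("::1/128"),        # IPv6 loopback
  IPAddr.new("fc00::/7"),       # Unique local address
  IPAddr.new("fe80::/10")       # Link-local address
].freeze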
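# URL schemes accepted by the client; only "https" is listed.
# NOTE(review): the check that consults this list is not visible in this
# listing — presumably validate_uri!; confirm.
ALLOWED_SCHEMES = ["https"].freeze

# Default request timeout, in seconds.
DEFAULT_TIMEOUT = 10

# Upper bound on redirects (enforcement is not visible in this listing).
MAX_REDIRECTS = 5

# Response size limit: 10MB, expressed in bytes.
MAX_RESPONSE_SIZE = 10 * 1024 * 1024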
# Immutable value object (Data) with six members. The name suggests it
# bundles the state handed to redirect handling; the consumer is not
# visible in this listing.
RedirectHandlerOptions = Data.define(
  *%i[original_uri method response headers redirect_count body]
)

Instance Method Summary

Constructor Details

#initialize(timeout: DEFAULT_TIMEOUT, verify_ssl: true) ⇒ HttpClient

Returns a new instance of HttpClient.

Parameters:

  • timeout (Integer) (defaults to: DEFAULT_TIMEOUT)

    Request timeout in seconds

  • verify_ssl (Boolean) (defaults to: true)

    Whether to verify SSL certificates



# File 'lib/atproto_auth/http_client.rb', line 44

# Stores the request timeout and the certificate-verification flag on the
# new client.
#
# @param timeout [Integer] request timeout in seconds
# @param verify_ssl [Boolean] whether to verify SSL certificates
#   NOTE(review): how this flag is applied to the connection is not visible
#   in this listing; presumably passing false turns certificate checks off,
#   so the default of true should be kept outside local testing — confirm.
def initialize(timeout: DEFAULT_TIMEOUT, verify_ssl: true)
  @timeout, @verify_ssl = timeout, verify_ssl
end

Instance Method Details

#get(url, headers = {}) ⇒ Hash

Makes a secure HTTP GET request

Parameters:

  • url (String)

    URL to request

  • headers (Hash) (defaults to: {})

    Additional headers to send

Returns:

  • (Hash)

    Response with :status, :headers, and :body

Raises:



# File 'lib/atproto_auth/http_client.rb', line 55

# Performs a GET request after the URL and its host address pass validation.
#
# The URL goes through validate_uri! and validate_ip! before any request is
# sent, and the response goes through validate_response! before it is
# returned. Any error raised by those helpers propagates to the caller.
#
# NOTE(review): validation and the request are separate steps. If
# make_request resolves the hostname again, the address that was checked
# may differ from the one connected to — confirm the connection is pinned
# to the validated address.
#
# @param url [String] URL to request
# @param headers [Hash] additional headers to send
# @return [Hash] :status (Integer), :headers (Hash) and :body
def get(url, headers = {})
  target = validate_uri!(url)
  validate_ip!(target)

  reply = make_request(target, headers)
  validate_response!(reply)

  status_code = reply.code.to_i
  header_map = reply.each_header.to_h
  { status: status_code, headers: header_map, body: reply.body }
end

#post(url, body: nil, headers: {}) ⇒ Hash

Makes a secure HTTP POST request

Parameters:

  • url (String)

    URL to request

  • body (String) (defaults to: nil)

    Request body

  • headers (Hash) (defaults to: {})

    Additional headers to send

Returns:

  • (Hash)

    Response with :status, :headers, and :body

Raises:



# File 'lib/atproto_auth/http_client.rb', line 76

# Performs a POST request after the URL and its host address pass validation.
#
# Same sequence as the GET path: validate_uri!, validate_ip!, send the
# request, then validate_response!. Any error raised by those helpers
# propagates to the caller.
#
# NOTE(review): validation and the request are separate steps. If
# make_post_request resolves the hostname again, the address that was
# checked may differ from the one connected to — confirm the connection is
# pinned to the validated address.
#
# @param url [String] URL to request
# @param body [String, nil] request body
# @param headers [Hash] additional headers to send
# @return [Hash] :status (Integer), :headers (Hash) and :body
def post(url, body: nil, headers: {})
  target = validate_uri!(url).tap { |checked| validate_ip!(checked) }

  reply = make_post_request(target, body, headers)
  validate_response!(reply)

  { status: reply.code.to_i, headers: reply.each_header.to_h, body: reply.body }
end