Enabling HSTS does crash the Admin as it fetches docs over http

[rvanlaak]

API Platform version(s) affected: 4.1.0

Description

On Cloudflare we enabled HSTS to have strict https everywhere. The React Admin does fetch the docs.jsonld from http though. This results in a mixed-protocol exception.

How to reproduce

Only the Caddyfile seems to point to docs.jsonld by including that as header. The file is untouched since we started the project:

https://github.com/api-platform/api-platform/blob/main/api/frankenphp/Caddyfile#L42

Possible Solution

Not sure where the fetch gets initiated, but maybe not include the protocol so that gets determined by the initiator?

- http://foo.bar.com/docs.jsonld
+ //foo.bar.com/docs.jsonld

Does the docs url gets parsed client side or server side (read: next / node)?

Additional Context

• On localhost we have https as well, but cannot reproduce this as the docs.jsonld is properly fetched over https over there.
• On production I can narrow it down to the parseHydraDocumentation.ts file

[slax57]

Might be a dumb question, but what did you set as entrypoint for your <HydraAdmin> or <OpenApiAdmin>? 🤔

[rvanlaak]

Investigation update; although Caddy properly returns the headers as following in the originating request (as can be inspected in the network tab):

</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"

... the Headers interface, even when the initiating request was over https, will return the full url with the http protocol. So it seems that the response object creation to the initial app Entrypoint is related.

[rvanlaak]

Some more investigation; this could also be related to the ABS_URL reference type, as APIP itself also returns a Link to the documentation: https://github.com/api-platform/core/blob/main/src/Hydra/State/HydraLinkProcessor.php#L48

As documented on the LinkInterface, having an absolute URL is not a requirement:

A relative URI, as defined by RFC 5988. The base of the relative link is assumed to be known based on context by the client.

The assumption I'm testing is that this is related to proxying / the application being behind a load balancer on k8s.

As Caddy serves a relative docs url, the absolute url could potentially lead to loading two requests; one to http and one to https.

I'd recommend making the generated documentation URI relative on the HydraLinkProcessor as well. Let me know if you'd like a PR for that.

Locally trying to confirm whether making the docs link relative results in the following exception though:

[slax57]

This goes beyond the scope of the Admin (which I'm mainly relevant at).
@alanpoulain @soyuka any insight?

[rvanlaak]

@slax57 it actually mostly isn't out of scope of Admin, as the docs link now is relative and is working and resolving correctly (PR incoming), but Admin does for some reason tries to load Entrypoint as a class from the API documentation (reproduction scenario incoming)?

[rvanlaak]

@slax57 PR for core api-platform/core#7236