Tags: fastapi, nginx-reverse-proxy, uvicorn

FastAPI POST is insecure with docker and NPM


I know there are many posts around this topic; however, I'm facing an issue when using FastAPI in a Docker container with Nginx Proxy Manager (NPM) in front of it.

The application has many POSTs; however, there is a particular one where, on POSTing, I get redirected to http and get the following error from Edge:

The information you’re about to submit is not secure. Because this form is being submitted using a connection that’s not secure, your information will be visible to others.

My dockerfile CMD is:

CMD ["uvicorn", "app.main:app", "--proxy-headers", "--host", "0.0.0.0", "--port", "80"]

The route and function are:

from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
from fastapi.responses import RedirectResponse
from sqlalchemy.orm import Session  # assumed: the Session type used with get_db

# get_current_user, get_db and the Records model are defined elsewhere in the app
router = APIRouter(prefix="/records")

@router.post("/")
async def create_record(request: Request, user: dict = Depends(get_current_user),
                        name: str = Form(...), description: str = Form(...),
                        db: Session = Depends(get_db)):

    # Reject unauthenticated callers before touching the database
    if user is None:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)

    record_model = Records()
    record_model.name = name
    record_model.description = description

    db.add(record_model)
    db.commit()

    # Post/redirect/get: send the browser back to the listing page
    return RedirectResponse(url="/records", status_code=status.HTTP_302_FOUND)

Here is the form:

 <form action="/records" method="POST">
    <div class="modal-body">
        <div class="mb-3">
            <label class="form-label">Name</label>
            <input type="text" class="form-control" name="name" placeholder="Your record name">
        </div>
        <div class="mb-3">
            <label class="form-label">Description</label>
            <input type="text" class="form-control" name="description" placeholder="Your record description">
        </div>
    </div>
    <div class="modal-footer">
          <a href="#" class="btn btn-link link-secondary" data-bs-dismiss="modal">
            Cancel
          </a>
          <button type="submit" class="btn btn-primary ms-auto" data-bs-dismiss="modal">
            Create new Record
          </button>
    </div>

</form>

Attached are the NPM screenshots (images not reproduced here).

As mentioned, what doesn't make sense is that I can log in (which is a POST) and I can do other POSTs for other functions.

The only thing I can think of is the fact that I'm using the form in a modal?


Solution

  • Ok. So I figured it out. It only took me staying up till 3AM to solve it. When I initially looked at the logs, the 307 temporary redirect did not stand out. However, if you send a POST and see a 307 redirect, then the problem is with the route or with where you are posting the form.

    In the question I have a

    router = APIRouter(prefix="/records")
    

    Then a route for the POST like this:

    @router.post("/")
    

    In the html form section I have

    <form method="POST" action="/records">
    

    Either the form should POST to /records/, or the routes should not have the prefix and then have a route of @router.post("/").

    I have only tested removing the route prefix, but I'll most likely see if posting to /records/ does the trick and makes life a little easier.