Lock down IPFS dsms-node: close external port 5001 and add auth to dsms-gateway #26

Open
opened 2026-04-20 09:37:51 +00:00 by sharang · 0 comments
Problem

docker-compose.yml publishes the IPFS Kubo RPC API (port 5001) on the host. The Kubo RPC API has no authentication by default, so anyone who can reach the port can add, pin and read blocks, change the node configuration, and shut the daemon down. The dsms-gateway (port 8082) also performs no JWT validation on its HTTP endpoints, so every route is reachable anonymously.

Required Actions

  1. Remove the 5001:5001 port mapping from dsms-node in docker-compose.yml. Removing the mapping is what stops host exposure; afterwards the API is reachable only from containers on the same Docker network, not from outside.
  2. Restrict the API listen address in the Kubo config (Addresses.API, e.g. ipfs config Addresses.API /ip4/127.0.0.1/tcp/5001; this is a config key, not a daemon flag). Note that inside a container 127.0.0.1 is the container's own loopback, so this also blocks dsms-gateway if it calls the API over the Docker network; in that case keep the container-network listen address and rely on step 1 as the control.
  3. Add JWT middleware to the dsms-gateway Node.js service: require Authorization: Bearer <token> on all routes, verify the signature with a pinned algorithm (reject alg "none"), and check exp (plus iss/aud if the tokens carry them). Reject missing, malformed, expired or badly signed tokens with 401 before any route handler runs.
  4. Verify that Swarm port 4001 (TCP and UDP) is intentionally public (needed for IPFS peering). If not, close it too.

Acceptance Criteria

  • curl http://<host>:5001/api/v0/id from a machine outside the Docker host returns connection refused (nothing listening on the host port)
  • dsms-gateway returns 401 for requests with no Authorization header, a malformed header, an expired token, or a token signed with the wrong key
  • IPFS swarm peer connections still work, e.g. ipfs swarm peers inside dsms-node is non-empty (4001 can remain open if needed)
sharang added this to the M5: Frontend Hardening milestone 2026-04-20 09:37:51 +00:00
sharang added the security, severity: medium labels 2026-04-20 09:37:52 +00:00