Allow whitelisted HTTP headers to pass through to shiny apps

config/shiny-server-rules.config

@@ -216,3 +216,10 @@ sanitize_errors {
   at $ server location;
   maxcount 1;
 }
+
+whitelist_headers {
+  desc "Allow specific headers to pass through to the shiny apps, useful to detect browser attributes or get specific information from a proxy.";
+  param String names... "The headers to let through. Examples are: referer, user-agent, x-my-special-header";
+  at $ server location;
+  maxcount 1;
+}

config/whitelist_headers.config

@@ -0,0 +1,14 @@
+# Instruct Shiny Server to run applications as the user "shiny"
+run_as shiny;
+
+# Define a server that listens on port 3838
+server {
+  listen 3838;
+
+  # Define a location at the base URL
+  location / {
+
+    # Allow referer and user-agent to pass through from the original request to the shiny app
+    whitelist_headers referer user-agent;
+  }
+}

lib/proxy/http.js

@@ -120,14 +120,16 @@ function ShinyProxy(router, schedulerRegistry) {
         req.url = '/' + req.url;
       // TODO: Also strip path members
 
+
+      var headers = _.pick(req.headers, appSpec.settings.appDefaults.whitelistedHeaders);
       //TODO: clean this up. This should be a part of the promise chain, but
       // when returning an error, it would just crash as an unhandled excptn
       // and never make it into the .fail().
       var wrk;
       try{
         // Extract the non-param portion of the URL
-        wrk = schedulerRegistry.getWorker_p(appSpec, req.url.match(/([^\?]+)(\?.*)?/)[1], 
-        worker)
+        wrk = schedulerRegistry.getWorker_p(appSpec, req.url.match(/([^\?]+)(\?.*)?/)[1],
+        worker, headers)
       }
       catch(err){
         if (err instanceof OutOfCapacityError){

lib/proxy/sockjs.js

@@ -149,7 +149,7 @@ function createServer(router, schedulerRegistry) {
       }
 
       pathInfo = pathInfo.replace(/\/__sockjs__\/.*/, "/websocket/");
-      wsClient = appWorkerHandle.endpoint.createWebSocketClient(pathInfo);
+      wsClient = appWorkerHandle.endpoint.createWebSocketClient(pathInfo, appWorkerHandle.headers);
 
       wsClient.onopen = function(event) {
         conn.removeListener('data', connDataHandler);

lib/router/config-router-util.js

@@ -52,6 +52,7 @@ function parseApplication(settings, locNode, provideDefaults){
     appSettings.sanitizeErrors = true;
     appSettings.disableProtocols = [];
     appSettings.bookmarkStateDir = '/var/lib/shiny-server/bookmarks';
+    appSettings.whitelistedHeaders = [];
   }
 
   if (locNode.getValues('app_idle_timeout') &&
@@ -89,6 +90,12 @@ function parseApplication(settings, locNode, provideDefaults){
       }
     });
   }
+
+  var whitelistHeadersNode = locNode.getOne('whitelist_headers', true);
+  if (whitelistHeadersNode && whitelistHeadersNode.values.names) {
+    appSettings.whitelistedHeaders = whitelistHeadersNode.values.names;
+  }
+
   if (locNode.getValues('disable_websockets').val){
     appSettings.disableProtocols.push('websocket');
   }

lib/scheduler/scheduler-registry.js

@@ -63,7 +63,7 @@ module.exports = SchedulerRegistry;
    *   targetting. If left blank, an arbitrary worker will be selected. Ignored
    *   when using the SimpleScheduler.
    */
-  this.getWorker_p = function(appSpec, url, worker) {
+  this.getWorker_p = function(appSpec, url, worker, headers) {
     var key = appSpec.getKey();
     if (!this.$schedulers[key]){
       //no scheduler, instantiate a simple scheduler
@@ -72,9 +72,9 @@ module.exports = SchedulerRegistry;
       if (this.$transport){
         this.$schedulers[key].setTransport(this.$transport);
       }
-    }  
-    
-    return this.$schedulers[key].acquireWorker_p(appSpec, url, worker); 
+    }
+
+    return this.$schedulers[key].acquireWorker_p(appSpec, url, worker, headers);
   };
 
   this.shutdown = function() {

lib/scheduler/scheduler.js

@@ -221,7 +221,7 @@ function connectEndpoint_p(endpoint, timeout, shouldContinue) {
       return workerPromise.then(function(appWorker) {
         var appWorkerHandle = new AppWorkerHandle(appSpec, endpoint,
           logFilePath, exitPromise,
-          _.bind(appWorker.kill, appWorker));
+          _.bind(appWorker.kill, appWorker), workerData.headers);
 
 
         var initTimeout = 60 * 1000;

lib/scheduler/simple-scheduler.js

@@ -31,7 +31,7 @@ util.inherits(SimpleScheduler, Scheduler);
 	 * Defines how this schedule will identify and select an R process to 
 	 * fulfill its requests.
 	 */
-	this.acquireWorker_p = function(appSpec, url){
+	this.acquireWorker_p = function(appSpec, url, worker, headers){
 	    if (this.$workers && _.size(this.$workers) > 0) {
 	      logger.trace('Reusing existing instance');
 
@@ -65,7 +65,7 @@ util.inherits(SimpleScheduler, Scheduler);
 	    }
 
 	    logger.trace('Spawning new instance');
-	    return this.spawnWorker_p(appSpec);
+	    return this.spawnWorker_p(appSpec, {headers: headers});
 	};
 
 }).call(SimpleScheduler.prototype);

lib/worker/app-worker-handle.js

@@ -14,14 +14,15 @@ var events = require('events');
 var util = require('util');
 
 var AppWorkerHandle = function(appSpec, endpoint, logFilePath,
-    exitPromise, kill) {
+    exitPromise, kill, headers) {
 
   events.EventEmitter.call(this);
   this.appSpec = appSpec;
   this.endpoint = endpoint;
   this.logFilePath = logFilePath;
   this.exitPromise = exitPromise;
   this.kill = kill;
+  this.headers = headers;
 };
 module.exports = AppWorkerHandle;
 

package.json

@@ -43,5 +43,8 @@
   "license": "AGPL-3.0",
   "engines": {
     "node": ">=6.6.0"
+  },
+  "devDependencies": {
+    "escape-html": "^1.0.3"
   }
 }

samples/sample-apps/headers/server.R

@@ -0,0 +1,19 @@
+library(shiny)
+
+shinyServer(function(input, output, session) {
+
+  output$summary <- renderText({
+    ls(env=session$request)
+  })
+
+  output$headers <- renderUI({
+    selectInput("header", "Header:", ls(env=session$request))
+  })
+
+  output$value <- renderText({
+    if (nchar(input$header) < 1 || !exists(input$header, envir=session$request)){
+      return("NULL");
+    }
+    return (get(input$header, envir=session$request));
+  })
+})

samples/sample-apps/headers/ui.R

@@ -0,0 +1,12 @@
+shinyUI(pageWithSidebar(
+  headerPanel("Shiny Client Data"),
+  sidebarPanel(
+    uiOutput("headers")
+  ),
+  mainPanel(
+    h3("Headers passed into Shiny"),
+    verbatimTextOutput("summary"),
+    h3("Value of specified header"),
+    verbatimTextOutput("value")
+  )
+))

tools/makedocs.js

@@ -17,13 +17,13 @@
  * This script is for generating config.html. It is designed to run under
  * node-supervisor (https://github.com/isaacs/node-supervisor).
  *
- *   supervisor -n exit --extensions 'js|html' lib/makedocs.js
+ *   supervisor -n exit --extensions 'js|html' tools/makedocs.js
  */
 
 var fs = require('fs');
 var path = require('path');
 var util = require('util');
-var htmlEscape = require('connect/lib/utils').escape;
+var htmlEscape = require('escape-html');
 var Handlebars = require('handlebars');
 var _ = require('underscore');
 var map = require('../lib/core/map');