Quasar: Run dev server on localhost exposes it globally

Created on 13 Feb 2020 · 7 Comments · Source: quasarframework/quasar

Describe the bug
Is it intended to expose dev server globally even if host is set localhost? See Additional context.

That is far from what I expect:

$ HOSTNAME=localhost npx quasar dev -H localhost
...
Project is running at http://0.0.0.0:8080/
...

Expected behavior
Project is running at http://localhost:8080/
or
Project is running at http://127.0.0.1:8080/

Additional context
I came to this while debugging: https://github.com/quasarframework/quasar/blob/master/app/bin/quasar-dev#L97

It was called from:
https://github.com/quasarframework/quasar/blob/dev/app/lib/quasar-config.js#L265

I also believe, localhost is more expected here:
https://github.com/quasarframework/quasar/blob/dev/app/lib/quasar-config.js#L241

bug

Most helpful comment

@Paradoxis Corrected and will be available in "@quasar/app" v1.6.1.

All 7 comments

Hi,

This is not a bug. This is how it's intended to be used; otherwise, e.g., it would make the phone/tablet + dev machine connection impossible. When it's localhost, it opens up the port on every network interface that you have because of the above mentioned.

I don't need a phone/tablet connection in common but I'm keen on not exposing my machine to a whole coworking network. Making it impossible to hide my DEV server doesn't seem to be healthy from the security perspective.

Instead of the current behavior, I propose to throw a warning about phone/tablet connection limitations if localhost is used.

That's a pretty confusing design decision and behavior.

A developer explicitly says they want to run a server on a localhost and gets it running on all interfaces. With no option to override this behavior whatsoever.

If you need such strong privacy then it's easy to do:

  • add a loopback address on your machine with an address in class 127.0.0.X (X > 1)
  • set the host in quasar.conf to that address

@pdanpdan thanks for the workaround! I will try it. I will have to try it 😅

I'm still concerned that quasar-config doesn't respect the value I pass and silently replaces it to the opposite.

At least you should update related docs to prevent people from spending time on debugging.

@rstoenescu I'm sorry but this line is just plain irresponsible:

if (host && ['localhost', '127.0.0.1', '::1'].includes(host.toLowerCase())) {
    host = '0.0.0.0'
}

My dev server proxies all requests to the dev backend which leaves a gaping security hole in my setup. This isn't a privacy thing as much as it is a security thing. Development servers are often very insecure with the ability to execute arbitrary code enabled via debuggers or badly written mid-development code. Hence why they should generally be set to localhost.

I understand that the application should be reachable by mobile devices, but at least set the default value of host to 0.0.0.0 and if users specify localhost, 127.0.0.1 or ::1 it should be exactly that, local, not global.
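Added example, not Quasar's own code: the quoted rewrite placed beside the resolution rule proposed above (wildcard only as a default for an unset host, an explicit loopback address kept verbatim), plus a small pre-start check that flags when the resolved address would listen on every interface. Function names and the `describeBinding` helper are assumptions for illustration.

```javascript
// Added example (not Quasar's code): resolving a dev-server host option so
// that an explicit loopback address stays loopback.
const LOOPBACK_HOSTS = ['localhost', '127.0.0.1', '::1']

// Behaviour quoted in the issue: an explicit loopback host is silently
// rewritten to the wildcard address, so the server listens on all interfaces.
function legacyResolveHost (host) {
  if (host && LOOPBACK_HOSTS.includes(host.toLowerCase())) {
    host = '0.0.0.0'
  }
  return host
}

// Proposed behaviour from the thread: 0.0.0.0 is only the *default* for an
// unset/empty host; whatever the developer passes explicitly is used as-is.
function resolveHost (host, defaultHost = '0.0.0.0') {
  if (host === undefined || host === null || String(host).trim() === '') {
    return defaultHost
  }
  return String(host).trim()
}

// True when the resolved host binds to every interface (IPv4 or IPv6
// wildcard), i.e. the dev server becomes reachable from the local network.
function bindsAllInterfaces (host) {
  return ['0.0.0.0', '::'].includes(host)
}

// Summarise what a given config value will actually do before listen() is
// called, so a warning can be logged when the server is network-exposed.
function describeBinding (host, port) {
  const resolved = resolveHost(host)
  const hostPart = resolved.includes(':') ? `[${resolved}]` : resolved // bracket IPv6
  return {
    host: resolved,
    url: `http://${hostPart}:${port}/`,
    exposedToNetwork: bindsAllInterfaces(resolved)
  }
}

// Stand-alone demonstration of both rules on constructed inputs.
for (const h of ['localhost', '127.0.0.1', '::1', undefined]) {
  const info = describeBinding(h, 8080)
  console.log(`config host=${String(h)} legacy=${legacyResolveHost(h)} ` +
    `proposed=${info.url} exposed=${info.exposedToNetwork}`)
}
```

Whatever the resolver returns, confirm the actual listening address from the OS rather than trusting the banner: `ss -ltnp` on Linux, or `lsof -nP -iTCP:8080 -sTCP:LISTEN` on macOS/Linux, shows whether the socket is bound to 127.0.0.1 or to 0.0.0.0/`*`.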

@Paradoxis Corrected and will be available in "@quasar/app" v1.6.1.
