fix: 🐛 request.url getter fails when using IPv6 and HTTP2 [#4560]

[gsoldevila]

Summary

Fixes #4560

Problem

In HTTP2 the Host: header is no longer present. According to the spec:

In HTTP/2, the functionality of the HTTP/1.1 Host header is replaced by the :authority pseudo-header, which is a mandatory, colon-prefixed header that specifies the authority (host and port) of the target server. This change is part of HTTP/2's binary framing and header compression (HPACK), and any HTTP/2 request converted to HTTP/1.1 must create a Host header from the :authority pseudo-header.

• When building the request object and extracting its information (here), we rely solely on Host: header.
• Then, when starting Hapi in HTTP2 mode and performing a request, the Host: header is missing, so the request.url getter) uses the host:port from the _core.info.
• Now, if the server is configured with an IPv6 host (such as ::1), the getter ends up building an invalid URL, as the host name is not surrounded by square brackets. An IPv6 address like 2001:db8::1:8080 would be ambiguous, as 8080 could be interpreted as the last segment of the IP address rather than the port.

Solution

The PR updates the request logic in 2 places:

• First, we default to using :authority if Host header is NOT present.
• Then, if for any reason both headers are missing and we default to using the server info, we make the logic support the IPv6 scenario by wrapping the hostname (e.g. ::1) in square brackets [::1].

[gsoldevila]

Perhaps we could test if the req is an IPv6 request somehow, and choose Host or :authority accordingly. WDYT?

[damusix]

Yes, that would be great and expect if we want this included. I've done some light digging and come up with the following to help this along:

https://github.com/hapijs/hapi/blob/master/lib/core.js#L334 listens for whatever host / address you pass it, you can set it to loopback :: to bind to ipv6

Test it using builtins that only request IPv6

const http = require('http');

const options = {
    hostname: '::1', // The IPv6 loopback address of your local server
    port: 3000,
    path: '/',
    method: 'GET',
    family: 6 // Force IPv6
};

const req = http.request(options, (res) => {
    console.log(`STATUS: ${res.statusCode}`);
    res.setEncoding('utf8');
    res.on('data', (chunk) => {
        console.log(`BODY: ${chunk}`);
    });
});

req.on('error', (e) => {
    console.error(`problem with request: ${e.message}`);
});

req.end();

or alternatively, reuse some of the patterns in hapi tests: https://github.com/hapijs/hapi/blob/master/test/core.js#L925

The right place to add those tests would be https://github.com/hapijs/hapi/blob/master/test/core.js

Checkout some of the commentary around ipv6:

https://github.com/hapijs/hapi/blob/master/test/core.js#L102
https://github.com/hapijs/hapi/blob/master/test/core.js#L711

Seems like there's no explicit ipv6 tests, and they would need to be done only if the host machine has ipv6 enabled to prevent false positives.

Hope this helps!

@Marsup @kanongil anything to add or correct on the above?