Security News
Research
Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
A client library for the IPFS HTTP API, implemented in JavaScript. This client library implements the interface-ipfs-core enabling applications to change between a embebed js-ipfs node and any remote IPFS node without having to change the code. In addition, this client library implements a set of utility functions.
This module uses node.js, and can be installed through npm:
> npm install --save ipfs-api
Note: ipfs-api requires Node.js v6 (LTS) or higher.
To interact with the API, you need to have a local daemon running. It needs to be open on the right port. 5001
is the default, and is used in the examples below, but it can be set to whatever you need.
# Show the ipfs config API port to check it is correct
> ipfs config Addresses.API
/ip4/127.0.0.1/tcp/5001
# Set it if it does not match the above output
> ipfs config Addresses.API /ip4/127.0.0.1/tcp/5001
# Restart the daemon after changing the config
# Run the daemon
> ipfs daemon
var ipfsAPI = require('ipfs-api')
// connect to ipfs daemon API server
var ipfs = ipfsAPI('localhost', '5001', {protocol: 'http'}) // leaving out the arguments will default to these values
// or connect with multiaddr
var ipfs = ipfsAPI('/ip4/127.0.0.1/tcp/5001')
// or using options
var ipfs = ipfsAPI({host: 'localhost', port: '5001', protocol: 'http'})
const bitswap = require('ipfs-api/src/bitswap')('/ip4/127.0.0.1/tcp/5001')
bitswap.unwant(key, (err) => {
// ...
}
Same as in Node.js, you just have to browserify the code before serving it. See the browserify repo for how to do that.
See the example in the examples folder to get a boilerplate.
See the example in the examples folder to get an idea on how to use js-ipfs-api with webpack
Instead of a local installation (and browserification) you may request a remote copy of IPFS API from unpkg CDN.
To always request the latest version, use the following:
<script src="https://unpkg.com/ipfs-api/dist/index.js"></script>
For maximum security you may also decide to:
reference a specific version of IPFS API (to prevent unexpected breaking changes when a newer latest version is published)
generate a SRI hash of that version and use it to ensure integrity
set the CORS settings attribute to make anonymous requests to CDN
Example:
<script src="https://unpkg.com/ipfs-api@9.0.0/dist/index.js"
integrity="sha384-5bXRcW9kyxxnSMbOoHzraqa7Z0PQWIao+cgeg327zit1hz5LZCEbIMx/LWKPReuB"
crossorigin="anonymous"></script>
CDN-based IPFS API provides the IpfsApi
constructor as a method of the global window
object. Example:
var ipfs = window.IpfsApi('localhost', '5001')
If you omit the host and port, the API will parse window.host
, and use this information. This also works, and can be useful if you want to write apps that can be run from multiple different gateways:
var ipfs = window.IpfsApi()
In a web browser IPFS API (either browserified or CDN-based) might encounter an error saying that the origin is not allowed. This would be a CORS ("Cross Origin Resource Sharing") failure: IPFS servers are designed to reject requests from unknown domains by default. You can whitelist the domain that you are calling from by changing your ipfs config like this:
$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin "[\"http://example.com\"]"
$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Credentials "[\"true\"]"
$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods "[\"PUT\", \"POST\", \"GET\"]"
js-ipfs-api
follows the spec defined byinterface-ipfs-core
, which concerns the interface to expect from IPFS implementations. This interface is a currently active endeavor. You can use it today to consult the methods available.
Files
ipfs.files.add(data, [options], [callback])
. Alias to ipfs.add
.ipfs.files.addReadableStream([options])
ipfs.files.addPullStream([options])
ipfs.files.cat(ipfsPath, [options], [callback])
. Alias to ipfs.cat
.ipfs.files.catReadableStream(ipfsPath, [options])
ipfs.files.catPullStream(ipfsPath, [options])
ipfs.files.get(ipfsPath, [options], [callback])
. Alias to ipfs.get
.ipfs.files.getReadableStream(ipfsPath, [options])
ipfs.files.getPullStream(ipfsPath, [options])
ipfs.ls(ipfsPath, [callback])
ipfs.files.cp([from, to], [callback])
ipfs.files.mkdir(path, [options, callback])
ipfs.files.stat(path, [options, callback])
ipfs.files.rm(path, [options, callback])
ipfs.files.read(path, [options, callback])
ipfs.files.write(path, content, [options, callback])
ipfs.files.mv([from, to], [callback])
ipfs.files.ls([path, options, callback])
ipfs.files.flush([path, callback])
Graph
ipfs.object.new([template][, callback])
ipfs.object.put(obj, [options, callback])
ipfs.object.get(multihash, [options, callback])
ipfs.object.data(multihash, [options, callback])
ipfs.object.links(multihash, [options, callback])
ipfs.object.stat(multihash, [options, callback])
ipfs.object.patch.addLink(multihash, DAGLink, [options, callback])
ipfs.object.patch.rmLink(multihash, DAGLink, [options, callback])
ipfs.object.patch.appendData(multihash, data, [options, callback])
ipfs.object.patch.setData(multihash, data, [options, callback])
Network
ipfs.bootstrap.list
ipfs.bootstrap.add
ipfs.bootstrap.rm
ipfs.bitswap.wantlist()
ipfs.bitswap.stat()
ipfs.bitswap.unwant()
Node Management
ipfs.id([callback])
ipfs.version([callback])
ipfs.ping(id, [options, callback])
ipfs.pingPullStream(id, [options])
ipfs.pingReadableStream(id, [options])
ipfs.dns(domain, [callback])
ipfs.stop([callback])
. Alias to ipfs.shutdown
.log
ipfs.log.ls([callback])
ipfs.log.tail([callback])
ipfs.log.level(subsystem, level, [options, callback])
Pubsub Caveat
Currently, the PubSub API only works in Node.js envinroment
We currently don't support pubsub when run in the browser, and we test it with separate set of tests to make sure if it's being used in the browser, pubsub errors.
More info: https://github.com/ipfs/js-ipfs-api/issues/518
This means:
Domain data types
A set of data types are exposed directly from the IPFS instance under ipfs.types
. That way you're not required to import/require the following.
ipfs.types.Buffer
ipfs.types.PeerId
ipfs.types.PeerInfo
ipfs.types.multiaddr
ipfs.types.multibase
ipfs.types.multihash
ipfs.types.CID
ipfs.types.dagPB
ipfs.types.dagCBOR
Utility functions
Adding to the methods defined by interface-ipfs-core
, js-ipfs-api
exposes a set of extra utility methods. These utility functions are scoped behind the ipfs.util
.
Complete documentation for these methods is coming with: https://github.com/ipfs/js-ipfs-api/pull/305
ipfs.util.addFromFs(path, option, callback)
Reads a file or folder from path
on the filesystem and adds it to IPFS. Options:
path
is a directory, use option { recursive: true }
to add the directory and all its sub-directories.
{ ignore: ['ignore/this/folder/**', 'and/this/file'] }
..
, for example, .git/
) are not included by default. To add them, use the option { hidden: true }
.ipfs.util.addFromFs('path/to/a/folder', { recursive: true , ignore: ['subfolder/to/ignore/**']}, (err, result) => {
if (err) { throw err }
console.log(result)
})
result
is an array of objects describing the files that were added, such as:
[
{
path: 'test-folder',
hash: 'QmRNjDeKStKGTQXnJ2NFqeQ9oW23WcpbmvCVrpDHgDg3T6',
size: 2278
},
// ...
]
ipfs.util.addFromURL(url, callback)
ipfs.util.addFromURL('http://example.com/', (err, result) => {
if (err) {
throw err
}
console.log(result)
})
ipfs.util.addFromStream(stream, callback)
This is very similar to ipfs.files.add({path:'', content: stream})
. It is like the reverse of cat
ipfs.util.addFromStream(<readable-stream>, (err, result) => {
if (err) {
throw err
}
console.log(result)
})
ipfs.util.getEndpointConfig()
This returns an object containing the host
and the port
ipfs.util.crypto
This contains an object with the crypto primitives
ipfs.util.isIPFS
This contains an object with the is-ipfs utilities to help identifying IPFS resources
If you do not pass in a callback all API functions will return a Promise
. For example:
ipfs.id()
.then((id) => {
console.log('my id is: ', id)
})
.catch((err) => {
console.log('Fail: ', err)
})
This relies on a global Promise
object. If you are in an environment where that is not yet available you need to bring your own polyfill.
We run tests by executing npm test
in a terminal window. This will run both Node.js and Browser tests, both in Chrome and PhantomJS. To ensure that the module conforms with the interface-ipfs-core
spec, we run the batch of tests provided by the interface module, which can be found here.
The js-ipfs-api is a work in progress. As such, there's a few things you can do right now to help out:
interface-ipfs-core
.Want to hack on IPFS?
This module started as a direct mapping from the go-ipfs cli to a JavaScript implementation, although this was useful and familiar to a lot of developers that were coming to IPFS for the first time, it also created some confusion on how to operate the core of IPFS and have access to the full capacity of the protocol. After much consideration, we decided to create interface-ipfs-core
with the goal of standardizing the interface of a core implementation of IPFS, and keep the utility functions the IPFS community learned to use and love, such as reading files from disk and storing them directly to IPFS.
20.2.1 (2018-05-06)
<a name="20.2.0"></a>
FAQs
A client library for the IPFS HTTP API
The npm package ipfs-api receives a total of 3,339 weekly downloads. As such, ipfs-api popularity was classified as popular.
We found that ipfs-api demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.
Security News
Sonar’s acquisition of Tidelift highlights a growing industry shift toward sustainable open source funding, addressing maintainer burnout and critical software dependencies.