Web proxy to work around the lack of CORS headers for nightly wheels uploaded to the Anaconda.org index

[agriyakhetarpal]

🚀 Feature

This issue proposes the creation of a web proxy that can set CORS headers for a PyPI-like indices such as Anaconda.org that do not set such headers. Currently, package managers for Pyodide such as micropip and piplite (i.e., the abstraction over micropip) are unable to download packages from such indices (see pyodide/micropip#101). The CORS headers will allow for a web worker such as a browser tab or any webpage to access resources from other servers, in this case, wheels from Anaconda – the primary platform for uploads of nightly wheels for Scientific Python projects, being tracked in #3049 (comment).

Motivation

The major motivator is being able to serve nightly Pyodide wheels for various projects at different levels of scale based on the traffic their documentation website receives. These wheels will be further utilised for interactive documentation utilities for the latest/unreleased versions or specific released versions of a project's documentation: Quansight-Labs/czi-scientific-python-mgmt#19.

This will embed the installation command in a cell, which can be later hidden through JupyterLite in the future for cleaner UX: jupyterlite/jupyterlite#975, jupyterlite/jupyterlite#508. Similar requests have been received for other projects as well: scikit-hep/pyhf#1826

Pitch

Refactoring this existing project by @Carreau: https://github.com/Carreau/cloudflare-pypi-multi-index seems to be the best idea right now. A concise description of the turn of events could be as follows:

1. set up a web proxy,
2. host it through a VPS or any of the major cloud service providers on a paid plan (where @rgommers mentions that @Quansight can help out with this),
3. this retrieves wheels on demand from the Anaconda.org PyPI index with CORS headers set, and
4. therefore, micropip.install() can proceed with the installation of these wheels through this index URL in a cell

Alternatives

Various alternatives exist:

• Embedding the JupyterLite build artifacts and the custom Emscripten wheel on a data storage service such as AWS S3 where they can be loaded from (similar to how awkward and awkward-cpp do it: docs: new Try-It page based on plain Pyodide scikit-hep/awkward#3058).
• Push the artifacts to GitHub releases and serve an index such as https://github.com/astariul/github-hosted-pypi – here, GitHub Pages as a platform isn't meant to serve as a CDN and there are restrictions around violating GitHub's ToS (terms of service)
• For documentation on GitHub Pages, the wheels can be pushed to the Git source tree, though this would be a bad idea because it would bloat the repository with large binary files (however, downloading the wheels from a GitHub Release and embedding them at runtime through a workflow that pushes artifacts to the gh-pages branch could be a reliable and reasonable option – people will have to avoid pulling the gh-pages branch and pull just the main branch or similar)

Additional context

It is to be noted that PyPI previously did not set CORS headers but now does, through pypi/warehouse#4687 and pypi/conveyor#5. The simple API also sets CORS headers via pypi/warehouse#13222 which are used by micropip to download pure Python packages.

However, moving forward with PyPI as a supported platform for hosting Pyodide wheels requires the provision of a PEP and its subsequent acceptance.

Also, cc: @steppi @melissawm for visibility

[Carreau]

Thanks for the issue and the ping.

I'm not super familiar with cors, so a few notes from my own investigation.

here is the micropip documentation to install from an arbitrary url.

From the source it looks like micorpip's insall has a install(index_urls=...), but the index need to support the JSON API:

    - The index URL should support the
     `JSON API <https://warehouse.pypa.io/api-reference/json/>`__ .

Which anaconda.org does not; I guess the proxy can do the simple->json translation or should we poke anaconda to fix anaconda.org to also expose the /json api ?

For https://github.com/Carreau/cloudflare-pypi-multi-index we were planning on having a deployment for scientific Python.org that both merge the nightly index from anaconda.org and pypi (so that pip and other only need to "see" a single URL). I think it's possible to add different routes with different configurations but I would be in favor of having a single server.

One of the big difference between this and the nightly index and cors index, is that the cors index will need to stream the full wheels while the nightly index does not need to.

[Carreau]

Looking at the json api, I think we can "fake" it by getting the original json form PyPI and injecting some fake incomplete entry in it.

Basically for each nightly wheel we need an entry like so:

[
      {
        "comment_text": "",
        "digests": {
          "blake2b_256": "f61e9d1150c390281156e3022c49b06ac8ba0e59bdeb8573723236579cd5a619",
          "md5": "dfc3aff8deab820664a8021eccd99e0a",
          "sha256": "9c207b0ef2d276d1bfcfeb9a62804336abbe4b170574ea061500952319b1d78c"
        },
        "downloads": -1,
        "filename": "ipython-8.9.0-py3-none-any.whl",
        "has_sig": false,
        "md5_digest": "dfc3aff8deab820664a8021eccd99e0a",
        "packagetype": "bdist_wheel",
        "python_version": "py3",
        "requires_python": ">=3.8",
        "size": 783077,
        "upload_time": "2023-01-27T11:59:45",
        "upload_time_iso_8601": "2023-01-27T11:59:45.400407Z",
        "url": "https://files.pythonhosted.org/packages/f6/1e/9d1150c390281156e3022c49b06ac8ba0e59bdeb8573723236579cd5a619/ipython-8.9.0-py3-none-any.whl",
        "yanked": false,
        "yanked_reason": null
      },
]

I'm going to guess for nightly we can fake some of this data.

[ryanking13]

Thanks for the suggestion @agriyakhetarpal! I still think the easiest thing to do is to try hard to convince the anaconda folks to put adding CORS headers on their TODO list, but aside, creating a CORS header proxy would be useful as it can be used in any places.

micropip.install() can proceed with the installation of these wheels through this index URL in a cell

If there is something that needs to be implemented or changed on the Pyodide or micropip side for the proxy implementation, I'd be happy to help.

host it through a VPS or any of the major cloud service providers on a paid plan (where @rgommers mentions that https://github.com/Quansight can help out with this),

I would appreciate it if Quansight is willing to host the proxy. I don't think Pyodide will host the proxy directly at any time (as we're not a company).

Refactoring this existing project by @Carreau: https://github.com/Carreau/cloudflare-pypi-multi-index seems to be the best idea right now. A concise description of the turn of events could be as follows:

I also once made a general CORS proxy using Cloudflare workers (it was not for Pyodide anyways). So it is interesting that someone came up with the same idea.

[Carreau]

I don't know much about JS/cloudflare, and stugled to do even do a small prototype, so if you know what you are doing we've better to adapt your code than mine :-p

I think the only thing I would do is not a general cors proxy (to avoid abuse), but only for pypi/anaconda.org.

If we can push anaconda to add cors, I would also push to have them add the json api, it's much easier to word with than the legacy one...

I also believe that an edge worker is better suited than a VPS as we don't really have any state.

Though if we deploy such a proxy one of the thing we can also add is usage metrics and which packages are often requested.

(also as a note, the idea behind cloudflare-pypi-multi-index, is that when using pip it's more complicated to deal with multiple index then with micropip, as you have to deal with --index-url and --extra-index-url, which confuses users.

[ryanking13]

I don't know much about JS/cloudflare, and stugled to do even do a small prototype, so if you know what you are doing we've better to adapt your code than mine

To be honest, I built it for my own personal use, and I am not aware of the requirements for a CORS proxy, so I don't think it's much better. But feel free to take a look if it is helpful :)

I think the only thing I would do is not a general cors proxy (to avoid abuse), but only for pypi/anaconda.org.

Right, I experienced so many abusers using my proxy (most of them were doing sort of crypto mining things...)

[Carreau]

so I got https://pyodide.org/en/stable/console.html to not raise cors, by slightly modifying @ryanking13 example.

>>> import micropip
>>> await micropip.install('shapely', index_urls=['http://localhost:8787/scientific-python-nightly-wheels/simple'])

Loading micropip, packaging
pyodide.asm.js:10 Loaded micropip, packaging
pyodide.asm.js:10 Loading numpy, shapely
pyodide.asm.js:10 Loaded numpy, shapely
pyodide.asm.js:10 shapely already loaded from default channel
pyodide.asm.js:10 No new packages to load

But is also does not install the nightly.

Do we know of an index somewhere that misses cors, and I can test on ?

I'm also not sure how to debug, and probably should learn to build pyodide and micropip locally

[ryanking13]

Do we know of an index somewhere that misses cors

Is Anaconda.org not enough for testing?

I'm also not sure how to debug, and probably should learn to build pyodide and micropip locally

I believe you won't need to build Pyodide (unless you need to modify the behavior of pyfetch?). Building micropip and loading it from stable version of Pyodide would be enough.

[Carreau]

Do we know of an index somewhere that misses cors, and I can test on ?

Sorry, I was thinking of a specific package/(sub)index https://pypi.anaconda.org/ is not an index, but https://pypi.anaconda.org/scientific-python-nightly-wheels/simple/ is one.

[Carreau]

Ok, I banged my head on pyodide/micropip#121 for way too long.
I'm going to add a bunch of debug logging to micropip.

[Carreau]

I think we might need patch upstream to have CORS for 404, (pypi/warehouse#14229) otherwise we don't even get the 404 when the package does not exists, and micropip cannot differentiate network/configuration issues from non existing packages.

[Carreau]

Another options is t have a deeper understanding of indexes, and have an option like oserror_on_404:bool, which if set to false actually raise on OSError, and otherwise rely on res.status_code.