Authenticate requests between components#486
Conversation
execjosh
force-pushed
the
authenticate-component-requests
branch
from
d7f8aea to
4ae4169
Compare
execjosh
force-pushed
the
authenticate-component-requests
branch
from
4ae4169 to
31d9be9
Compare
execjosh
force-pushed
the
authenticate-component-requests
branch
from
31d9be9 to
5a43805
Compare
|
|
||
| - (void)shutdown:(Boolean)keepAlive | ||
| { | ||
| if (shuttingDown) { |
There was a problem hiding this comment.
this one is merged as a separate PR already :)
| return dataDictionary; | ||
| NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:urlPath]; | ||
| [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"]; | ||
| if (preferences.enableSecurity) { |
There was a problem hiding this comment.
might seem like a small thing, but what do you think about having this setting only control whether the server checks the token. It can be sent in all other places regardless.
This way the 'code surface' this setting impacts is reduced
There was a problem hiding this comment.
That's a good point! I'll change the code to do that :)
| // this will trigger a render | ||
| [self->screensController syncScreens:self]; | ||
|
|
||
| [self fetchState:^(NSDictionary* state) { |
There was a problem hiding this comment.
is this one related to this change?
There was a problem hiding this comment.
Yes. From what I can tell, there is no way to send custom headers with HTTP requests through NSData. The results from NSURLSessionDataTask come asynchronously. So, we need to pass a callback.
Perhaps there is a synchronous way to make an HTTP request with custom headers?
There was a problem hiding this comment.
oh I see, I get the change now (misread at first)!
Use a randomly generated token to authenticate requests to the server for all endpoints, including WebSockets. The token is passed to the node server via STDIN, which should sufficiently prevent eavesdropping.
execjosh
force-pushed
the
authenticate-component-requests
branch
from
5a43805 to
9c7cf76
Compare
| <button fixedFrame="YES" translatesAutoresizingMaskIntoConstraints="NO" id="4Cm-6a-MW9"> | ||
| <rect key="frame" x="220" y="265" width="182" height="18"/> | ||
| <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMinY="YES"/> | ||
| <buttonCell key="cell" type="check" title="Enable security measures" bezelStyle="regularSquare" imagePosition="left" state="on" inset="2" id="6iu-kH-BSa"> |
There was a problem hiding this comment.
Would you prefer to have one setting for each security measure?
Also, if it's fine to have one checkbox, is there a better wording?
There was a problem hiding this comment.
I need to think about it a bit as well. Worst case I can play with it before releasing, so let's just leave as is for now.
|
One thing I just came across is NSHTTPCookieStorage. I also vaguely remember looking at it (and maybe using it) when I first implemented this. |
|
@execjosh did you see my last comment here by any chance? |
|
Oops, I must have missed it. I will try to have a look at NSHTTPCookieStorage when I get a chance. |
3 participants
Use a randomly generated token to authenticate requests to the server for all endpoints, including WebSockets, which will help prevent naïve exploitation of the privilege escalation threat of the
/run/endpoint. The token is passed to the node server via STDIN, which should sufficiently prevent eavesdropping.There is a new setting that toggles this functionality and is enabled by default.
Implementation details
This is implemented using
httpCookieStore, which is only available on macOS 10.13+. However this project targets 10.11.The
WKWebViewinjects the token as a cookie for requests from the foreground and background; so, this change should be transparent to all widgets. Additionally, theHttpOnlyflag is set on the cookie, which prevents it from being accessed from JavaScript.