Chore/master to develop (#2104)

* Fix - js injection in message input (#1943) * use notarytool for macos notarization * Secure backend socket.io from other applications that can access localhost i.e. browser (#1940) * secure socket IO connection with token and origin, transform token from main.ts to backend and state manager * Add authorization headers to socketio android notifications client * Secure socketIO connection on iOS * Extend lastKnownPort to lastKnownSocketIOData on android * Handle socketIOSecret for iOS lifecycle event * feat: getRandomValues and concept for validating options on backend * fix: use secure crypto for ios socketio secret --------- Co-authored-by: Vin Kabuki <[email protected]> Co-authored-by: siepra <[email protected]> * feat: notifier component #1980 * feat: use mailto for support address #1980 * fix: building mobile package #1980 * Publish - @quiet/[email protected] - @quiet/[email protected] - [email protected] - [email protected] - [email protected] - @quiet/[email protected] - @quiet/[email protected] * fix: pass team id for notarization * chore: abort build on notarization failure (#2081) * chore: deactivate 'breaking changes warning' for mobile and desktop #2097 #2096 * fix: use default websocket port in case of none --------- Co-authored-by: Kacper Michalik <[email protected]> Co-authored-by: Vin Kabuki <[email protected]> Co-authored-by: Kacper-RF <[email protected]> Co-authored-by: siepra <[email protected]> Co-authored-by: Wiktor Sieprawski <[email protected]> Co-authored-by: [email protected] <[email protected]>
TryQuiet · Nov 23, 2023 · 16612aa · 16612aa
1 parent 4fc2d6d
commit 16612aa
Show file tree

Hide file tree

Showing 72 changed files with 1,318 additions and 321 deletions.
diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml
@@ -138,8 +138,9 @@ jobs:
  GH_TOKEN: ${{ secrets.GH_TOKEN }}
  CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
  CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
- APPLEID: ${{ secrets.APPLE_ID }}
- APPLEIDPASS: ${{ secrets.APPLE_ID_PASS }}
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_ID_PASS: ${{ secrets.APPLE_ID_PASS }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  USE_HARD_LINKS: false

diff --git a/packages/backend/CHANGELOG.md b/packages/backend/CHANGELOG.md
@@ -193,6 +193,7 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 
 # [1.10.0-alpha.0](https://github.com/TryQuiet/backend/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
+## [1.9.5](https://github.com/TryQuiet/backend/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-09)
 
 **Note:** Version bump only for package @quiet/backend
 

diff --git a/packages/backend/src/backendManager.ts b/packages/backend/src/backendManager.ts
@@ -8,8 +8,10 @@ import { ConnectionsManagerService } from './nest/connections-manager/connection
 import { TorControl } from './nest/tor/tor-control.service'
 import { torBinForPlatform, torDirForPlatform } from './nest/common/utils'
 import initRnBridge from './rn-bridge'
-
+import { INestApplicationContext } from '@nestjs/common'
 import logger from './nest/common/logger'
+import { OpenServices, validateOptions } from './options'
+
 const log = logger('backendManager')
 
 const program = new Command()
@@ -25,21 +27,13 @@ program
  .option('-a, --appDataPath <string>', 'Path of application data directory')
  .option('-d, --socketIOPort <number>', 'Socket io data server port')
  .option('-r, --resourcesPath <string>', 'Application resources path')
+ .option('-scrt, --socketIOSecret <string>', 'socketIO secret')
 
 program.parse(process.argv)
 const options = program.opts()
 
 console.log('options', options)
 
-interface OpenServices {
- torControlPort?: any
- socketIOPort?: any
- httpTunnelPort?: any
- authCookie?: any
-}
-
-import { INestApplicationContext } from '@nestjs/common'
-
 export const runBackendDesktop = async () => {
  const isDev = process.env.NODE_ENV === 'development'
 
@@ -48,11 +42,14 @@ export const runBackendDesktop = async () => {
  // @ts-ignore
  global.crypto = webcrypto
 
+ validateOptions(options)
+
  const resourcesPath = isDev ? null : options.resourcesPath.trim()
 
  const app = await NestFactory.createApplicationContext(
  AppModule.forOptions({
  socketIOPort: options.socketIOPort,
+ socketIOSecret: options.socketIOSecret,
  torBinaryPath: torBinForPlatform(resourcesPath),
  torResourcesPath: torDirForPlatform(resourcesPath),
  torControlPort: await getPort(),
@@ -87,7 +84,7 @@ export const runBackendDesktop = async () => {
  })
 }
 
-export const runBackendMobile = async (): Promise<any> => {
+export const runBackendMobile = async () => {
  // Enable triggering push notifications
  process.env['BACKEND'] = 'mobile'
  process.env['CONNECTION_TIME'] = (new Date().getTime() / 1000).toString() // Get time in seconds
@@ -97,6 +94,7 @@ export const runBackendMobile = async (): Promise<any> => {
  const app: INestApplicationContext = await NestFactory.createApplicationContext(
  AppModule.forOptions({
  socketIOPort: options.dataPort,
+ socketIOSecret: options.socketIOSecret,
  httpTunnelPort: options.httpTunnelPort ? options.httpTunnelPort : null,
  torAuthCookie: options.authCookie ? options.authCookie : null,
  torControlPort: options.controlPort ? options.controlPort : await getPort(),

diff --git a/packages/backend/src/nest/app.module.ts b/packages/backend/src/nest/app.module.ts
@@ -32,7 +32,7 @@ import { Server as SocketIO } from 'socket.io'
 import { StorageModule } from './storage/storage.module'
 import { IpfsModule } from './ipfs/ipfs.module'
 import { Level } from 'level'
-import { getCors } from './common/utils'
+import { verifyToken } from '@quiet/common'
 
 @Global()
 @Module({
@@ -94,10 +94,40 @@ export class AppModule {
  _app.use(cors())
  const server = createServer(_app)
  const io = new SocketIO(server, {
- cors: getCors(),
+ cors: {
+ origin: '127.0.0.1',
+ allowedHeaders: ['authorization'],
+ credentials: true,
+ },
  pingInterval: 1000_000,
  pingTimeout: 1000_000,
  })
+ io.engine.use((req, res, next) => {
+ const authHeader = req.headers['authorization']
+ if (!authHeader) {
+ console.error('No authorization header')
+ res.writeHead(401, 'No authorization header')
+ res.end()
+ return
+ }
+
+ const token = authHeader && authHeader.split(' ')[1]
+ if (!token) {
+ console.error('No auth token')
+ res.writeHead(401, 'No authorization token')
+ res.end()
+ return
+ }
+
+ if (verifyToken(options.socketIOSecret, token)) {
+ next()
+ } else {
+ console.error('Wrong basic token')
+ res.writeHead(401, 'Unauthorized')
+ res.end()
+ }
+ })
+
  return { server, io }
  },
  inject: [EXPRESS_PROVIDER],
@@ -122,7 +152,7 @@ export class AppModule {
  },
  {
  provide: LEVEL_DB,
- useFactory: (dbPath: string) => new Level<string, any>(dbPath, { valueEncoding: 'json' }),
+ useFactory: (dbPath: string) => new Level<string, unknown>(dbPath, { valueEncoding: 'json' }),
  inject: [DB_PATH],
  },
  ],

diff --git a/packages/backend/src/nest/types.ts b/packages/backend/src/nest/types.ts
@@ -5,6 +5,7 @@ import { Server as SocketIO } from 'socket.io'
 export class ConnectionsManagerTypes {
  options: Partial<ConnectionsManagerOptions>
  socketIOPort: number
+ socketIOSecret: string
  httpTunnelPort?: number
  torAuthCookie?: string
  torControlPort?: number

diff --git a/packages/backend/src/options.ts b/packages/backend/src/options.ts
@@ -0,0 +1,32 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+import commander from 'commander'
+
+export interface OpenServices {
+ torControlPort?: any
+ socketIOPort?: any
+ socketIOSecret?: any
+ httpTunnelPort?: any
+ authCookie?: any
+}
+
+interface Options {
+ platform?: any
+ dataPath?: any
+ dataPort?: any
+ torBinary?: any
+ authCookie?: any
+ controlPort?: any
+ httpTunnelPort?: any
+ appDataPath?: string
+ socketIOPort?: number
+ resourcesPath?: string
+ socketIOSecret: string
+}
+
+// concept
+export const validateOptions = (_options: commander.OptionValues) => {
+ const options = _options as Options
+ if (!options.socketIOSecret) {
+ throw new Error('socketIOSecret is missing in options')
+ }
+}
diff --git a/packages/common/CHANGELOG.md b/packages/common/CHANGELOG.md
@@ -5,10 +5,6 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 ## [2.0.2-alpha.1](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-14)
 
-**Note:** Version bump only for package @quiet/common
-
-
-
 
 
 ## [2.0.2-alpha.0](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-10-26)
@@ -107,9 +103,17 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 
 
+# [1.9.0-alpha.0](/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
+
+
+## [1.8.2](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-09)
+
+**Note:** Version bump only for package @quiet/common
+
+
+
 
 
-# [1.9.0-alpha.0](/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
 ## [1.8.1](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-09-15)
 
 **Note:** Version bump only for package @quiet/common

diff --git a/packages/common/package-lock.json b/packages/common/package-lock.json