Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure backend socket.io from other applications that can access localhost i.e. browser #1940

Merged
merged 35 commits into from
Nov 9, 2023
Merged

Secure backend socket.io from other applications that can access localhost i.e. browser #1940

merged 35 commits into from
Nov 9, 2023

Conversation

Kacper-RF
Copy link
Contributor

@Kacper-RF Kacper-RF commented Oct 9, 2023
edited
Loading

Pull Request Checklist

  • I have linked this PR to related GitHub issue.
  • I have updated the CHANGELOG.md file with relevant changes (the file is located at the root of monorepo).

(Optional) Mobile checklist

Please ensure you completed the following checks if you did any changes to the mobile package:

  • I have run e2e tests for mobile
  • I have updated base screenshots for visual regression tests

@Kacper-RF Kacper-RF marked this pull request as ready for review October 18, 2023 13:01
@Kacper-RF Kacper-RF mentioned this pull request Oct 18, 2023
Closed
siepra
siepra approved these changes Oct 18, 2023
View reviewed changes
Copy link
Collaborator

@siepra siepra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally those utility functions for eg. generating random string should be moved to some external files/classes on mobile (obj-c code is already complex enough to be hard to read).
It will work though

leblowl
leblowl requested changes Oct 25, 2023
View reviewed changes
Copy link
Collaborator

@leblowl leblowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job getting this all working! I have a few suggestions, but looks good overall.

packages/backend/src/nest/app.module.ts Outdated Show resolved Hide resolved
packages/common/src/auth.ts Outdated Show resolved Hide resolved
packages/desktop/src/main/main.ts Show resolved Hide resolved
packages/mobile/android/app/src/main/java/com/quietmobile/Backend/BackendWorker.kt Outdated Show resolved Hide resolved
packages/mobile/ios/Quiet/AppDelegate.m Outdated

return randomString;
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably use something like: https://developer.apple.com/documentation/security/1399291-secrandomcopybytes

and maybe call it generateSecret to match other implementations.

packages/mobile/ios/Utils.swift

return randomString
}
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above

We should probably use something like: https://developer.apple.com/documentation/security/1399291-secrandomcopybytes

and maybe call it generateSecret to match other implementations.

Also it looks like this is a duplicate of the same function in AppDelegate.m

leblowl
leblowl approved these changes Nov 7, 2023
View reviewed changes
Copy link
Collaborator

@leblowl leblowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks!

packages/backend/src/utils.ts Outdated Show resolved Hide resolved
@Kacper-RF Kacper-RF merged commit 625f13e into master Nov 9, 2023
21 of 22 checks passed
@siepra siepra deleted the bug/114 branch November 21, 2023 11:51
EmiM added a commit that referenced this pull request Nov 23, 2023
@EmiM @Kacper-RF
@vinkabuki @siepra @githubquiet
Chore/master to develop (#2104)
16612aa 
* Fix - js injection in message input (#1943)

* use notarytool for macos notarization

* Secure backend socket.io from other applications that can access localhost i.e. browser (#1940)

* secure socket IO connection with token and origin, transform token from main.ts to backend and state manager

* Add authorization headers to socketio android notifications client

* Secure socketIO connection on iOS

* Extend lastKnownPort to lastKnownSocketIOData on android

* Handle socketIOSecret for iOS lifecycle event

* feat: getRandomValues and concept for validating options on backend

* fix: use secure crypto for ios socketio secret

---------

Co-authored-by: Vin Kabuki <[email protected]>
Co-authored-by: siepra <[email protected]>

* feat: notifier component #1980

* feat: use mailto for support address #1980

* fix: building mobile package #1980

* Publish

 - @quiet/[email protected]
 - @quiet/[email protected]
 - [email protected]
 - [email protected]
 - [email protected]
 - @quiet/[email protected]
 - @quiet/[email protected]

* fix: pass team id for notarization

* chore: abort build on notarization failure (#2081)

* chore: deactivate 'breaking changes warning' for mobile and desktop #2097 #2096

* fix: use default websocket port in case of none

---------

Co-authored-by: Kacper Michalik <[email protected]>
Co-authored-by: Vin Kabuki <[email protected]>
Co-authored-by: Kacper-RF <[email protected]>
Co-authored-by: siepra <[email protected]>
Co-authored-by: Wiktor Sieprawski <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leblowl leblowl leblowl approved these changes

@siepra siepra siepra approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Kacper-RF @leblowl @siepra @vinkabuki