Instead of encrypting, pass the HS an opaque token which we locally resolve in a map to our profile data

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Michael Telatynski 2020-04-09 21:17:37 +01:00
parent 4afd29f62c
commit 15bb819c8a
3 changed files with 40 additions and 39 deletions

View file

@ -35,7 +35,7 @@ const tray = require('./tray');
const vectorMenu = require('./vectormenu'); const vectorMenu = require('./vectormenu');
const webContentsHandler = require('./webcontents-handler'); const webContentsHandler = require('./webcontents-handler');
const updater = require('./updater'); const updater = require('./updater');
const {getProfileFromDeeplink, protocolInit, getArgs} = require('./protocol'); const {getProfileFromDeeplink, protocolInit, recordSSOSession} = require('./protocol');
const windowStateKeeper = require('electron-window-state'); const windowStateKeeper = require('electron-window-state');
const Store = require('electron-store'); const Store = require('electron-store');
@ -237,8 +237,8 @@ ipcMain.on('ipcCall', async function(ev, payload) {
case 'getConfig': case 'getConfig':
ret = vectorConfig; ret = vectorConfig;
break; break;
case 'getRiotDesktopSsoArgs': case 'startSSOFlow':
ret = getArgs(argv); recordSSOSession(args[0]);
break; break;
default: default:

View file

@ -15,10 +15,15 @@ limitations under the License.
*/ */
const {app} = require("electron"); const {app} = require("electron");
const crypto = require("crypto"); const path = require("path");
const fs = require("fs");
const PROTOCOL = "riot://"; const PROTOCOL = "riot://";
const SEARCH_PARAM = "riot-desktop-args"; const SEARCH_PARAM = "riot-desktop-ssoid";
const STORE_FILE_NAME = "sso-sessions.json";
// we getPath userData before electron-main changes it, so this is the default value
const storePath = path.join(app.getPath("userData"), STORE_FILE_NAME);
const processUrl = (url) => { const processUrl = (url) => {
if (!global.mainWindow) return; if (!global.mainWindow) return;
@ -26,36 +31,33 @@ const processUrl = (url) => {
global.mainWindow.loadURL(url.replace(PROTOCOL, "vector://")); global.mainWindow.loadURL(url.replace(PROTOCOL, "vector://"));
}; };
// we encrypt anything that we expose to be passed back to our callback protocol const readStore = () => {
// so that homeservers don't see our directory paths and have the ability to manipulate them. try {
const algorithm = "aes-192-cbc"; const s = fs.readFileSync(storePath, { encoding: "utf8" });
const o = JSON.parse(s);
const getKeyIv = () => ({ return typeof o === "object" ? o : {};
key: crypto.scryptSync(app.getPath("exe"), "salt", 24), } catch (e) {
iv: Buffer.alloc(16, 0), return {};
}); }
const encrypt = (plaintext) => {
const {key, iv} = getKeyIv();
const cipher = crypto.createCipheriv(algorithm, key, iv);
let ciphertext = cipher.update(plaintext, "utf8", "hex");
ciphertext += cipher.final("hex");
return ciphertext;
}; };
const decrypt = (ciphertext) => { const writeStore = (data) => {
const {key, iv} = getKeyIv(); fs.writeFileSync(storePath, JSON.stringify(data));
const decipher = crypto.createDecipheriv(algorithm, key, iv);
let plaintext = decipher.update(ciphertext, "hex", "utf8");
plaintext += decipher.final("utf8");
return plaintext;
}; };
module.exports = { module.exports = {
getArgs: (argv) => { recordSSOSession: (sessionID) => {
if (argv['profile-dir'] || argv['profile']) { const userDataPath = app.getPath('userData');
return encrypt(app.getPath('userData')); const store = readStore();
for (const key in store) {
// ensure each instance only has one (the latest) session ID to prevent the file growing unbounded
if (store[key] === userDataPath) {
delete store[key];
break;
} }
}
store[sessionID] = userDataPath;
writeStore(store);
}, },
getProfileFromDeeplink: (args) => { getProfileFromDeeplink: (args) => {
// check if we are passed a profile in the SSO callback url // check if we are passed a profile in the SSO callback url
@ -63,9 +65,10 @@ module.exports = {
if (deeplinkUrl && deeplinkUrl.includes(SEARCH_PARAM)) { if (deeplinkUrl && deeplinkUrl.includes(SEARCH_PARAM)) {
const parsedUrl = new URL(deeplinkUrl); const parsedUrl = new URL(deeplinkUrl);
if (parsedUrl.protocol === 'riot:') { if (parsedUrl.protocol === 'riot:') {
const profile = parsedUrl.searchParams.get(SEARCH_PARAM); const ssoID = parsedUrl.searchParams.get(SEARCH_PARAM);
console.log("Forwarding to profile: ", profile); const store = readStore();
return decrypt(profile); console.log("Forwarding to profile: ", store[ssoID]);
return store[ssoID];
} }
} }
}, },

View file

@ -32,6 +32,7 @@ import Spinner from "matrix-react-sdk/src/components/views/elements/Spinner";
import {Categories, Modifiers, registerShortcut} from "matrix-react-sdk/src/accessibility/KeyboardShortcuts"; import {Categories, Modifiers, registerShortcut} from "matrix-react-sdk/src/accessibility/KeyboardShortcuts";
import {Key} from "matrix-react-sdk/src/Keyboard"; import {Key} from "matrix-react-sdk/src/Keyboard";
import React from "react"; import React from "react";
import {randomString} from "matrix-js-sdk/src/randomstring";
const ipcRenderer = window.ipcRenderer; const ipcRenderer = window.ipcRenderer;
const isMac = navigator.platform.toUpperCase().includes('MAC'); const isMac = navigator.platform.toUpperCase().includes('MAC');
@ -229,10 +230,9 @@ export default class ElectronPlatform extends VectorBasePlatform {
}); });
} }
// we assume this happens before any SSO actions occur but do not block. // this is the opaque token we pass to the HS which when we get it in our callback we can resolve to a profile
this._ipcCall('getRiotDesktopSsoArgs').then(riotDesktopSsoArgs => { this.ssoID = randomString(32);
this.riotDesktopSsoArgs = riotDesktopSsoArgs; this._ipcCall("startSSOFlow", this.ssoID);
});
} }
async getConfig(): Promise<{}> { async getConfig(): Promise<{}> {
@ -429,9 +429,7 @@ export default class ElectronPlatform extends VectorBasePlatform {
getSSOCallbackUrl(hsUrl: string, isUrl: string): URL { getSSOCallbackUrl(hsUrl: string, isUrl: string): URL {
const url = super.getSSOCallbackUrl(hsUrl, isUrl); const url = super.getSSOCallbackUrl(hsUrl, isUrl);
url.protocol = "riot"; url.protocol = "riot";
if (this.riotDesktopSsoArgs) { url.searchParams.set("riot-desktop-ssoid", this.ssoID);
url.searchParams.set("riot-desktop-args", this.riotDesktopSsoArgs);
}
return url; return url;
} }