CringeStudios/element-desktop
5
0
Fork 0
mirror of https://github.com/CringeStudios/element-desktop.git synced 2025-01-18 23:44:59 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Refactor media auth redirects to not kick in if the user is not logged in (#1817)

Browse Source
This commit is contained in:
Michael Telatynski 2024-08-07 09:44:18 +01:00 committed by GitHub
parent 38c3bc440e
commit 6fca680085
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 83 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
src/electron-main.ts
View File

@ -19,7 +19,7 @@ limitations under the License.
// Squirrel on windows starts the app with various flags as hooks to tell us when we've been installed/uninstalled etc. // Squirrel on windows starts the app with various flags as hooks to tell us when we've been installed/uninstalled etc.
import "./squirrelhooks"; import "./squirrelhooks";
import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session, ipcMain } from "electron"; import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session } from "electron";
import * as Sentry from "@sentry/electron/main"; import * as Sentry from "@sentry/electron/main";
import AutoLaunch from "auto-launch"; import AutoLaunch from "auto-launch";
import path from "path"; import path from "path";
@ -42,6 +42,7 @@ import { _t, AppLocalization } from "./language-helper";
import { setDisplayMediaCallback } from "./displayMediaCallback"; import { setDisplayMediaCallback } from "./displayMediaCallback";
import { setupMacosTitleBar } from "./macos-titlebar"; import { setupMacosTitleBar } from "./macos-titlebar";
import { loadJsonFile } from "./utils"; import { loadJsonFile } from "./utils";
import { setupMediaAuth } from "./media-auth";
const argv = minimist(process.argv, { const argv = minimist(process.argv, {
alias: { help: "h" }, alias: { help: "h" },
@ -550,50 +551,7 @@ app.on("ready", async () => {
setDisplayMediaCallback(callback); setDisplayMediaCallback(callback);
}); });
session.defaultSession.webRequest.onBeforeRequest((req, callback) => { setupMediaAuth(global.mainWindow);
// This handler emulates the element-web service worker, where URLs are rewritten late in the request
// for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
// by the app using authenticated URLs from the outset.
let url = req.url;
if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
return callback({}); // not a URL we care about
}
// Check for feature support from the server. This requires asking the renderer process for supported
// versions.
ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
if (versionsResponse?.versions?.includes("v1.11")) {
url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
return callback({ redirectURL: url });
} else {
return callback({}); // no support == no modification
}
});
global.mainWindow!.webContents.send("serverSupportedVersions"); // ping now that the listener exists
// we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
});
session.defaultSession.webRequest.onBeforeSendHeaders((req, callback) => {
if (!req.url.includes("/_matrix/client/v1/media")) {
return callback({}); // invoke unmodified
}
// Only add authorization header to authenticated media URLs. This emulates the service worker
// behaviour in element-web.
// We need to get the access token from the renderer process to do that, though.
ipcMain.once("userAccessToken", (_, accessToken) => {
// `accessToken` can be falsy, but if we're trying to download media without authentication
// then we should expect failure anyway.
const headers = { ...req.requestHeaders };
headers["Authorization"] = `Bearer ${accessToken}`;
return callback({ requestHeaders: headers });
});
global.mainWindow!.webContents.send("userAccessToken");
// we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
});
}); });
app.on("window-all-closed", () => { app.on("window-all-closed", () => {

80
src/media-auth.ts Normal file
View File

@ -0,0 +1,80 @@
/*
Copyright 2024 New Vector Ltd
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
import { BrowserWindow, ipcMain, session } from "electron";
/**
* Check for feature support from the server.
* This requires asking the renderer process for supported versions.
*/
async function getSupportedVersions(window: BrowserWindow): Promise<string[]> {
return new Promise((resolve) => {
ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
resolve(versionsResponse?.versions || []);
});
window.webContents.send("serverSupportedVersions"); // ping now that the listener exists
});
}
/**
* Get the access token for the user.
* This requires asking the renderer process for the access token.
*/
async function getAccessToken(window: BrowserWindow): Promise<string | undefined> {
return new Promise((resolve) => {
ipcMain.once("userAccessToken", (_, accessToken) => {
resolve(accessToken);
});
window.webContents.send("userAccessToken"); // ping now that the listener exists
});
}
export function setupMediaAuth(window: BrowserWindow): void {
session.defaultSession.webRequest.onBeforeRequest(async (req, callback) => {
// This handler emulates the element-web service worker, where URLs are rewritten late in the request
// for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
// by the app using authenticated URLs from the outset.
let url = req.url;
if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
return callback({}); // not a URL we care about
}
const supportedVersions = await getSupportedVersions(window);
// We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
// e.g. those required for SSO button icons.
const accessToken = await getAccessToken(window);
if (supportedVersions.includes("v1.11") && accessToken) {
url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
return callback({ redirectURL: url });
} else {
return callback({}); // no support == no modification
}
});
session.defaultSession.webRequest.onBeforeSendHeaders(async (req, callback) => {
if (!req.url.includes("/_matrix/client/v1/media")) {
return callback({}); // invoke unmodified
}
// Only add authorization header to authenticated media URLs. This emulates the service worker
// behaviour in element-web.
const accessToken = await getAccessToken(window);
// `accessToken` can be falsy, but if we're trying to download media without authentication
// then we should expect failure anyway.
const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
return callback({ requestHeaders: headers });
});
}