mirror of
https://github.com/CringeStudios/element-desktop.git
synced 2025-01-31 05:29:58 +01:00
2d6e087fb0
* Check url with homeserver * Move check to where access-token is added * Do IPC comm sparingly Before, the code would fetch the hs for every request. Since this needs the whole event-handler dance, it's best we do it only for the requests that match the media endpoints. Also added some try..catch since we create URL objects that could potentially throw * Check origin instead of just hostname
107 lines
4.3 KiB
TypeScript
107 lines
4.3 KiB
TypeScript
/*
|
|
Copyright 2024 New Vector Ltd.
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
|
|
Please see LICENSE files in the repository root for full details.
|
|
*/
|
|
|
|
import { BrowserWindow, ipcMain, session } from "electron";
|
|
|
|
/**
|
|
* Check for feature support from the server.
|
|
* This requires asking the renderer process for supported versions.
|
|
*/
|
|
async function getSupportedVersions(window: BrowserWindow): Promise<string[]> {
|
|
return new Promise((resolve) => {
|
|
ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
|
|
resolve(versionsResponse?.versions || []);
|
|
});
|
|
window.webContents.send("serverSupportedVersions"); // ping now that the listener exists
|
|
});
|
|
}
|
|
|
|
/**
|
|
* Get the access token for the user.
|
|
* This requires asking the renderer process for the access token.
|
|
*/
|
|
async function getAccessToken(window: BrowserWindow): Promise<string | undefined> {
|
|
return new Promise((resolve) => {
|
|
ipcMain.once("userAccessToken", (_, accessToken) => {
|
|
resolve(accessToken);
|
|
});
|
|
window.webContents.send("userAccessToken"); // ping now that the listener exists
|
|
});
|
|
}
|
|
|
|
/**
|
|
* Get the homeserver url
|
|
* This requires asking the renderer process for the homeserver url.
|
|
*/
|
|
async function getHomeserverUrl(window: BrowserWindow): Promise<string> {
|
|
return new Promise((resolve) => {
|
|
ipcMain.once("homeserverUrl", (_, homeserver) => {
|
|
resolve(homeserver);
|
|
});
|
|
window.webContents.send("homeserverUrl"); // ping now that the listener exists
|
|
});
|
|
}
|
|
|
|
export function setupMediaAuth(window: BrowserWindow): void {
|
|
session.defaultSession.webRequest.onBeforeRequest(async (req, callback) => {
|
|
// This handler emulates the element-web service worker, where URLs are rewritten late in the request
|
|
// for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
|
|
// by the app using authenticated URLs from the outset.
|
|
try {
|
|
const url = new URL(req.url);
|
|
if (
|
|
!url.pathname.startsWith("/_matrix/media/v3/download") &&
|
|
!url.pathname.startsWith("/_matrix/media/v3/thumbnail")
|
|
) {
|
|
return callback({}); // not a URL we care about
|
|
}
|
|
|
|
const supportedVersions = await getSupportedVersions(window);
|
|
// We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
|
|
// e.g. those required for SSO button icons.
|
|
const accessToken = await getAccessToken(window);
|
|
if (supportedVersions.includes("v1.11") && accessToken) {
|
|
url.href = url.href.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
|
|
return callback({ redirectURL: url.toString() });
|
|
} else {
|
|
return callback({}); // no support == no modification
|
|
}
|
|
} catch (e) {
|
|
console.error(e);
|
|
}
|
|
});
|
|
|
|
session.defaultSession.webRequest.onBeforeSendHeaders(async (req, callback) => {
|
|
try {
|
|
const url = new URL(req.url);
|
|
if (!url.pathname.startsWith("/_matrix/client/v1/media")) {
|
|
return callback({}); // invoke unmodified
|
|
}
|
|
|
|
// Is this request actually going to the homeserver?
|
|
// We don't combine this check with the one above on purpose.
|
|
// We're fetching the homeserver url through IPC and should do so
|
|
// as sparingly as possible.
|
|
const homeserver = await getHomeserverUrl(window);
|
|
const isRequestToHomeServer = homeserver && url.origin === new URL(homeserver).origin;
|
|
if (!isRequestToHomeServer) {
|
|
return callback({}); // invoke unmodified
|
|
}
|
|
|
|
// Only add authorization header to authenticated media URLs. This emulates the service worker
|
|
// behaviour in element-web.
|
|
const accessToken = await getAccessToken(window);
|
|
// `accessToken` can be falsy, but if we're trying to download media without authentication
|
|
// then we should expect failure anyway.
|
|
const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
|
|
return callback({ requestHeaders: headers });
|
|
} catch (e) {
|
|
console.error(e);
|
|
}
|
|
});
|
|
}
|