Summary:
Until now, launching flipper-server with TCP would accept any incoming connection as long as it comes from the same origin (localhost) using web socket host origin verification.
This is not entirely secure as origin can be spoofed with tools like curl.
Our team created a security review and a proposal was written:
https://docs.google.com/document/d/16iXypCQibPiner061SoaQUFUY9tLVAEpkKfV_hUXI7c/
Effectively, Flipper can generate a token which is then used by the client to authenticate.
This diff contains the changes required to generate, obtain, and validate authentication tokens from clients connecting to flipper over TCP connections.
The token itself is a JWT token. JWT was chosen because it is a simple industry standard which offers three features which can immediately benefit us:
- Expiration handling. No need for Flipper to store this information anywhere.
- Payload. Payload can be used to push any data we deem relevant i.e. unix username.
- Signing. Signed and verified using the same server key pair which is already in place for certificate exchange.
Additionally, the token is stored in the Flipper static folder. This ensures that the browser and PWA clients have access to it.
Reviewed By: mweststrate
Differential Revision: D45179654
fbshipit-source-id: 6761bcb24f4ba30b67d1511cde8fe875158d78af
Summary:
^
There's no references to this anywhere, so delete.
Reviewed By: antonk52
Differential Revision: D45309041
fbshipit-source-id: e62e94b089eee30b82b05f64c8e7b31dd03597b6
Summary:
FlipperServerClient is a useful abstraction for any JS-based client of headless Flipper. No need to bundle it with flipper-frontend-core, as the rest is not useful for external clients.
Currently, I am planning to add it to jest-e2e to send commands to Flipper
Reviewed By: lblasa
Differential Revision: D40765668
fbshipit-source-id: af48710bb15444ac1ecd649fe9a2ab252f3088f3
Summary:
Flipper plugins fail when importing css from third-party dependencies. This diff tries to fix that.
Effectively, the plugin can import the css and export it when is bundled.
When we load the plugin, we check if there's a css file for it. If there's one, we return it and try to use it.
Reviewed By: aigoncharov
Differential Revision: D40758178
fbshipit-source-id: e53afffcc481504905d5eeb1aea1f9114ee2a86b
Summary:
Start bundling source maps together with the source code itself in the dev mode. Therefore it is no longer required to add a link to the external source map file in dev mode.
In prod mode we still ship them separately.
Reviewed By: mweststrate
Differential Revision: D39775064
fbshipit-source-id: 6c56df7a3fce084c07a8618a63dbd8ae4741348c
Summary:
In D39311893 (094c5bdfdd) we started monkey-patching `require` to resolve global dependencies in the plugins. Apparently, patching `globalThis.require` did not work in the electron env. On my local machine it kept working because I had the experimental `flipper-server` feature enabled which embeds flipper-server into the electron build. In flipper-server we properly patch `require` via `Module.prototype.require` which affected the global require in electron.
With this fix we now properly patch require in electron via Module.prototype.require all the time
Changelog: Fix plugin loading with experimental flipper-server disabled
Reviewed By: nikoant
Differential Revision: D39633821
fbshipit-source-id: 9554f643c625620d116075ae87f573d8447850f6
Summary: As we stopped bundling plugins in D39276249, we no longer need the entry points for the bundled plugins (these entry points are always going to be empty)
Reviewed By: lblasa
Differential Revision: D39307565
fbshipit-source-id: 43751fe31c8bd962677c226b27cfe52093d3f2d4
Summary:
^
Before this change, the client assumed the host and port came from location.host which is fine on the browser.
In all other cases, that object/properties may be undefined.
As such, add host and port as function args and use that instead.
Reviewed By: passy
Differential Revision: D36440423
fbshipit-source-id: 5f931f1d610d583db6a2e549e1213585f0d03dee
Summary:
Before:
```
flipper-server/src/startBaseServer.tsx(222,30): error TS2345: Argument of type 'string | undefined' is not assignable to parameter of type 'string'.
Type 'undefined' is not assignable to type 'string'.
flipper-ui-browser/src/flipperServerConnection.tsx(25,9): error TS2322: Type 'Timeout' is not assignable to type 'number'.
```
Reviewed By: nikoant
Differential Revision: D36100188
fbshipit-source-id: 1913a43109a0e068394a188d362f6a9e473e7904
Summary: Make sure icons are prefetched for flipper-server prod builds, like we do for electron, so that the user doesn't need an internet connection to see icons
Reviewed By: nikoant
Differential Revision: D33296389
fbshipit-source-id: bfa92d78d8d77030238e5cca10d7aa6dcfb88e8b
Summary:
This diff fixes several issues around loading plugin, such as:
* make suresource maps work in the flipper-server production build
* make sure default plugins are no symlinked, which wouldn't work anywhere else but on the the system where it was build
* support release channel param for flipper-server
Bundled flipper-server is now 42MB (with icons (see later diffs) and plugins
```
ll flipper-server-v0.0.0.tgz
-rw-r--r-- 1 mweststrate staff 42M 23 Dec 15:29 flipper-server-v0.0.0.tgz
```
Reviewed By: nikoant
Differential Revision: D33294677
fbshipit-source-id: 63538dc8127f883fee6a3608673ad11ce239b350
Summary: This diff is some boyscouting on cleaning up our globals, and stop using them inconsistently icmw global or window
Reviewed By: aigoncharov
Differential Revision: D33171108
fbshipit-source-id: 400893e5f31523631a7ab6fda428524c751901f1
Summary:
This diff adds `types` fields on the compiler config for every project. This way we can make sure that for example node types and packages are not available in flipper-ui-core. Without an explicit types field, all types would be shared between all packages, and implicitly included into the compilation of everything. For the same reason `types/index.d.ts` has been removed, we want to be intentional on which types are being used in which package.
This diff does most of the work, the next diff will fine tune the globals, and do some further cleanup.
As an alternative solution I first tried a `nohoist: **/node_modules/types/**` and make sure every package list explicitly the types used in package json, which works but is much more error prone, as for example two different react types versions in two packages will cause the most unreadable compiler error due to the types not being shared and not literally the same.
Reviewed By: lawrencelomax
Differential Revision: D33124441
fbshipit-source-id: c2b9d768f845ac28005d8331ef5fa1066c7e4cd7
Summary:
Changelog: Register shortcuts only for Flipper application instead of globally. Fixes https://github.com/facebook/flipper/issues/3090
As reported, during decapitation we accidentally started registering shortcuts globally, rather per app as it used to be in the menu's. This diff fixes that and also makes sure shortcuts are supported in the browser version of flipper
Reviewed By: lawrencelomax
Differential Revision: D33158445
fbshipit-source-id: 8371e5b96e772152eeb93ba990e1f5edb9e67085
Summary:
Bundled plugins so far didn't load because the defaultPlugins was not generated yet. Fixed follow up errors that resulted from node modules not being available in the browser, and made the process more robust so that one plugin that fails to initialise doesn't kill all bundled plugins from being loaded.
Cleaned up the server scripts, and reused the BUILTINS list that is already maintained in the babel transformer.
Report errors during the build process if modules are referred that are stubbed out (later on we could maybe error on that)
Reviewed By: aigoncharov
Differential Revision: D33020243
fbshipit-source-id: 3ce13b0049664b5fb19c1f45f0b33c1d7fdbea4c
Summary: Removed process, adbkit and electron usages that were still remaining. Verified changes by disabling the built-in module stubbing (will be cleaned up further later in this stack).
Reviewed By: aigoncharov
Differential Revision: D33019083
fbshipit-source-id: 8bfce31f4b5ed349cb4fd86d34c9b41b9b8b8360
Summary: Run doctor checks remained pending when the socket disonnected during a check. This
Reviewed By: aigoncharov
Differential Revision: D32984539
fbshipit-source-id: 277005e78803afaaa220cc5ca7fdc9cca6254453
Summary: This diffs adds debugging support to flipper server, by adding VSCode config for it
Reviewed By: timur-valiev, aigoncharov
Differential Revision: D32982874
fbshipit-source-id: 8e187ad05a05566a598db04b97e8b08e3de7e835
Summary:
The build process for the server was a simple ts-node that compiled all deps. However, that didn't do any source transformations we need, like replacing `fb-stubs` with `fb` in facebook builds.
This diff works out the dev build process to align more with how other parts of the code base is build, by starting metro to build and bundle the server (only the sources of flipper-server, flipper-server-core and other flipper packages are bundled, node-deps are left as is).
To achieve this, since metro doesn't have support for 'external' packages like any arbitrarily other bundler, we recycle the electronRequire work around that is used in the desktop app as well
Reviewed By: aigoncharov
Differential Revision: D32949677
fbshipit-source-id: 00d326bb17b68aece6fb43af98d0def13b335e74
Summary:
I was running flipper-server on a fresh machine without Flipper installed and discovered that reading / writing settings failed since `~/.flipper` wasn't existing, due to using `access` instead of `pathExists`.
Added a warning about needing to restart the server after making changes, since that is tricky to do from the UI.
Fixed an issue in the settings screen, which would fs.stat as part of rendering, causing the Settings UI not to load.
Reviewed By: timur-valiev, aigoncharov
Differential Revision: D32984538
fbshipit-source-id: 2b2011ad9d84c72ac824d92a8c96f636237b8771
Summary: This diff stubs all node modules when running in the browser, so that, albeit with a lot of errors and without plugins, the UI loads in a browser. To be continued in the rest of this diff
Reviewed By: antonk52
Differential Revision: D32665705
fbshipit-source-id: 4632e241f59c5b9712a41d01a26878afb01f69b5
Summary: Introduced an API that converts a filepath, relatively to the `desktop/static/` folder in a url that can be resolved by the render environment. This will generate `file://` urls in Electron, and root relative `/` urls in browser envs
Reviewed By: aigoncharov
Differential Revision: D32767427
fbshipit-source-id: 378da7709bcb19449873358a8703b9c5a5809c57
Summary: This diff makes most stuff that is read from the `os` package, and version info etc available from the `serverConfig` object, so that flipper-ui-core no longer needs the `os` package.
Reviewed By: passy
Differential Revision: D32694848
fbshipit-source-id: 93af1e95d898da9aaf351a6970b5a7652ee835c8
Summary: This diff makes plugin loading async, which we'd need in a browser env (either because we'd use `import()` or we need to fetch the source and than eval it), and deals with all the fallout of that
Reviewed By: timur-valiev
Differential Revision: D32669995
fbshipit-source-id: 73babf38a6757c451b8200c3b320409f127b8b5b
Summary:
This diff sets up the socket connection between flipper-browser and flipper-server, and verifies that the initial UI initialisation work (e.g. `get-config` command works). The initial RenderHost is initialised as well based on the config and browser APIs.
Note that flipper-ui-core itself isn't started yet, as that has still a plethora of node imports, so Metro will correctly refuse to bundle
Not in this diff
* remove Node usage from flipper-ui-core
* implement all RenderHost APIs
Reviewed By: aigoncharov
Differential Revision: D32644074
fbshipit-source-id: 2c8065caf0191771a3867b69a431ca50eeb7a5a3
Summary:
This sets up the metro bundler for flipper-server, to be able to serve the front end.
Note that this is a setup that is only relevant for development purposes
Done in this diff:
* setup metro
* setup fast refresh
* setup nodemon to be able to refresh on server changes
Not done in this diff
* Setup FlipperServerImpl in the flipper-server
* Load flipper-ui-core in flipper-ui-browser
* Load plugins
* Support options, env vars etc etc
* Make flipper-server stand alone (it is largely self contained, but still requires some static resources like theming)
Reviewed By: passy, aigoncharov
Differential Revision: D32626137
fbshipit-source-id: 47f580356ddf0993392d3b583082b187661727e9
Summary:
This diff introduces the packages necessary for Flipper decapitated.
* flipper-common: utilities & types shared between client, server, flipper-plugin
* flipper-server-core: all device & client management goes in here. Basically flipper's backend
* flipper-ui-core: all UI goes in here, as far as it doesn't depend on Electron
* desktop: the Electron app, will load server-core and ui-core, and glue them together, providing implementations for some electron specific stuff like dialgos
* flipper-server: A node process hosting flipper-server-core, that can be connected to over websockets. And probably can serve a browser version of the UI as well.
* flipper-ui-browser: thin wrapper around flipper-ui-core, providing some browser specific behavior / stubs.
* flipper-dump: (might remove later), but want to hack a quick and dirt flipper dump in here, as alternative way to test flipper-server-core.
This diff just creates the packages, but doesn't move any code, so it can be summarized as:
restoftheowl
Reviewed By: nikoant
Differential Revision: D30218646
fbshipit-source-id: 735598a1261a98e584f52504b5eba01ec0afa162
