Summary:
For Electron builds, use the same directory as certificates and keys.
For headless builds, then use the static directory.
Reviewed By: antonk52
Differential Revision: D45728515
fbshipit-source-id: 55a3b143a9289fed23e57cbf6b701a5e48d27332
Summary:
Until now, launching flipper-server with TCP would accept any incoming connection as long as it comes from the same origin (localhost) using web socket host origin verification.
This is not entirely secure as origin can be spoofed with tools like curl.
Our team created a security review and a proposal was written:
https://docs.google.com/document/d/16iXypCQibPiner061SoaQUFUY9tLVAEpkKfV_hUXI7c/
Effectively, Flipper can generate a token which is then used by the client to authenticate.
This diff contains the changes required to generate, obtain, and validate authentication tokens from clients connecting to flipper over TCP connections.
The token itself is a JWT token. JWT was chosen because it is a simple industry standard which offers three features which can immediately benefit us:
- Expiration handling. No need for Flipper to store this information anywhere.
- Payload. Payload can be used to push any data we deem relevant i.e. unix username.
- Signing. Signed and verified using the same server key pair which is already in place for certificate exchange.
Additionally, the token is stored in the Flipper static folder. This ensures that the browser and PWA clients have access to it.
Reviewed By: mweststrate
Differential Revision: D45179654
fbshipit-source-id: 6761bcb24f4ba30b67d1511cde8fe875158d78af
Summary: We have several folders Flipper uses that sometimes we forget to create before Flipper starts. With this diff we have a single place to initialise the necessary folder structure.
Reviewed By: lblasa
Differential Revision: D37036601
fbshipit-source-id: f945f2bfdfc6be24ba87bd4b13c7fcef3fd74451
