Files

Lorenzo Blasa 238f40f55d Mandate auth token to connect over TCP

Summary:
Until now, launching flipper-server with TCP would accept any incoming connection as long as it comes from the same origin (localhost) using web socket host origin verification.

This is not entirely secure as origin can be spoofed with tools like curl.

Our team created a security review and a proposal was written:
https://docs.google.com/document/d/16iXypCQibPiner061SoaQUFUY9tLVAEpkKfV_hUXI7c/

Effectively, Flipper can generate a token which is then used by the client to authenticate.

This diff contains the changes required to generate, obtain, and validate authentication tokens from clients connecting to flipper over TCP connections.

The token itself is a JWT token. JWT was chosen because it is a simple industry standard which offers three features which can immediately benefit us:

- Expiration handling. No need for Flipper to store this information anywhere.
- Payload. Payload can be used to push any data we deem relevant i.e. unix username.
- Signing. Signed and verified using the same server key pair which is already in place for certificate exchange.

Additionally, the token is stored in the Flipper static folder. This ensures that the browser and PWA clients have access to it.

Reviewed By: mweststrate

Differential Revision: D45179654

fbshipit-source-id: 6761bcb24f4ba30b67d1511cde8fe875158d78af

2023-05-05 07:52:13 -07:00

.vscode

Add config for vscode-jest extension

2022-07-07 07:50:14 -07:00

app

Bump react-refresh from 0.11.0 to 0.14.0 in /desktop (#4540 )

2023-03-24 04:04:16 -07:00

babel-transformer

Bump @emotion/babel-plugin from 11.10.2 to 11.10.6 in /desktop (#4554 )

2023-03-24 04:04:16 -07:00

doctor

Dep bump

2023-01-25 04:35:09 -08:00

eslint-plugin-flipper

Allow relative import from package root inside of top-level fb folder

2023-03-28 02:16:43 -07:00

eslint-rules

Update copyright headers from Facebook to Meta

2021-12-27 14:31:45 -08:00

examples

Prepare flipper-headless-demo for publishing

2022-05-23 08:06:18 -07:00

flipper-common

Pipe through --updater/--no-updater flag for flipper.exe (#4277 )

2022-11-15 03:23:55 -08:00

flipper-dump

Dep bump

2023-01-25 04:35:09 -08:00

flipper-frontend-core

Don't die on timeout on fetching plugins

2023-04-06 03:20:42 -07:00

flipper-plugin

Make fliters non-exclusive

2023-04-28 12:19:45 -07:00

flipper-plugin-core

Make DataView report window changes

2023-04-06 10:10:34 -07:00

flipper-server

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

flipper-server-client

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

flipper-server-companion

Expose isConnected and currentUser

2023-04-04 05:26:31 -07:00

flipper-server-core

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

flipper-ui-browser

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

flipper-ui-core

Demote unhelpful "Network Error" from axios to warning

2023-04-17 05:06:50 -07:00

patches

Fix node-fetch bundling

2022-05-30 03:41:33 -07:00

pkg

Back out "Bump @oclif/command from 1.8.16 to 1.8.22 in /desktop"

2023-03-24 06:13:54 -07:00

pkg-lib

Bump metro-minify-terser from 0.70.2 to 0.75.0 in /desktop (#4493 )

2023-02-09 03:22:18 -08:00

plugin-lib

Bump algoliasearch from 4.13.0 to 4.14.3 in /desktop (#4521 )

2023-02-16 06:33:32 -08:00

plugins

Remove focus mode when frame no longer contains previously focused mode

2023-05-03 06:24:07 -07:00

scripts

Revamp newScript detailed view

2023-04-28 12:19:45 -07:00

static

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

test-utils

Rename first batch for '.ts' files to '.tsx' in doctor, static and test-utils

2022-01-28 08:32:19 -08:00

themes

Revert adding ui-debugger css into the main bundle

2022-10-26 06:30:55 -07:00

tsc-root

Create flipper-server-client package

2022-10-31 04:26:43 -07:00

types

Remove babel transforms for flipper-server

2022-09-15 10:02:19 -07:00

.eslintignore

Remove default plugin entrypoints for hot-reloading

2022-09-15 10:02:19 -07:00

.eslintrc.js

Configure eslint to prevent imports from nested paths of externally provided modules

2022-09-26 09:42:33 -07:00

.gitignore

Remove default plugin entrypoints for hot-reloading

2022-09-15 10:02:19 -07:00

.npmignore

Move desktop-related code to "desktop" subfolder (#872 )

2020-03-14 14:35:17 -07:00

.npmrc

setup engines to stop people from using npm

2022-06-15 07:37:54 -07:00

.prettierrc.json

Upgrade prettier rules

2021-09-27 08:25:20 -07:00

.yarnrc

Move desktop-related code to "desktop" subfolder (#872 )

2020-03-14 14:35:17 -07:00

jest.config.js

Revamp newScript detailed view

2023-04-28 12:19:45 -07:00

jest.resolver.js

Update copyright headers from Facebook to Meta

2021-12-27 14:31:45 -08:00

package.json

Flipper Release: v0.190.0

2023-04-26 05:30:21 -07:00

README.md

Set up Flipper decapitated packages

2021-10-08 01:33:03 -07:00

ts-node

Update copyright headers from Facebook to Meta

2021-12-27 14:31:45 -08:00

ts-node.cmd

Update copyright headers from Facebook to Meta

2021-12-27 14:31:45 -08:00

tsconfig.base.json

do not strip comments with tsc

2023-03-29 06:19:26 -07:00

tsconfig.json

Clean up flipper-ui-core deps

2021-12-17 10:04:23 -08:00

yarn.flipper-server.lock

Fix flipper server prod build

2022-09-15 10:02:19 -07:00

yarn.lock

Mandate auth token to connect over TCP

2023-05-05 07:52:13 -07:00

README.md

Flipper Desktop

This folder contains everything to run the Flipper 'Desktop', that is, the UI which you use to interact with the device / app under debug.

Packages provided here:

flipper-common: utilities & types shared between client, server, flipper-plugin
flipper-server-core: all device & client management goes in here. Basically flipper's backend
flipper-ui-core: all UI goes in here, as far as it doesn't depend on Electron
flipper-ui-electron: the Electron app, will load server-core and ui-core, and glue them together, providing implementations for some electron * specific stuff like dialgos
flipper-server: A node process hosting flipper-server-core, that can be connected to over websockets. And probably can serve a browser version of the UI as well.
flipper-ui-browser: thin wrapper around flipper-ui-core, providing some browser specific behavior / stubs.
flipper-dump: (might remove later), but want to hack a quick and dirt flipper dump in here, as alternative way to test flipper-server-core.
flipper-plugin: The flipper SDK used by plugins. Exposes all API's that can be used by plugins
pkg: CLI tool to manage building flipper plugins
pkg-lib
plugin-lib
babel-transformer
doctor
eslint-plugin-flipper

Packages overview

flipper-ui-electron:
   - flipper-server-core (directly embedded)
   - flipper-ui-core
       - plugins (prebundled)
   - plugins (installable)
       - flipper-plugin

flipper-server
   - flipper-server-core
   - flipper-ui-browser (served by webserver)
       - flipper-ui-core (communicates using WebSocket with server-core)
           - plugins (prebundled)
   - plugins (installable)?

flipper-dump
   - flipper-server-core