Authenticate requests between components

Use a randomly generated token to authenticate requests to the server for all
endpoints, including WebSockets.  The token is passed to the node server via
STDIN, which should sufficiently prevent eavesdropping.

Author: execjosh

Uebersicht/UBAppDelegate.m

@@ -32,10 +32,13 @@ @implementation UBAppDelegate {
     UBWidgetsStore* widgetsStore;
     UBWidgetsController* widgetsController;
     BOOL needsRefresh;
+    NSString *token;
 }
 
 @synthesize statusBarMenu;
 
+static const uint TOKEN_LENGTH_256_BITS = 32;
+
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
 {
     needsRefresh = YES;
@@ -104,24 +107,49 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
 
     // start server and load webview
     portOffset = 0;
+    token = generateToken(TOKEN_LENGTH_256_BITS);
     [self startUp];
 
     [self listenToWallpaperChanges];
 }
 
-- (NSDictionary*)fetchState
+- (void)fetchState:(void (^)(NSDictionary*))callback
 {
-    [[UBWebSocket sharedSocket] open:[self serverUrl:@"ws"]];
+    [[UBWebSocket sharedSocket] open:[self serverUrl:@"ws"]
+                               token:token];
+
     NSURL *urlPath = [[self serverUrl:@"http"] URLByAppendingPathComponent: @"state/"];
-    NSData *jsonData = [NSData dataWithContentsOfURL:urlPath];
-    NSError *error = nil;
-    NSDictionary *dataDictionary = [NSJSONSerialization
-        JSONObjectWithData: jsonData
-        options: NSJSONReadingMutableContainers
-        error: &error
-    ];
-    if (error) NSLog(@"%@", error);
-    return dataDictionary;
+    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:urlPath];
+    [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
+    [request setValue:[NSString stringWithFormat:@"token=%@", token] forHTTPHeaderField:@"Cookie"];
+    NSURLSessionDataTask *t = [[NSURLSession sharedSession] dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+        if (error) {
+            NSLog(@"error loading state: %@", error);
+            dispatch_async(dispatch_get_main_queue(), ^{
+                callback(@{});
+            });
+            return;
+        }
+
+        NSError *jsonError = nil;
+        NSDictionary *dataDictionary = [NSJSONSerialization
+            JSONObjectWithData: data
+            options: NSJSONReadingMutableContainers
+            error: &jsonError
+        ];
+        if (jsonError) {
+            NSLog(@"error parsing state: %@", error);
+            dispatch_async(dispatch_get_main_queue(), ^{
+                callback(@{});
+            });
+            return;
+        }
+
+        dispatch_async(dispatch_get_main_queue(), ^{
+            callback(dataDictionary);
+        });
+    }];
+    [t resume];
 }
 
 - (void)startUp
@@ -132,10 +160,11 @@ - (void)startUp
     void (^handleData)(NSString*) = ^(NSString* output) {
         // note that these might be called several times
         if ([output rangeOfString:@"server started"].location != NSNotFound) {
-            [self->widgetsStore reset: [self fetchState]];
-            // this will trigger a render
-            [self->screensController syncScreens:self];
-
+            [self fetchState:^(NSDictionary* state) {
+                [self->widgetsStore reset: state];
+                // this will trigger a render
+                [self->screensController syncScreens:self];
+            }];
         } else if ([output rangeOfString:@"EADDRINUSE"].location != NSNotFound) {
             self->portOffset++;
         }
@@ -216,6 +245,20 @@ - (NSTask*)launchWidgetServer:(NSString*)widgetPath
 
     NSTask *task = [[NSTask alloc] init];
 
+    NSError *secretsErr = NULL;
+    NSData *secrets = [NSJSONSerialization dataWithJSONObject:@{
+        @"token": token,
+    } options:0 error:&secretsErr];
+    if (!secrets) {
+        NSLog(@"ERROR: %@", secretsErr);
+        return NULL;
+    }
+    NSPipe *inPipe = [NSPipe pipe];
+    NSFileHandle *fh = [inPipe fileHandleForWriting];
+    [fh writeData:secrets];
+    [fh closeFile];
+    [task setStandardInput:inPipe];
+
     [task setStandardOutput:[NSPipe pipe]];
     [task.standardOutput fileHandleForReading].readabilityHandler = ^(NSFileHandle *handle) {
         NSData *output = [handle availableData];
@@ -285,6 +328,7 @@ - (void)screensChanged:(NSDictionary*)screens
         [windowsController
             updateWindows:screens
             baseUrl: [self serverUrl: @"http"]
+            token:token
             interactionEnabled: preferences.enableInteraction
             forceRefresh: needsRefresh
         ];
@@ -444,6 +488,29 @@ void wallpaperSettingsChanged(
     }
 }
 
+/*!
+    @function generateToken
+
+    @abstract
+    Returns a base64-encoded @p NSString* of specified number of random bytes.
+
+    @param length
+    A reasonably large, non-zero number representing the length in bytes.
+    For example, a value of 32 would generate a 256-bit token.
+
+    @result Returns @p NSString* on success; panics on failure.
+*/
+NSString* generateToken(uint length) {
+    UInt8 buf[length];
+
+    int error = SecRandomCopyBytes(kSecRandomDefault, length, &buf);
+    if (error != errSecSuccess) {
+        panic("failed to generate token");
+    }
+
+    return [[NSData dataWithBytes:buf length:length] base64EncodedStringWithOptions:0];
+}
+
 #
 # pragma mark script support
 #

Uebersicht/UBWebSocket.h

@@ -12,7 +12,8 @@
 @interface UBWebSocket : NSObject <SRWebSocketDelegate>
 
 + (id)sharedSocket;
-- (void)open:(NSURL*)aUrl;
+- (void)open:(NSURL*)aUrl
+       token:(NSString*)aToken;
 - (void)close;
 - (void)send:(id)message;
 - (void)listen:(void (^)(id))listener;

Uebersicht/UBWebSocket.m

@@ -13,6 +13,7 @@ @implementation UBWebSocket {
     NSMutableArray* queuedMessages;
     SRWebSocket* ws;
     NSURL* url;
+    NSString *token;
 }
 
 
@@ -49,16 +50,26 @@ - (void)listen:(void (^)(id))listener
 }
 
 - (void)open:(NSURL*)aUrl
+       token:(NSString*)aToken
 {
     if (ws) {
         return;
     }
 
+    token = aToken;
     url = aUrl;
     NSMutableURLRequest* request = [NSMutableURLRequest requestWithURL:url];
     [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
     ws = [[SRWebSocket alloc] initWithURLRequest: request];
     ws.delegate = self;
+    ws.requestCookies = @[
+        [NSHTTPCookie cookieWithProperties:@{
+            NSHTTPCookieDomain: url.host,
+            NSHTTPCookiePath: @"/",
+            NSHTTPCookieName: @"token",
+            NSHTTPCookieValue: token,
+        }],
+    ];
     [ws open];
 }
 
@@ -76,7 +87,8 @@ - (void)reopen
 {
     [self close];
     if (url) {
-        [self open:url];
+        [self open:url
+             token:token];
     }
 }
 

Uebersicht/UBWebViewController.h

@@ -15,6 +15,7 @@
 
 - (id)initWithFrame:(NSRect)frame;
 - (void)load:(NSURL*)url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)redraw;
 - (void)destroy;

Uebersicht/UBWebViewController.m

@@ -14,6 +14,7 @@
 
 @implementation UBWebViewController {
     NSURL* url;
+    NSString *token;
 }
 
 @synthesize view;
@@ -44,7 +45,14 @@ - (void)load:(NSURL*)newUrl
         default:
             break;
     }
-    [(WKWebView*)view loadRequest:[NSURLRequest requestWithURL: url]];
+    NSMutableURLRequest* request = [NSMutableURLRequest requestWithURL:url];
+    [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
+    [(WKWebView*)view loadRequest:request];
+}
+
+- (void)setToken:(NSString*)newToken
+{
+    token = newToken;
 }
 
 - (void)reload
@@ -173,15 +181,23 @@ - (void)webView:(WKWebView *)sender
     [self handleWebviewLoadError:error];
 }
 
-
 - (void)webView: (WKWebView *)theWebView
     decidePolicyForNavigationAction: (WKNavigationAction*)action
     decisionHandler: (void (^)(WKNavigationActionPolicy))handler
 {
     if (!action.targetFrame.mainFrame) {
         handler(WKNavigationActionPolicyAllow);
     } else if ([action.request.URL isEqual: url]) {
-        handler(WKNavigationActionPolicyAllow);
+        NSHTTPCookie *c = [NSHTTPCookie cookieWithProperties:@{
+            NSHTTPCookieDomain: url.host,
+            NSHTTPCookiePath: @"/",
+            NSHTTPCookieName: @"token",
+            NSHTTPCookieValue: token,
+            @"HttpOnly": @"TRUE",
+        }];
+        [theWebView.configuration.websiteDataStore.httpCookieStore setCookie:c completionHandler:^{
+            handler(WKNavigationActionPolicyAllow);
+        }];
     } else if (action.navigationType == WKNavigationTypeLinkActivated) {
         [[NSWorkspace sharedWorkspace] openURL:action.request.URL];
         handler(WKNavigationActionPolicyCancel);

Uebersicht/UBWindow.h

@@ -26,6 +26,7 @@ typedef NS_ENUM(NSInteger, UBWindowType) {
 
 - (id)initWithWindowType:(UBWindowType)type;
 - (void)loadUrl:(NSURL*)url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)workspaceChanged;
 - (void)wallpaperChanged;

Uebersicht/UBWindow.m

@@ -62,6 +62,11 @@ - (void)loadUrl:(NSURL*)url
     [webViewController load:url];
 }
 
+- (void)setToken:(NSString*)token
+{
+    [webViewController setToken:token];
+}
+
 - (void)reload
 {
     [webViewController reload];

Uebersicht/UBWindowGroup.h

@@ -18,6 +18,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (id)initWithInteractionEnabled:(BOOL)interactionEnabled;
 - (void)loadUrl:(NSURL*)Url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)close;
 - (void)setFrame:(NSRect)frame display:(BOOL)flag;

Uebersicht/UBWindowGroup.m

@@ -54,6 +54,12 @@ - (void)loadUrl:(NSURL*)url
     [background loadUrl: url];
 }
 
+- (void)setToken:(NSString*)token
+{
+    [foreground setToken:token];
+    [background setToken:token];
+}
+
 - (void)setFrame:(NSRect)frame display:(BOOL)flag
 {
     [foreground setFrame:frame display:flag];

Uebersicht/UBWindowsController.h

@@ -15,6 +15,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (void)updateWindows:(NSDictionary*)screens
               baseUrl:(NSURL*)baseUrl
+                token:(NSString*)token
    interactionEnabled:(Boolean)interactionEnabled
          forceRefresh:(Boolean)forceRefresh;
 

Uebersicht/UBWindowsController.m

@@ -31,6 +31,7 @@ - (id)init
 
 - (void)updateWindows:(NSDictionary*)screens
               baseUrl:(NSURL*)baseUrl
+                token:(NSString*)token
    interactionEnabled:(Boolean)interactionEnabled
          forceRefresh:(Boolean)forceRefresh
 {
@@ -43,6 +44,7 @@ - (void)updateWindows:(NSDictionary*)screens
                 initWithInteractionEnabled: interactionEnabled
             ];
             [windows setObject:windowGroup forKey:screenId];
+            [windowGroup setToken:token];
             [windowGroup loadUrl: [self screenUrl:screenId baseUrl:baseUrl]];
         } else {
             windowGroup = windows[screenId];

server/server.coffee

@@ -2,15 +2,18 @@ parseArgs = require 'minimist'
 UebersichtServer = require './src/app.coffee'
 cors_proxy = require 'cors-anywhere'
 path = require 'path'
+fs = require 'fs'
 
 handleError = (err) ->
   console.log(err.message || err)
   throw err
 
 try
+  secrets = JSON.parse fs.readFileSync(process.stdin.fd, 'utf-8')
   args = parseArgs process.argv.slice(2)
   widgetPath = path.resolve(__dirname, args.d ? args.dir  ? './widgets')
   port = args.p ? args.port ? 41416
+  token = secrets.token ? "0987654321" # TODO check not empty
   settingsPath = path.resolve(__dirname, args.s ? args.settings ? './settings')
   publicPath = path.resolve(__dirname, './public')
   options =
@@ -21,6 +24,7 @@ try
     widgetPath,
     settingsPath,
     publicPath,
+    token,
     options,
     -> console.log 'server started on port', port
   )

server/src/SharedSocket.js

@@ -27,8 +27,8 @@ function handleError(err) {
   console.error(err);
 }
 
-exports.open = function open(url) {
-  ws = new WebSocket(url, ['ws'], {origin: 'Übersicht'});
+exports.open = function open(url, token) {
+  ws = new WebSocket(url, ['ws'], {origin: 'Übersicht', headers:{cookie:`token=${token}`}});
 
   if (ws.on) {
     ws.on('open', handleWSOpen);
@@ -63,4 +63,3 @@ exports.onOpen = function onOpen(listener) {
 exports.send = function send(data) {
   ws.send(data);
 };
-