Authenticate requests between components

Use a randomly generated token to authenticate requests to the server for all
endpoints, including WebSockets.  This can be circumvented by inspecting the
command line of the process to discover the token; however, it is better than
nothing.

Author: execjosh

Uebersicht/UBAppDelegate.m

@@ -32,10 +32,13 @@ @implementation UBAppDelegate {
     UBWidgetsStore* widgetsStore;
     UBWidgetsController* widgetsController;
     BOOL needsRefresh;
+    NSString *token;
 }
 
 @synthesize statusBarMenu;
 
+static const uint TOKEN_LENGTH_256_BITS = 32;
+
 - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
 {
     needsRefresh = YES;
@@ -104,24 +107,49 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification
 
     // start server and load webview
     portOffset = 0;
+    token = generateToken(TOKEN_LENGTH_256_BITS);
     [self startUp];
 
     [self listenToWallpaperChanges];
 }
 
-- (NSDictionary*)fetchState
+- (void)fetchState:(void (^)(NSDictionary*))callback
 {
-    [[UBWebSocket sharedSocket] open:[self serverUrl:@"ws"]];
+    [[UBWebSocket sharedSocket] open:[self serverUrl:@"ws"]
+                               token:token];
+
     NSURL *urlPath = [[self serverUrl:@"http"] URLByAppendingPathComponent: @"state/"];
-    NSData *jsonData = [NSData dataWithContentsOfURL:urlPath];
-    NSError *error = nil;
-    NSDictionary *dataDictionary = [NSJSONSerialization
-        JSONObjectWithData: jsonData
-        options: NSJSONReadingMutableContainers
-        error: &error
-    ];
-    if (error) NSLog(@"%@", error);
-    return dataDictionary;
+    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:urlPath];
+    [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
+    [request setValue:[NSString stringWithFormat:@"token=%@", token] forHTTPHeaderField:@"Cookie"];
+    NSURLSessionDataTask *t = [[NSURLSession sharedSession] dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+        if (error) {
+            NSLog(@"error loading state: %@", error);
+            dispatch_async(dispatch_get_main_queue(), ^{
+                callback(@{});
+            });
+            return;
+        }
+
+        NSError *jsonError = nil;
+        NSDictionary *dataDictionary = [NSJSONSerialization
+            JSONObjectWithData: data
+            options: NSJSONReadingMutableContainers
+            error: &jsonError
+        ];
+        if (jsonError) {
+            NSLog(@"error parsing state: %@", error);
+            dispatch_async(dispatch_get_main_queue(), ^{
+                callback(@{});
+            });
+            return;
+        }
+
+        dispatch_async(dispatch_get_main_queue(), ^{
+            callback(dataDictionary);
+        });
+    }];
+    [t resume];
 }
 
 - (void)startUp
@@ -132,10 +160,11 @@ - (void)startUp
     void (^handleData)(NSString*) = ^(NSString* output) {
         // note that these might be called several times
         if ([output rangeOfString:@"server started"].location != NSNotFound) {
-            [self->widgetsStore reset: [self fetchState]];
-            // this will trigger a render
-            [self->screensController syncScreens:self];
-
+            [self fetchState:^(NSDictionary* state) {
+                [self->widgetsStore reset: state];
+                // this will trigger a render
+                [self->screensController syncScreens:self];
+            }];
         } else if ([output rangeOfString:@"EADDRINUSE"].location != NSNotFound) {
             self->portOffset++;
         }
@@ -243,6 +272,7 @@ - (NSTask*)launchWidgetServer:(NSString*)widgetPath
         @"-d", widgetPath,
         @"-p", [NSString stringWithFormat:@"%d", PORT + portOffset],
         @"-s", [[self getPreferencesDir] path],
+        @"-t", token,
         loginShell ? @"--login-shell" : @""
     ]];
 
@@ -285,6 +315,7 @@ - (void)screensChanged:(NSDictionary*)screens
         [windowsController
             updateWindows:screens
             baseUrl: [self serverUrl: @"http"]
+            token:token
             interactionEnabled: preferences.enableInteraction
             forceRefresh: needsRefresh
         ];
@@ -444,6 +475,29 @@ void wallpaperSettingsChanged(
     }
 }
 
+/*!
+    @function generateToken
+
+    @abstract
+    Returns a base64-encoded @p NSString* of specified number of random bytes.
+
+    @param length
+    A reasonably large, non-zero number representing the length in bytes.
+    For example, a value of 32 would generate a 256-bit token.
+
+    @result Returns @p NSString* on success; panics on failure.
+*/
+NSString* generateToken(uint length) {
+    UInt8 buf[length];
+
+    int error = SecRandomCopyBytes(kSecRandomDefault, length, &buf);
+    if (error != errSecSuccess) {
+        panic("failed to generate token");
+    }
+
+    return [[NSData dataWithBytes:buf length:length] base64EncodedStringWithOptions:0];
+}
+
 #
 # pragma mark script support
 #

Uebersicht/UBWebSocket.h

@@ -12,7 +12,8 @@
 @interface UBWebSocket : NSObject <SRWebSocketDelegate>
 
 + (id)sharedSocket;
-- (void)open:(NSURL*)aUrl;
+- (void)open:(NSURL*)aUrl
+       token:(NSString*)aToken;
 - (void)close;
 - (void)send:(id)message;
 - (void)listen:(void (^)(id))listener;

Uebersicht/UBWebSocket.m

@@ -13,6 +13,7 @@ @implementation UBWebSocket {
     NSMutableArray* queuedMessages;
     SRWebSocket* ws;
     NSURL* url;
+    NSString *token;
 }
 
 
@@ -49,16 +50,26 @@ - (void)listen:(void (^)(id))listener
 }
 
 - (void)open:(NSURL*)aUrl
+       token:(NSString*)aToken
 {
     if (ws) {
         return;
     }
 
+    token = aToken;
     url = aUrl;
     NSMutableURLRequest* request = [NSMutableURLRequest requestWithURL:url];
     [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
     ws = [[SRWebSocket alloc] initWithURLRequest: request];
     ws.delegate = self;
+    ws.requestCookies = @[
+        [NSHTTPCookie cookieWithProperties:@{
+            NSHTTPCookieDomain: url.host,
+            NSHTTPCookiePath: @"/",
+            NSHTTPCookieName: @"token",
+            NSHTTPCookieValue: token,
+        }],
+    ];
     [ws open];
 }
 
@@ -76,7 +87,8 @@ - (void)reopen
 {
     [self close];
     if (url) {
-        [self open:url];
+        [self open:url
+             token:token];
     }
 }
 

Uebersicht/UBWebViewController.h

@@ -15,6 +15,7 @@
 
 - (id)initWithFrame:(NSRect)frame;
 - (void)load:(NSURL*)url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)redraw;
 - (void)destroy;

Uebersicht/UBWebViewController.m

@@ -14,6 +14,7 @@
 
 @implementation UBWebViewController {
     NSURL* url;
+    NSString *token;
 }
 
 @synthesize view;
@@ -44,7 +45,14 @@ - (void)load:(NSURL*)newUrl
         default:
             break;
     }
-    [(WKWebView*)view loadRequest:[NSURLRequest requestWithURL: url]];
+    NSMutableURLRequest* request = [NSMutableURLRequest requestWithURL:url];
+    [request setValue:@"Übersicht" forHTTPHeaderField:@"Origin"];
+    [(WKWebView*)view loadRequest:request];
+}
+
+- (void)setToken:(NSString*)newToken
+{
+    token = newToken;
 }
 
 - (void)reload
@@ -173,15 +181,22 @@ - (void)webView:(WKWebView *)sender
     [self handleWebviewLoadError:error];
 }
 
-
 - (void)webView: (WKWebView *)theWebView
     decidePolicyForNavigationAction: (WKNavigationAction*)action
     decisionHandler: (void (^)(WKNavigationActionPolicy))handler
 {
     if (!action.targetFrame.mainFrame) {
         handler(WKNavigationActionPolicyAllow);
     } else if ([action.request.URL isEqual: url]) {
-        handler(WKNavigationActionPolicyAllow);
+        NSHTTPCookie *c = [NSHTTPCookie cookieWithProperties:@{
+            NSHTTPCookieDomain: url.host,
+            NSHTTPCookiePath: @"/",
+            NSHTTPCookieName: @"token",
+            NSHTTPCookieValue: token,
+        }];
+        [theWebView.configuration.websiteDataStore.httpCookieStore setCookie:c completionHandler:^{
+            handler(WKNavigationActionPolicyAllow);
+        }];
     } else if (action.navigationType == WKNavigationTypeLinkActivated) {
         [[NSWorkspace sharedWorkspace] openURL:action.request.URL];
         handler(WKNavigationActionPolicyCancel);

Uebersicht/UBWindow.h

@@ -26,6 +26,7 @@ typedef NS_ENUM(NSInteger, UBWindowType) {
 
 - (id)initWithWindowType:(UBWindowType)type;
 - (void)loadUrl:(NSURL*)url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)workspaceChanged;
 - (void)wallpaperChanged;

Uebersicht/UBWindow.m

@@ -62,6 +62,11 @@ - (void)loadUrl:(NSURL*)url
     [webViewController load:url];
 }
 
+- (void)setToken:(NSString*)token
+{
+    [webViewController setToken:token];
+}
+
 - (void)reload
 {
     [webViewController reload];

Uebersicht/UBWindowGroup.h

@@ -18,6 +18,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (id)initWithInteractionEnabled:(BOOL)interactionEnabled;
 - (void)loadUrl:(NSURL*)Url;
+- (void)setToken:(NSString*)token;
 - (void)reload;
 - (void)close;
 - (void)setFrame:(NSRect)frame display:(BOOL)flag;

Uebersicht/UBWindowGroup.m

@@ -54,6 +54,12 @@ - (void)loadUrl:(NSURL*)url
     [background loadUrl: url];
 }
 
+- (void)setToken:(NSString*)token
+{
+    [foreground setToken:token];
+    [background setToken:token];
+}
+
 - (void)setFrame:(NSRect)frame display:(BOOL)flag
 {
     [foreground setFrame:frame display:flag];

Uebersicht/UBWindowsController.h

@@ -15,6 +15,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (void)updateWindows:(NSDictionary*)screens
               baseUrl:(NSURL*)baseUrl
+                token:(NSString*)token
    interactionEnabled:(Boolean)interactionEnabled
          forceRefresh:(Boolean)forceRefresh;
 

Uebersicht/UBWindowsController.m

@@ -31,6 +31,7 @@ - (id)init
 
 - (void)updateWindows:(NSDictionary*)screens
               baseUrl:(NSURL*)baseUrl
+                token:(NSString*)token
    interactionEnabled:(Boolean)interactionEnabled
          forceRefresh:(Boolean)forceRefresh
 {
@@ -43,6 +44,7 @@ - (void)updateWindows:(NSDictionary*)screens
                 initWithInteractionEnabled: interactionEnabled
             ];
             [windows setObject:windowGroup forKey:screenId];
+            [windowGroup setToken:token];
             [windowGroup loadUrl: [self screenUrl:screenId baseUrl:baseUrl]];
         } else {
             windowGroup = windows[screenId];

server/server.coffee

@@ -11,6 +11,7 @@ try
   args = parseArgs process.argv.slice(2)
   widgetPath = path.resolve(__dirname, args.d ? args.dir  ? './widgets')
   port = args.p ? args.port ? 41416
+  token = "#{args.t}" ? "0987654321" # TODO random generation, check not empty
   settingsPath = path.resolve(__dirname, args.s ? args.settings ? './settings')
   publicPath = path.resolve(__dirname, './public')
   options =
@@ -21,6 +22,7 @@ try
     widgetPath,
     settingsPath,
     publicPath,
+    token,
     options,
     -> console.log 'server started on port', port
   )

server/src/SharedSocket.js

@@ -27,8 +27,8 @@ function handleError(err) {
   console.error(err);
 }
 
-exports.open = function open(url) {
-  ws = new WebSocket(url, ['ws'], {origin: 'Übersicht'});
+exports.open = function open(url, token) {
+  ws = new WebSocket(url, ['ws'], {origin: 'Übersicht', headers:{cookie:`token=${token}`}});
 
   if (ws.on) {
     ws.on('open', handleWSOpen);
@@ -63,4 +63,3 @@ exports.onOpen = function onOpen(listener) {
 exports.send = function send(data) {
   ws.send(data);
 };
-

server/src/app.coffee

@@ -11,6 +11,8 @@ WidgetBundler = require('./WidgetBundler.js')
 Settings = require('./Settings')
 StateServer = require('./StateServer')
 ensureSameOrigin = require('./ensureSameOrigin')
+ensureToken = require('./ensureToken')
+validateTokenCookie = require('./validateTokenCookie')
 disallowIFraming = require('./disallowIFraming')
 CommandServer = require('./command_server.coffee')
 serveWidgets = require('./serveWidgets')
@@ -24,7 +26,7 @@ resolveWidget = require('./resolveWidget')
 dispatchToRemote = require('./dispatch')
 listenToRemote = require('./listen')
 
-module.exports = (port, widgetPath, settingsPath, publicPath, options, callback) ->
+module.exports = (port, widgetPath, settingsPath, publicPath, token, options, callback) ->
   options ||= {}
 
   # global store for app state
@@ -74,6 +76,7 @@ module.exports = (port, widgetPath, settingsPath, publicPath, options, callback)
   middleware = connect()
     .use(disallowIFraming)
     .use(ensureSameOrigin(allowedOrigin))
+    .use(ensureToken(token))
     .use(CommandServer(widgetPath, options.loginShell))
     .use(StateServer(store))
     .use(serveWidgets(bundler, widgetPath))
@@ -90,9 +93,9 @@ module.exports = (port, widgetPath, settingsPath, publicPath, options, callback)
       messageBus = MessageBus(
         server: server,
         verifyClient: (info) ->
-          info.origin == allowedOrigin || info.origin == 'Übersicht'
+          (info.origin == allowedOrigin || info.origin == 'Übersicht') && validateTokenCookie(token, info.req.headers.cookie)
       )
-      sharedSocket.open("ws://#{host}:#{port}")
+      sharedSocket.open("ws://#{host}:#{port}", token)
       callback?()
     catch e
       server.emit('error', e)

server/src/ensureSameOrigin.js

@@ -1,6 +1,6 @@
 module.exports = function ensureSameOrgin(origin) {
   const fromSameOrigin = (req) => {
-    return req.method == 'GET' ||
+    return req.method === 'GET' ||
       (req.headers.origin && req.headers.origin === origin);
   }