Chore/master to develop (#2104)

* Fix - js injection in message input (#1943)

* use notarytool for macos notarization

* Secure backend socket.io from other applications that can access localhost i.e. browser (#1940)

* secure socket IO connection with token and origin, transform token from main.ts to backend and state manager

* Add authorization headers to socketio android notifications client

* Secure socketIO connection on iOS

* Extend lastKnownPort to lastKnownSocketIOData on android

* Handle socketIOSecret for iOS lifecycle event

* feat: getRandomValues and concept for validating options on backend

* fix: use secure crypto for ios socketio secret

---------

Co-authored-by: Vin Kabuki <[email protected]>
Co-authored-by: siepra <[email protected]>

* feat: notifier component #1980

* feat: use mailto for support address #1980

* fix: building mobile package #1980

* Publish

 - @quiet/[email protected]
 - @quiet/[email protected]
 - [email protected]
 - [email protected]
 - [email protected]
 - @quiet/[email protected]
 - @quiet/[email protected]

* fix: pass team id for notarization

* chore: abort build on notarization failure (#2081)

* chore: deactivate 'breaking changes warning' for mobile and desktop #2097 #2096

* fix: use default websocket port in case of none

---------

Co-authored-by: Kacper Michalik <[email protected]>
Co-authored-by: Vin Kabuki <[email protected]>
Co-authored-by: Kacper-RF <[email protected]>
Co-authored-by: siepra <[email protected]>
Co-authored-by: Wiktor Sieprawski <[email protected]>
Co-authored-by: [email protected] <[email protected]>

.github/workflows/desktop-build.yml

@@ -138,8 +138,9 @@ jobs:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
           CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
           CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
-          APPLEID: ${{ secrets.APPLE_ID }}
-          APPLEIDPASS: ${{ secrets.APPLE_ID_PASS }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASS: ${{ secrets.APPLE_ID_PASS }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           USE_HARD_LINKS: false

packages/backend/CHANGELOG.md

@@ -193,6 +193,7 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 
 # [1.10.0-alpha.0](https://github.com/TryQuiet/backend/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
+## [1.9.5](https://github.com/TryQuiet/backend/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-09)
 
 **Note:** Version bump only for package @quiet/backend
 

packages/backend/src/backendManager.ts

@@ -8,8 +8,10 @@ import { ConnectionsManagerService } from './nest/connections-manager/connection
 import { TorControl } from './nest/tor/tor-control.service'
 import { torBinForPlatform, torDirForPlatform } from './nest/common/utils'
 import initRnBridge from './rn-bridge'
-
+import { INestApplicationContext } from '@nestjs/common'
 import logger from './nest/common/logger'
+import { OpenServices, validateOptions } from './options'
+
 const log = logger('backendManager')
 
 const program = new Command()
@@ -25,21 +27,13 @@ program
   .option('-a, --appDataPath <string>', 'Path of application data directory')
   .option('-d, --socketIOPort <number>', 'Socket io data server port')
   .option('-r, --resourcesPath <string>', 'Application resources path')
+  .option('-scrt, --socketIOSecret <string>', 'socketIO secret')
 
 program.parse(process.argv)
 const options = program.opts()
 
 console.log('options', options)
 
-interface OpenServices {
-  torControlPort?: any
-  socketIOPort?: any
-  httpTunnelPort?: any
-  authCookie?: any
-}
-
-import { INestApplicationContext } from '@nestjs/common'
-
 export const runBackendDesktop = async () => {
   const isDev = process.env.NODE_ENV === 'development'
 
@@ -48,11 +42,14 @@ export const runBackendDesktop = async () => {
   // @ts-ignore
   global.crypto = webcrypto
 
+  validateOptions(options)
+
   const resourcesPath = isDev ? null : options.resourcesPath.trim()
 
   const app = await NestFactory.createApplicationContext(
     AppModule.forOptions({
       socketIOPort: options.socketIOPort,
+      socketIOSecret: options.socketIOSecret,
       torBinaryPath: torBinForPlatform(resourcesPath),
       torResourcesPath: torDirForPlatform(resourcesPath),
       torControlPort: await getPort(),
@@ -87,7 +84,7 @@ export const runBackendDesktop = async () => {
   })
 }
 
-export const runBackendMobile = async (): Promise<any> => {
+export const runBackendMobile = async () => {
   // Enable triggering push notifications
   process.env['BACKEND'] = 'mobile'
   process.env['CONNECTION_TIME'] = (new Date().getTime() / 1000).toString() // Get time in seconds
@@ -97,6 +94,7 @@ export const runBackendMobile = async (): Promise<any> => {
   const app: INestApplicationContext = await NestFactory.createApplicationContext(
     AppModule.forOptions({
       socketIOPort: options.dataPort,
+      socketIOSecret: options.socketIOSecret,
       httpTunnelPort: options.httpTunnelPort ? options.httpTunnelPort : null,
       torAuthCookie: options.authCookie ? options.authCookie : null,
       torControlPort: options.controlPort ? options.controlPort : await getPort(),

packages/backend/src/nest/app.module.ts

@@ -32,7 +32,7 @@ import { Server as SocketIO } from 'socket.io'
 import { StorageModule } from './storage/storage.module'
 import { IpfsModule } from './ipfs/ipfs.module'
 import { Level } from 'level'
-import { getCors } from './common/utils'
+import { verifyToken } from '@quiet/common'
 
 @Global()
 @Module({
@@ -94,10 +94,40 @@ export class AppModule {
             _app.use(cors())
             const server = createServer(_app)
             const io = new SocketIO(server, {
-              cors: getCors(),
+              cors: {
+                origin: '127.0.0.1',
+                allowedHeaders: ['authorization'],
+                credentials: true,
+              },
               pingInterval: 1000_000,
               pingTimeout: 1000_000,
             })
+            io.engine.use((req, res, next) => {
+              const authHeader = req.headers['authorization']
+              if (!authHeader) {
+                console.error('No authorization header')
+                res.writeHead(401, 'No authorization header')
+                res.end()
+                return
+              }
+
+              const token = authHeader && authHeader.split(' ')[1]
+              if (!token) {
+                console.error('No auth token')
+                res.writeHead(401, 'No authorization token')
+                res.end()
+                return
+              }
+
+              if (verifyToken(options.socketIOSecret, token)) {
+                next()
+              } else {
+                console.error('Wrong basic token')
+                res.writeHead(401, 'Unauthorized')
+                res.end()
+              }
+            })
+
             return { server, io }
           },
           inject: [EXPRESS_PROVIDER],
@@ -122,7 +152,7 @@ export class AppModule {
         },
         {
           provide: LEVEL_DB,
-          useFactory: (dbPath: string) => new Level<string, any>(dbPath, { valueEncoding: 'json' }),
+          useFactory: (dbPath: string) => new Level<string, unknown>(dbPath, { valueEncoding: 'json' }),
           inject: [DB_PATH],
         },
       ],

packages/backend/src/nest/types.ts

@@ -5,6 +5,7 @@ import { Server as SocketIO } from 'socket.io'
 export class ConnectionsManagerTypes {
   options: Partial<ConnectionsManagerOptions>
   socketIOPort: number
+  socketIOSecret: string
   httpTunnelPort?: number
   torAuthCookie?: string
   torControlPort?: number

packages/backend/src/options.ts

@@ -0,0 +1,32 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+import commander from 'commander'
+
+export interface OpenServices {
+  torControlPort?: any
+  socketIOPort?: any
+  socketIOSecret?: any
+  httpTunnelPort?: any
+  authCookie?: any
+}
+
+interface Options {
+  platform?: any
+  dataPath?: any
+  dataPort?: any
+  torBinary?: any
+  authCookie?: any
+  controlPort?: any
+  httpTunnelPort?: any
+  appDataPath?: string
+  socketIOPort?: number
+  resourcesPath?: string
+  socketIOSecret: string
+}
+
+// concept
+export const validateOptions = (_options: commander.OptionValues) => {
+  const options = _options as Options
+  if (!options.socketIOSecret) {
+    throw new Error('socketIOSecret is missing in options')
+  }
+}

packages/common/CHANGELOG.md

@@ -5,10 +5,6 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 ## [2.0.2-alpha.1](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-14)
 
-**Note:** Version bump only for package @quiet/common
-
-
-
 
 
 ## [2.0.2-alpha.0](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-10-26)
@@ -107,9 +103,17 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 
 
+# [1.9.0-alpha.0](/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
+
+
+## [1.8.2](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-11-09)
+
+**Note:** Version bump only for package @quiet/common
+
+
+
 
 
-# [1.9.0-alpha.0](/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-08-29)
 ## [1.8.1](https://github.com/TryQuiet/quiet/compare/@quiet/[email protected]...@quiet/[email protected]) (2023-09-15)
 
 **Note:** Version bump only for package @quiet/common