Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(prusalink): increase nonce valid period #3371

Merged
merged 2 commits into from
Dec 4, 2023
Merged

fix(prusalink): increase nonce valid period #3371

merged 2 commits into from
Dec 4, 2023

Conversation

pyrho
Copy link
Contributor

@pyrho pyrho commented Oct 18, 2023

The initial valid period for the HTTP Digest Auth nonce was too low (at 5 seconds).
This make it impossible to log into PrusaLink when using Safari, a saner value of 300 (chosen because it's Apache's default value) does not hinder security and fixes the issue with Safari-based browsers (macOS, ipadOS, iOS).

See #3287 and prusa3d/Prusa-Link-Web#386 for more details.

pyrho
pyrho commented Oct 18, 2023
View reviewed changes
lib/WUI/nhttp/req_parser.cpp
@@ -297,13 +297,11 @@ bool RequestParser::nonce_valid(uint64_t nonce_to_check) const {
uint32_t random = static_cast<uint32_t>(nonce_to_check >> 32);
uint32_t time = nonce_to_check & 0xffffffff;
uint32_t age = ticks_s() - time;
// Make valid period for POST and PUT longer, to avoid infinit uploading
// loops if nonce get stale for upload request.
uint32_t max_valid_age = has_body(method) ? http::extended_valid_nonce_period : http::valid_nonce_period;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This ternary is no longer needed with a max_valid_age of 300.

pyrho
pyrho commented Oct 18, 2023
View reviewed changes
src/common/http/types.h
// can cause an infinit upload loop, if the browser does not read errors
// before sending the whole body.
static const uint32_t valid_nonce_period = 5;
static const uint32_t extended_valid_nonce_period = 8;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The extended_valid_nonce_period variable is no longer needed, since the only value used in now 300.

This was referenced Nov 25, 2023
Closed
Closed
@pyrho @vorner
fix(prusalink): increase nonce valid period
931f578 
The initial valid period for the HTTP Digest Auth nonce was too low (at
5 seconds).
This make it impossible to log into PrusaLink when using Safari, a
saner value of 300 (chosen because it's Apache's default value) does not
hinder security and fixes the issue with Safari-based browsers (macOS,
ipadOS, iOS).

See prusa3d#3287 for more
details.
@vorner
Copy link
Contributor

vorner commented Dec 4, 2023

Thank you for finding the cause (I'd still tend to claim the root cause is on safari's side, since the RFC claims the client may wish to retry with new nonce without reprompting the user…).

I'm going to rebase to get rid of conflicts and fix the tests, then accept it.

@pyrho
Copy link
Contributor Author

pyrho commented Dec 4, 2023

Thank you for finding the cause (I'd still tend to claim the root cause is on safari's side, since the RFC claims the client may wish to retry with new nonce without reprompting the user…).

I'm going to rebase to get rid of conflicts and fix the tests, then accept it.

Great news, thank you for moving this forward 👌

@vorner vorner merged commit 15d5ae0 into prusa3d:master Dec 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vorner vorner vorner approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pyrho @vorner