fix(mobile): Remote video playback and asset download on Android with mTLS (#16403)
* Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even though the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com>
This commit is contained in:
parent
3a1e3e82e7
commit
f75d853e9a
8 changed files with 218 additions and 32 deletions
mobile/lib/utils
|
@ -1,16 +1,20 @@
|
|||
import 'dart:io';
|
||||
|
||||
import 'package:immich_mobile/domain/models/store.model.dart';
|
||||
import 'package:immich_mobile/entities/store.entity.dart';
|
||||
import 'package:immich_mobile/services/app_settings.service.dart';
|
||||
import 'package:logging/logging.dart';
|
||||
|
||||
class HttpSSLCertOverride extends HttpOverrides {
|
||||
static final Logger _log = Logger("HttpSSLCertOverride");
|
||||
final bool _allowSelfSignedSSLCert;
|
||||
final String? _serverHost;
|
||||
final SSLClientCertStoreVal? _clientCert;
|
||||
late final SecurityContext? _ctxWithCert;
|
||||
|
||||
HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() {
|
||||
HttpSSLCertOverride(
|
||||
this._allowSelfSignedSSLCert,
|
||||
this._serverHost,
|
||||
this._clientCert,
|
||||
) {
|
||||
if (_clientCert != null) {
|
||||
_ctxWithCert = SecurityContext(withTrustedRoots: true);
|
||||
if (_ctxWithCert != null) {
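Review bot: The new constructor `HttpSSLCertOverride(this._allowSelfSignedSSLCert, this._serverHost, this._clientCert)` takes a bare positional `bool` followed by a nullable `String`, so call sites will read like `HttpSSLCertOverride(true, null, cert)` and nothing states what a null `_serverHost` means (judging by the second hunk, "no host restriction"); named `required` parameters, `HttpSSLCertOverride({required bool allowSelfSignedSSLCert, String? serverHost, SSLClientCertStoreVal? clientCert})`, plus a class doc comment would make that explicit. I would at least add `/// Host of the configured server; when null the self-signed exemption applies to every host.` above `_serverHost`. `_ctxWithCert` is declared `late final` but the only assignment visible here sits inside `if (_clientCert != null)`, so unless a branch past the hunk assigns it for the null case, a later read throws a LateInitializationError; a plain nullable field defaulting to null would avoid that. The constructor body continues outside the hunk.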
|
||||
|
@ -47,28 +51,15 @@ class HttpSSLCertOverride extends HttpOverrides {
|
|||
|
||||
return super.createHttpClient(context)
|
||||
..badCertificateCallback = (X509Certificate cert, String host, int port) {
|
||||
AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
|
||||
|
||||
// Check if user has allowed self signed SSL certificates.
|
||||
bool selfSignedCertsAllowed =
|
||||
Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
|
||||
|
||||
bool isLoggedIn = Store.tryGet(StoreKey.currentUser) != null;
|
||||
|
||||
// Conduct server host checks if user is logged in to avoid making
|
||||
// insecure SSL connections to services that are not the immich server.
|
||||
if (isLoggedIn && selfSignedCertsAllowed) {
|
||||
String serverHost =
|
||||
Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
|
||||
|
||||
selfSignedCertsAllowed &= serverHost.contains(host);
|
||||
if (_allowSelfSignedSSLCert) {
|
||||
// Conduct server host checks if user is logged in to avoid making
|
||||
// insecure SSL connections to services that are not the immich server.
|
||||
if (_serverHost == null || _serverHost.contains(host)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
if (!selfSignedCertsAllowed) {
|
||||
_log.severe("Invalid SSL certificate for $host:$port");
|
||||
}
|
||||
|
||||
return selfSignedCertsAllowed;
|
||||
_log.severe("Invalid SSL certificate for $host:$port");
|
||||
return false;
|
||||
};
|
||||
}
|
||||
}
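Review bot: `_serverHost.contains(host)` is a substring test, so once self-signed certificates are enabled the exemption also covers any host whose name is a substring of the configured server host — for `photos.example.com` that includes `example.com` and `com` — which is wider than the comment's "not the immich server" intent; an exact comparison, `if (_serverHost == null || _serverHost == host) {`, is the check the comment describes. The comment `// Conduct server host checks if user is logged in` no longer matches the code, which now gates on `_serverHost == null` rather than on login state; I would replace it with `// Only exempt the configured server; a null host means none is known yet (e.g. before login), so every host is accepted.`. Whether the null case can be reached for arbitrary hosts depends on what the caller passes, which is outside this hunk, and the `cert` argument is still unused, so nothing ties the exemption to the certificate the user originally accepted. The enclosing `createHttpClient` starts outside the hunk.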
|
||||
|
|