fix(mobile): Remote video playback and asset download on Android with mTLS (#16403)

* Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com>
2025-07-13 20:38:46 +02:00 · 2025-05-08 15:45:11 +02:00 · 2025-05-08 15:45:11 +02:00 · f75d853e9a
commit f75d853e9a
parent 3a1e3e82e7
8 changed files with 218 additions and 32 deletions
--- a/mobile/lib/utils/http_ssl_options.dart
+++ b/mobile/lib/utils/http_ssl_options.dart
@ -0,0 +1,47 @@
+import 'dart:io';
+
+import 'package:flutter/services.dart';
+import 'package:immich_mobile/domain/models/store.model.dart';
+import 'package:immich_mobile/entities/store.entity.dart';
+import 'package:immich_mobile/services/app_settings.service.dart';
+import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
+import 'package:logging/logging.dart';
+
+class HttpSSLOptions {
+  static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');
+
+  static void apply() {
+    AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
+    bool allowSelfSignedSSLCert =
+        Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
+    _apply(allowSelfSignedSSLCert);
+  }
+
+  static void applyFromSettings(bool newValue) {
+    _apply(newValue);
+  }
+
+  static void _apply(bool allowSelfSignedSSLCert) {
+    String? serverHost;
+    if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {
+      serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
+    }
+
+    SSLClientCertStoreVal? clientCert = SSLClientCertStoreVal.load();
+
+    HttpOverrides.global =
+        HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);
+
+    if (Platform.isAndroid) {
+      _channel.invokeMethod("apply", [
+        allowSelfSignedSSLCert,
+        serverHost,
+        clientCert?.data,
+        clientCert?.password,
+      ]).onError<PlatformException>((e, _) {
+        final log = Logger("HttpSSLOptions");
+        log.severe('Failed to set SSL options', e.message);
+      });
+    }
+  }
+}