RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

[sandstorm] Fixes oembed - Outbound server-side HTTP(s) request must use HackSession #1330

Open Sing-Li opened 8 years ago

Sing-Li commented 8 years ago

Right now, oembed does not work because server-side outbound HTTP(s) requests are blocked by Sandstorm's wall-of-security.

Use the currently Sandstorm sanctioned HackSession to obtain an outbound HTTP(s) connection for oembed. (potentially implementing it 'natively' as the HTTP provider whenever the code is detected to be running in Sandstorm)

Sing-Li commented 8 years ago

Example source code for obtaining the HackSession ... courtesy Sandstorm core team's @dwrensha

    var capnp = require("capnp");

    // Cap'n Proto schemas shipped with Sandstorm.
    var SandstormHttpBridge =
        require("./sandstorm/sandstorm-http-bridge.capnp").SandstormHttpBridge;
    var HackSessionContext =
        require("./sandstorm/hack-session.capnp").HackSessionContext;

    var http = require('http');
    http.createServer(function (req, res) {
      // The bridge tags every proxied request with the user's session id.
      var sessionId = req.headers["x-sandstorm-session-id"];
      console.log("sessionId: " + sessionId);

      // Connect to the bridge's API socket inside the grain.
      var conn = capnp.connect("unix:/tmp/sandstorm-api");
      var cap = conn.restore(null, SandstormHttpBridge);
      cap.getSessionContext(sessionId).then(function (response) {
        // The session context doubles as a HackSessionContext, which is
        // what exposes the outbound httpGet().
        var hackSessionContext = response.context.castAs(HackSessionContext);
        return hackSessionContext.httpGet("https://sandstorm.io");
      }).then(function (response) {
        res.writeHead(200, {'Content-Type': response.mimeType});
        res.write(response.content);
        res.end();
      }).catch(function (e) {
        console.log("Error: " + e);
        // Answer the client instead of leaving the request hanging.
        if (!res.headersSent) {
          res.writeHead(502);
        }
        res.end();
      });

    }).listen(10000, '127.0.0.1');
    console.log('Server running at http://127.0.0.1:10000/');

Sing-Li commented 8 years ago

How to add runtime variables to Sandstorm, and then detect at runtime that Rocket.Chat is operating under Sandstorm - courtesy Sandstorm core team's @kentonv

You can configure runtime environment variables in sandstorm-pkgdef.capnp. In fact your pkgdef already sets PATH this way here:

https://github.com/RocketChat/Rocket.Chat/blob/sandstorm-port-001/.sandstorm/sandstorm-pkgdef.capnp#L92

Newer versions of vagrant-spk also set SANDSTORM=1, but as your pkgdef was originally created before that change, you'll need to add it in manually:

    (key = "SANDSTORM", value = "1")

You can then check for that at runtime to decide if you're in sandstorm, e.g.:

    if (process.env.SANDSTORM)
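
The approach this issue proposes (detect Sandstorm through the `SANDSTORM` variable, then send oembed fetches through the session's HackSession rather than the native HTTP client), as an added example that is not part of the thread or of Rocket.Chat's code. `planOutboundGet`, `oembedGet` and the `deps` object are hypothetical names; `deps.bridge` and `deps.castToHackSession` stand in for the capnp calls in the sample above.

```javascript
// Added example. Only process.env.SANDSTORM, the x-sandstorm-session-id
// header, getSessionContext() and httpGet() come from the thread; every
// other name here is hypothetical.

// Decide synchronously which transport an oembed fetch is allowed to use.
function planOutboundGet(url, env, sessionId) {
  var scheme = new URL(url).protocol;        // throws on malformed input
  if (scheme !== "http:" && scheme !== "https:") {
    throw new Error("oembed: unsupported scheme " + scheme);
  }
  if (!env.SANDSTORM) {
    return "native";                         // not sandboxed
  }
  // Inside the grain the per-session capability is the only sanctioned
  // route. Without a session id, fail closed; never fall back to a
  // direct connection.
  if (!sessionId) {
    throw new Error("oembed: no Sandstorm session id for outbound request");
  }
  return "hack-session";
}

// deps.nativeGet(url): the app's ordinary HTTP GET, returning a promise.
// deps.bridge: object exposing getSessionContext(sessionId), i.e. the
//   restored SandstormHttpBridge capability.
// deps.castToHackSession(ctx): wraps ctx.castAs(HackSessionContext).
function oembedGet(url, env, sessionId, deps) {
  var route;
  try {
    route = planOutboundGet(url, env, sessionId);
  } catch (e) {
    return Promise.reject(e);
  }
  if (route === "native") {
    return deps.nativeGet(url);
  }
  return deps.bridge.getSessionContext(sessionId).then(function (response) {
    return deps.castToHackSession(response.context).httpGet(url);
  }).then(function (r) {
    return { mimeType: r.mimeType, content: r.content };
  });
}
```

In a request handler, `sessionId` would come from `req.headers["x-sandstorm-session-id"]` and `env` from `process.env`.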

engelgabriel commented 8 years ago

Hi @pycapnp

How can we work together to get this fixed? @Sing-Li told me you were working on some ideas about how to make this easier. Can you share your thoughts with @rodrigok?

jparyani commented 8 years ago

The solution Sing-Li described above using HackSession is the "old" way of handling outgoing requests in Sandstorm. We're currently working on a much more powerful method for granting capabilities to an app, dubbed the "inline powerbox". It will sit between the chat's text input box and the user, and as the user types things like URLs, it will fluidly grant a capability to the app to access the URL.

This should be ready within the next week or two, and I'll work with you guys to get it supported in Rocket.Chat after that.

Sing-Li commented 8 years ago

Awesome. @jparyani Can't wait to be one of the first to see the long anticipated 'Powerbox UI' in action!

engelgabriel commented 7 years ago

@jparyani any news on this?

jparyani commented 7 years ago

I believe @dwrensha is looking into adding push support which would entail getting outgoing HTTP working. After that's in place, it shouldn't be too much more work to get Oembeds working as well.