amugofjava / anytime_podcast_player

Simple, easy to use Podcast player app written in Flutter and Dart.
BSD 3-Clause "New" or "Revised" License
403 stars 101 forks

Accept HTTP connection? #62

Closed Chralu closed 1 year ago

Chralu commented 2 years ago

Is your feature request related to a problem? Please describe.

Some RSS provide http URLs (without SSL) to download audio files.

In that case, clicking on the episode download button does nothing (on iOS), whereas stream reading episodes works perfectly.

Describe the solution you'd like

As audio file downloading is not risky, maybe we should accept HTTP connections.

amugofjava commented 2 years ago

Hi @Chralu,

Do you have a couple of example podcasts or URLs I can try to reproduce this?

Thanks.

Chralu commented 2 years ago

Hi @amugofjava,

Thanks to you for that great app :)

You can reproduce that issue with http://www.zqsd.fr/zqsd.xml. I'll look for a fix this afternoon.

Actually, IMHO it reveals another small issue: shouldn't we show an information toast when a download fails?

amugofjava commented 2 years ago

Thanks @Chralu - glad you like the app.

Yes, a download failed toast would be useful. On Android, failed downloads are shown in the notification panel, but on iOS they are not.

Chralu commented 2 years ago

Current code status

On iOS info.plist, we are using both NSAllowsArbitraryLoads and NSAllowsArbitraryLoadsForMedia.

According to official documentation,

NSAllowsArbitraryLoadsForMedia

A Boolean value indicating whether all App Transport Security restrictions are disabled for requests made using the AV Foundation framework. ... In iOS 10 and later and in macOS 10.12 and later, if you include this key with any value, then App Transport Security ignores the value of the NSAllowsArbitraryLoads key, instead using that key’s default value of NO.

NSAllowsArbitraryLoads

A Boolean value indicating whether App Transport Security restrictions are disabled for all network connections.

Solutions

Authorizing HTTP for all network connections

This is what's done on Android (see network_security_config.xml).

To me, we could accept non-SSL communications to download audio files. However, it might be risky to accept non-SSL for all http communications.

Forcing HTTPS and eventually fail gracefully

  1. When parsing episodes, we could replace http scheme by https.
  2. If downloading/playback fails on network error, we display a message "A "

If we refuse non-SSL connections, the user should be clearly informed: "Episode download failed : URL is invalid"

What do you think about it?

amugofjava commented 2 years ago

Those two values were set as part of the setup of the just_audio plugin; however, looking at the docs you have posted I read that as NSAllowsArbitraryLoadsForMedia disables NSAllowsArbitraryLoads. I will do some testing with the two flags.

Chralu commented 1 year ago

Hi, this issue is problematic for my daily use of anytime podcast.

I made a PR to enforce systematic https usage. If that solution doesn't suit the project, I can make another PR to accept non-http connections on iOS.

@amugofjava What do you think about that?

amugofjava commented 1 year ago

Longer term it would be better to force https across all connections, but the approach I would like to take is to store all urls as is, and force https upon usage. I am also thinking about the extension code. It's personal preference, but the forceHttps method feels more like an extension to the url functions rather than String.

There is also an issue with the downloader when an https url redirects to an http one (the BBC seem to have several podcasts that do this) which I am also considering, but I'll raise another issue for this.

As this is causing you issues I will merge #95 PR for now and come back to this.
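
A sketch of the "store all urls as is, and force https upon usage" idea discussed in this thread, together with a check for the https-to-http redirect case mentioned above. This is an added example, not code from anytime_podcast_player or from PR #95; the names `HttpsOnUse`, `forcedHttps`, `usableUrl` and `isDowngrade` are hypothetical and the URLs are constructed samples.

```dart
// Added illustration; not the project's code. All names are hypothetical.

/// Upgrade at the point of use; the stored feed URL is never rewritten.
extension HttpsOnUse on Uri {
  Uri get forcedHttps => isScheme('http') ? replace(scheme: 'https') : this;
}

/// Returns the URL to hand to the downloader or player, or null when the
/// stored value cannot be used, so the caller can report the failure
/// instead of silently doing nothing.
Uri? usableUrl(String stored) {
  final uri = Uri.tryParse(stored.trim());
  if (uri == null || uri.host.isEmpty) return null; // relative or malformed
  if (!uri.isScheme('http') && !uri.isScheme('https')) return null;
  return uri.forcedHttps;
}

/// True when a redirect would move an https request to plain http.
bool isDowngrade(Uri from, Uri redirect) {
  final target = from.resolveUri(redirect); // Location may be relative
  return from.isScheme('https') && target.isScheme('http');
}

void main() {
  // Constructed enclosure URLs, as they might be stored from a feed.
  const stored = [
    'http://media.example.org/ep1.mp3',
    'HTTP://media.example.org:80/ep2.mp3', // default port is dropped
    'http://media.example.org:8080/ep3.mp3', // explicit port is kept
    'https://media.example.org/ep4.mp3',
    'ftp://media.example.org/ep5.mp3',
    'ep6.mp3',
  ];
  for (final s in stored) {
    final url = usableUrl(s);
    print('$s -> ${url ?? 'Episode download failed : URL is invalid'}');
  }

  final request = Uri.parse('https://media.example.org/ep4.mp3');
  // Absolute redirect to plain http: flagged as a downgrade.
  print(isDowngrade(request, Uri.parse('http://cdn.example.net/ep4.mp3')));
  // Relative redirect stays on https: not flagged.
  print(isDowngrade(request, Uri.parse('/mirror/ep4.mp3')));
}
```

A forced https URL can still fail when the host serves no TLS, which is the case where the failure message proposed earlier in the thread is needed.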