asticode / astilectron

Electron app that provides an API over a TCP socket that allows executing Electron's method as well as capturing Electron's events
MIT License

Support wss:// as binding address #36

Open gjchentw opened 3 years ago

gjchentw commented 3 years ago

Currently astilectron uses a TCP socket to bind other language stacks, but the data over this connection is easy to sniff and insecure for a renderer passing data like passwords or tokens.

Maybe we can consider this: when start() is called with [tcp://]ip:port, use the classic TCP way, and when start() is called with something like wss://localhost[:port], use ws to create a secured connection between the client and the language bindings.

Cheers.

asticode commented 3 years ago

@gjchentw this is a good idea, but who is handling the SSL handshake in this scenario? And who generates the SSL certificate?

gjchentw commented 3 years ago

The language binding side should start a wss server instead of a TCP server, therefore it should create a self-signed certificate every time the application is launched. Go-astilectron, for example, should achieve this easily by using mkcert. And on the Electron JS main process side, astilectron uses rejectUnauthorized to skip checking the self-signed certificate and finish the SSL handshake:

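    const WebSocket = require('ws');

    // Connect to the binding's wss server; certificate verification is disabled
    // so that the self-signed certificate is accepted.
    var soc = new WebSocket("wss://localhost:9000", {
      protocolVersion: 8,
      origin: 'https://localhost:9000',
      rejectUnauthorized: false
    });
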
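
An added example, not part of the comment above or of either project's code: a certificate generated at every launch can still be verified if the binding hands the client that exact certificate to trust, so verification does not have to be switched off. The Go code below uses hypothetical helper names (`newEphemeralCert`, `pinnedHandshake`) and constructed certificate values, and runs both TLS ends over an in-memory pipe.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newEphemeralCert (hypothetical helper) builds a self-signed localhost certificate in memory.
func newEphemeralCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// pinnedHandshake returns the client's verdict when it trusts only the pinned certificate.
func pinnedHandshake(server tls.Certificate, pinned *x509.Certificate) error {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true}).Handshake()
	pool := x509.NewCertPool()
	pool.AddCert(pinned) // the only trust anchor: this launch's certificate
	return tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "localhost"}).Handshake()
}

func main() {
	ours, leaf, _ := newEphemeralCert()
	other, _, _ := newEphemeralCert() // constructed stand-in for any certificate that is not pinned
	fmt.Println("pinned:", pinnedHandshake(ours, leaf), "| other:", pinnedHandshake(other, leaf))
}
```

In Node's TLS options the setting that corresponds to the pinned pool here is `ca`, which takes the certificate to trust.
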
gjchentw commented 3 years ago

@asticode for now I did a little work on my fork of astilectron and go-astilectron and they can work on websocket like wss://localhost:8443.

https://github.com/gjchentw/astilectron/blob/735b45b3de54e52e368d9d1d1c1d4eb3abea8a72/src/client.js

https://github.com/gjchentw/go-astilectron/blob/a0a6a02e7d51ab295a8266435d55311efa2161e0/astilectron.go

and use SocketType as an option in main.go:

    a, err := astilectron.New(l, astilectron.Options{
        AppName:           "Test",
        BaseDirectoryPath: "example",
        TCPPort:           &port,
        SocketType:        astilectron.SocketWSS,
        // SkipSetup:         true,
    })

The problem is, to make astilectron able to use websocket, I added ws (https://github.com/websockets/ws/) as the only dependency in astilectron, and this makes the example in go-astilectron not work because ws is not provisioned properly. I'd like to hear advice from you and the community: maybe add a new provisioner for ws, or try to implement websocket natively, even though it seems like harder work.

Cheers.