Open blackspherefollower opened 8 months ago
I think I've changed my mind in regards to the potential DoS risk: the likelihood of such an attack occurring is ridiculously low and could be simply mitigated by just disabling the WSDM. I do think that connecting devices should NOT automatically be enabled, so if Intiface were to get the ability to modify the blocklist on-the-fly, I think that this would be a very nice QoL tweak for anyone dealing with WSDs
So the new device config work allows us to basically share a mutable device config manager between the UI and whatever buttplug server is running. The native code running behind intiface's flutter UI acts as shared memory even when dart has different isolates happening (as required for app backgrounding). Real time updates should be possible now, so yeah, I'm willing to rethink this.
This PR is tracking the headache of having to update the user-config before a new websocket device can connect.
Right now, this simplistic change lets WS devices declare BTLE identifiers, but there's the potential that this could open things too much. As soon as a webpage can connect a device, it could spam the user-config file with new devices, even if they're not enabled by default (disabling new WS devices on connect is not implemented in this PR yet).
There's a trade-off between UX and security here, and whilst I tend to pick security I'm not sure that's the right choice here.
The prior conversation on Discord: