flipperdevices / flipper-application-catalog

Flipper Application Catalog

FlipStore - v0.1 #527

Closed jblanked closed 2 weeks ago

jblanked commented 1 month ago

Application Submission

Extra Requirements

Author Checklist (Fill this out)

Reviewer Checklist (Don't fill this out)

jblanked commented 1 month ago

530 referencing these questions from: https://github.com/flipperdevices/flipper-application-catalog/pull/530#discussion_r1807433696

It is using https://catalog.flipperzero.one/api/v0/0/application?limit=500&is_latest_release_version=true&offset=0&sort_by=updated_at&sort_order=-1 to get the list of available apps, then it parses a simpler JSON format to send back to the Flipper.

For downloading apps, it sends a request to https://catalog.flipperzero.one/api/v0/application/version/{app_data["current_version"]["_id"]}/bundle to download the bundle.zip. Then it uses UFBT to compile the code located in the code folder. Then afterwards, it sends back the bytes of the .fap file to the Flipper.

It's using the latest version always (well I assume those links will produce the latest versions each time).

It does currently save the apps to a custom folder within the apps called "FlipStore". I did my development on Unleashed and based off your comment, I'm assuming custom folders cannot be created in the apps directory on Official? If that's the case, I'll need to integrate the different app categories much much sooner than I planned.

Thank you again for taking the time to review the apps and provide feedback. I do plan on open-sourcing flipsocial.net and am more than happy to share/explain any code.

skotopes commented 1 month ago

I see.

Let me start with a small excursus: from the beginning of the catalog development we realized it was going to be quite a difficult child. The nature of the platform doesn't allow us to maintain a stable API, and we were forced to design it around the idea that everything changes, and often in a major way. So we've made a system that continuously builds apps against a constantly changing set of SDKs and archives artifacts in a way that we can deliver apps to as many different firmwares as possible. That plus installation manifests became the catalog we know now. Taking into account all the complexity, and in order to keep behavior among the companions consistent, we intentionally left the API private.

And that brings us to the present moment: in order for us to accept this PR you must implement everything that we did in companions. Otherwise you'll bring a mess into their flow.

In general we can accept that and provide additional resources if needed. But that's going to be quite a difficult journey.

Also I think that if we are going to pull it off then we'll have to update the wifi board firmware to provide a seamless socket/web API on the system level, so no custom wifi board firmware will be needed. To be honest we've been thinking about it for a while and it is in our task backlog.

PS: list of things that companion apps implement:

jblanked commented 1 month ago

Thank you for providing such a detailed breakdown of the creation and maintenance of the API and SDK.

I agree that this is a challenging journey, and honestly, downloading apps was just the tip of the iceberg. By version 1.0, I aimed to facilitate downloading and updating system firmware.

If I'm permitted to proceed, I would greatly appreciate any help you can provide with this project, as well as any resources you could share. I hope that the FlipperHTTP flash is at least a step forward.

I'm open to making any changes or additions as needed.

I had a thought: if the API is maintained by your team, couldn't FlipStore continue to use it? Or, even simpler, just use UFBT to compile .faps from GitHub repositories?

Thanks again for your help, and I look forward to hopefully collaborating.

jblanked commented 1 month ago

My apologies, I didn't mean to close/delete the branch. I was doing some clean up.

jblanked commented 1 month ago

I just bumped the version to 0.2:

I also changed the endpoints for installing .fap files. Now, it directly uses the following URL: https://catalog.flipperzero.one/api/v0/application/version/%s/build/compatible?target=%s&api=%s.

We could give the user the option to change the target and api, or find a way to detect it automatically.

I look forward to your response and would like to thank you and your team again for your guidance and support.

noproto commented 3 weeks ago

In addition to what has been written on this issue, SSL/TLS verification by the HTTP library should never be used in bypass mode or users may be targeted by MITM attacks when installing apps (however unlikely - consider events like DEFCON).

jblanked commented 3 weeks ago

> In addition to what has been written on this issue, SSL/TLS verification by the HTTP library should never be used in bypass mode or users may be targeted by MITM attacks when installing apps (however unlikely - consider events like DEFCON).

Understood, thanks for your input. If I remember correctly, I'd need to provide a certificate to use the client securely. I'll look into this and come up with a solution. Any feedback or suggestions are appreciated.
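
The point raised in this thread about never running the HTTP client in bypass mode, as an added example that is not part of the discussion or of FlipStore's code: a Python download helper for the bundle endpoint quoted earlier that audits its TLS context and refuses to fetch when chain or hostname verification is off. The function names, the `ca_file` parameter and the alphanumeric rule for version ids are assumptions made for illustration.

```python
import ssl
import urllib.request

# Endpoint as quoted in the thread; the version id is filled in per app.
BUNDLE_URL = "https://catalog.flipperzero.one/api/v0/application/version/{}/bundle"


class InsecureTLSConfig(Exception):
    """Raised when a download is attempted with verification disabled."""


def verified_context(ca_file=None):
    """Context that checks the certificate chain and the hostname.

    ca_file (assumption): PEM bundle to trust instead of the system store.
    """
    return ssl.create_default_context(cafile=ca_file)


def bypass_context():
    """The bypass mode warned about in the thread; built only to be rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context is unsafe for fetching installable code."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked")
    return problems


def bundle_url(version_id):
    # Assumption: ids are plain ASCII alphanumeric tokens; reject anything
    # else so the id cannot alter the path or query of the request.
    if not (version_id.isascii() and version_id.isalnum()):
        raise ValueError("unexpected version id: %r" % version_id)
    return BUNDLE_URL.format(version_id)


def download_bundle(version_id, ctx):
    """Fetch bundle.zip, but only over a context that passes the audit."""
    problems = audit_context(ctx)
    if problems:
        raise InsecureTLSConfig("; ".join(problems))
    url = bundle_url(version_id)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()
```

Passing a PEM file as `ca_file` makes the context trust only that bundle instead of the system store, which is the "provide a certificate" route mentioned in the last reply.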