Add https support for xmage.today

magefree / mage

Magic Another Game Engine

http://xmage.today

MIT License

1.9k stars 774 forks source link

Add https support for xmage.today #12492

Closed JayDi85 closed 1 month ago

JayDi85 commented 4 months ago

Must support both http and https links for compatibility with old launchers (config.json).

artemiswkearney commented 4 months ago

If old launchers keep downloading over HTTP, that's still a security risk, especially if it's silent with no indicator that it should be changed. I'm not sure where the launcher gets its web user agent implementation, or if it'd respond properly to a 301 redirect to HTTPS followed by a Strict-Transport-Security header; another option could be to serve an xmage "update" over HTTP with a message that informs users of the security concerns and tells them where/how to modify config.json.

JayDi85 commented 4 months ago

Redirects must work fine on old launchers.

Possible problems with java certificates, see example in #9135. Maybe launcher must be modified same way as main client app (with custom cacert file). Or maybe not. Old launcher works fine with https links already. Maybe it’s os or java version problem. Or maybe not actual anymore (if you try to run in too old java installations). Need research.

artemiswkearney commented 4 months ago

I'm not sure what Java version people tend to run the launcher with. I launch it with my OS Java, so it should have up-to-date certs, but maybe some people are running it with the old version that it installs after the first run.

alexander-novo commented 4 months ago

The launcher doesn't install a different java version - just downloads it to run the client/server with it from the launcher. So people must have some version of Java installed separately.

I suspect most users are probably using whatever version of Java they installed for things like Minecraft ages ago.

JayDi85 commented 1 month ago

https://xmage.today migrated to https.

Old launcher had some problems:

redirects in files downloads are fine;
redirects in config reads are fail due unsupported code -- it require some workarounds with nginx and http to allow non-secure access for a config.json location https://github.com/magefree/Launcher/commit/623adfd63151b0667f15a6656cfa9a25de44a2c4
different home settings works fine (example: xmage.today or beta.xmage.today).

Current site fully compatible with any launchers and homes.

Current default home: https://xmage.today

artemiswkearney commented 1 month ago

Even after changing the home setting, I still see this in the launcher's logs:

New version of XMage available
Downloading XMage from http://beta.xmage.today/files/mage-update_1.4.54-dev_2024-09-25_13-04.zip

JayDi85 commented 1 month ago

Yes, I know, download links will be upgraded with next release. It works fine.

вс, 29 сент. 2024 г., 11:07 Artemis Kearney @.***>:

Even after changing the home setting, I still see this in the launcher's logs:

New version of XMage available Downloading XMage from http://beta.xmage.today/files/mage-update_1.4.54-dev_2024-09-25_13-04.zip

— Reply to this email directly, view it on GitHub https://github.com/magefree/mage/issues/12492#issuecomment-2381139344, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB7VEXPZDCFEO47W5VTMBG3ZY6RMRAVCNFSM6AAAAABJTHIF6WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBRGEZTSMZUGQ . You are receiving this because you modified the open/close state.Message ID: @.***>