mollyim / mollysocket

MollySocket allows getting Signal notifications via UnifiedPush.
GNU Affero General Public License v3.0

Questions about VAPID key and security #49

Open asandikci opened 1 week ago

asandikci commented 1 week ago

Hi, first of all thanks for this excellent project! I want to ask a few things:

  1. What is the VAPID? And what is the use-scenario for it?

  2. When I set up VAPID key, the domain (molly-socket.domain.tld) that I've installed molly-socket is showing a qr code / link. What is that? This domain is public and accessible by anyone, is it OK?

  3. Is this Molly Socket Server secure to use if both the molly-socket domain (molly-socket.domain.tld) and the push server domain (mypushserver.domain.tld) are known by anyone?

my configs:

#...
allowed_endpoints = ['https://mypushserver.domain.tld/']
allowed_uuids = ['bla-bla-bla-bla-account-id-bla-bla-bla']
webserver = true
vapid_privkey = "mollysocket-vapid-gen-command-output-here"
#...

Lastly, is there anything that I should consider to make the molly-socket/UnifiedPush mechanism more secure/private?

Thanks in Advance

p1gp1g commented 1 week ago
  1. Voluntary Application Server Identification (VAPID) is a protocol defined by [RFC8292]. This is a mechanism based on a cryptographic key pair to restrict the use of a push message subscription to a single application server.

UnifiedPush endpoints are capability URLs: the endpoint by itself is enough to do access control. But, to increase access control * and to follow webpush, VAPID has been introduced to UnifiedPush. Some distributors should support it soon, but more importantly, some distributors may require a VAPID key. That's why it has been introduced.

  2. Yes, we are working on merging UP to the main flavor, and it will be done by scanning the QR code. It reflects the domain of your webserver and gives the VAPID public key.

  3. Yes, no problem. Especially if you have restricted allowed uuids and endpoints so nobody can use your mollysocket server. **

* For instance, you can share an endpoint with different servers, and remove access to one by revoking its VAPID key.

[RFC8292] https://www.rfc-editor.org/rfc/rfc8292

** Actually thanks for the heads-up: someone with 1. the mollysocket URL and 2. your account ID could be able to make your mollysocket connection fail. This is fixed with 1.5.2.
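The VAPID mechanism described in the answer above, as an added example that is not part of the original thread or of MollySocket's code: a push server receiving `Authorization: vapid t=<JWT>, k=<public key>` can check the claims RFC 8292 requires before accepting a message. The endpoint path, the token and the key bytes are constructed placeholders, and the ES256 signature check is left out because it needs a crypto library outside the standard library.

```python
import base64, json, time
from urllib.parse import urlsplit

ENDPOINT = "https://mypushserver.domain.tld/constructed-endpoint-path"  # path is made up

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_vapid(value):
    """Split 'vapid t=<JWT>, k=<public key>' (RFC 8292 section 3) into a dict."""
    scheme, _, rest = value.partition(" ")
    params = dict(p.strip().split("=", 1) for p in rest.split(",") if "=" in p)
    if scheme.lower() != "vapid" or set(params) != {"t", "k"}:
        raise ValueError("not a vapid Authorization header")
    return params

def claim_problems(auth_value, endpoint, now=None):
    """List RFC 8292 claim violations; an empty list means the claims pass.
    The ES256 signature is NOT verified here."""
    now = time.time() if now is None else now
    params, problems = parse_vapid(auth_value), []
    key = b64u_dec(params["k"])
    if len(key) != 65 or key[0] != 0x04:
        problems.append("k is not an uncompressed P-256 point")
    parts = params["t"].split(".")
    if len(parts) != 3:
        return problems + ["t is not a compact JWT"]
    jose, claims = (json.loads(b64u_dec(p)) for p in parts[:2])
    if jose.get("alg") != "ES256":
        problems.append("alg is not ES256")
    url = urlsplit(endpoint)
    if claims.get("aud") != f"{url.scheme}://{url.netloc}":
        problems.append("aud is not the push server origin")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or in the past")
    elif exp - now > 24 * 3600:
        problems.append("exp more than 24 hours ahead")
    return problems

def sample_header(aud, exp):
    """Constructed token: placeholder key and signature bytes, not real crypto."""
    enc = lambda obj: b64u_enc(json.dumps(obj).encode())
    jwt = ".".join([enc({"typ": "JWT", "alg": "ES256"}),
                    enc({"aud": aud, "exp": exp}), b64u_enc(bytes(64))])
    return f"vapid t={jwt}, k={b64u_enc(bytes([4]) + bytes(64))}"
```

Because `aud` binds the token to one push server origin and `k` identifies the application server's key, a token minted for a different origin is rejected even when its signature is valid.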

citizenserious commented 4 days ago

I would add another question. I updated mollysocket from 1.2 to 1.5.2. (cargo)

I tried to run (mollysocket user):

$ mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -

but I get a

Failed to determine local credential host secret: Permission denied

when running:

$ mollysocket vapid gen | sudo systemd-creds encrypt --name=ms_vapid -p - -

it asks me for a password which was not originally set for the mollysocket user so I added one, which led to:

[sudo] password for mollysocket: 
mollysocket is not in the sudoers file.
This incident has been reported to the administrator.

Would it be right to add the mollysocket user to sudoers?

$ sudo visudo

and add

mollysocket ALL=(ALL) NOPASSWD: ALL

at least for the creation of the key? That's what I did. I removed the mollysocket user from sudoers afterward.

What would be the right way to do this? Thanks in advance.

Edit: About updates in general. What is the right way to update mollysocket?

I updated rust (rustup update), installed mollysocket again (cargo install mollysocket) and renewed the sample of the config file and systemd unit file. Is there any advice on how to do this according to best practices in the future? Or would it be possible for us to write a script for the process? Thanks again (:

p1gp1g commented 4 days ago

Do you use a system systemd unit or a user systemd unit?

If you use a user systemd unit, then run:

$ mollysocket vapid gen | systemd-creds --user encrypt --name=ms_vapid -p - -

You should not add the mollysocket user to systemd users. If you use a system systemd unit, use root or another sudoer account.

p1gp1g commented 4 days ago

> About updates in general. What is the right way to update mollysocket?
>
> I updated rust (rustup update), installed mollysocket again (cargo install mollysocket) and renewed the sample of the config file and systemd unit file. Is there any advice on how to do this according to best practices in the future? Or would it be possible for us to write a script for the process? Thanks again (:

The systemd unit file doesn't have to be updated when using a config file, but if we want to use systemd-creds for that secret, it is required. So usually, an update with cargo works.

citizenserious commented 3 days ago

> Do you use a system systemd unit or a user systemd unit?
>
> If you use a user systemd unit, then run:
>
> $ mollysocket vapid gen | systemd-creds --user encrypt --name=ms_vapid -p - -
>
> You should not add the mollysocket user to systemd users. If you use a system systemd unit, use root or another sudoer account.

I installed mollysocket as described in INSTALL.md so mollysocket.service runs with the mollysocket user:

mollysocket@nextcloud:~ $ systemctl status mollysocket
● mollysocket.service - MollySocket
     Loaded: loaded (/etc/systemd/system/mollysocket.service; enabled; preset: enabled)
     Active: active (running)
mollysocket@nextcloud:~ $ mollysocket vapid gen | systemd-creds --myuser encrypt --name=ms_vapid -p - -
systemd-creds: unrecognized option '--myuser'
thread 'main' panicked at std/src/io/stdio.rs:1117:9:
failed printing to stdout: Broken pipe (os error 32)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mollysocket@nextcloud:~ $ mollysocket vapid gen | sudo systemd-creds encrypt --name=ms_vapid -p - -
[sudo] password for mollysocket: 
mollysocket is not in the sudoers file.
This incident has been reported to the administrator.

myuser@nextcloud:~ $ mollysocket vapid gen | sudo systemd-creds encrypt --name=ms_vapid -p - -
-bash: mollysocket: command not found
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
SetCredentialEncrypted=ms_vapid: \
        **removed**