pmusolino / Wormholy

iOS network debugging, like a wizard 🧙‍♂️
MIT License

fix: authentication challenge handling to fix ssl pinning issue #108

Closed percivalwcy closed 3 years ago

percivalwcy commented 3 years ago

Modify the urlSession delegate for didReceive challenge to be more of an "observer", rather than returning a disposition of .useCredential. If there is existing SSL pinning code, this change will honour it by passing along the completionHandler from the sender's challenge to any custom authentication challenge handling code implemented.

The sender in the challenge does not implement some functions (potentially an Apple bug). Therefore, we need to create a custom sender that implements those functions. We then need to wrap it up in a new authentication challenge, and notify the client.

fixes #62

pmusolino commented 3 years ago

Thank you @percivalwcy for this great contribution! Can you explain how I can test it?

percivalwcy commented 3 years ago

@pmusolino to test it, it would simply be creating a project with URLSession, and implementing the URLSessionDataDelegate protocol. In particular, implementing the urlSession:didReceive:completion function. Perhaps just return a .cancelAuthenticationChallenge in the completionHandler? That would just reject every network call. Then importing the existing Wormholy version would load the URL since it's returning .useCredential. Then swap with this branch's version of Wormholy - the URL should not load since it should respect the importing app's urlSession:didReceive:completion logic.
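
The test app described in the comment above, sketched as an added example that is not part of the thread or of Wormholy's own code. `RejectAllTrustDelegate`, `checkDelegateIsHonoured` and the `https://example.com` URL are assumptions made for illustration; any HTTPS endpoint works.

```swift
import Foundation

// Hypothetical test delegate: rejects every server-trust challenge.
// If a request still loads, something between the app and the network
// answered the TLS challenge instead of this delegate.
final class RejectAllTrustDelegate: NSObject, URLSessionDataDelegate {
    private(set) var challengeCount = 0

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are relevant to pinning; let the
        // system deal with any other authentication method.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        challengeCount += 1
        // Stand-in for a failed pin check: refuse the connection.
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}

// Loads `url` through a session that uses the rejecting delegate and reports
// whether the delegate's decision was respected. The name is hypothetical.
func checkDelegateIsHonoured(url: URL, completion: @escaping (Bool) -> Void) {
    let delegate = RejectAllTrustDelegate()
    let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
    session.dataTask(with: url) { data, _, error in
        // Honoured: the delegate saw the challenge and the load failed.
        // Not honoured: data arrived although the delegate rejected trust.
        let honoured = delegate.challengeCount > 0 && error != nil && data == nil
        completion(honoured)
        session.finishTasksAndInvalidate()
    }.resume()
}

// Placeholder URL (assumption); run once per Wormholy build under test.
checkDelegateIsHonoured(url: URL(string: "https://example.com")!) { honoured in
    print(honoured ? "PASS: app delegate decided the challenge"
                   : "FAIL: request loaded despite the rejecting delegate")
}
```

Replacing the unconditional cancel with a real certificate or public-key comparison turns the same harness into a regression check that pinning stays enforced in debug builds that embed the debugging library.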