rvdleun / onoffice

The open-source Virtual Office, powered by WebVR
https://onoffice.app
GNU General Public License v3.0

use https #16

Closed morriswinkler closed 4 years ago

morriswinkler commented 5 years ago

Please start supporting https and use it by default. I guess I don't need to explain why.

rvdleun commented 4 years ago

Given that the app isn't working anymore on Android and iOS (likely due to devicemotion events not being fired), but also to be future-proof, this is currently my highest priority. Unfortunately, having very little experience with this, it's also a bit of a learning experience.

Getting the server to host https isn't too big a problem. Unfortunately, it does cause ERR_CERT_AUTHORITY_INVALID errors, and I don't think there is a valid way around this. I'm thinking of allowing the user to toggle if he wants to use SSL or not, and if he does, add an explanation to the instructions why this message pops up. It is not the cleanest solution, but I don't know of a way around it.

The biggest issue lies with the fact that the app is currently reliant on websockets to send messages back and forth (the WebRTC signals and actions like centering or resizing the screen). However, I have done some prototyping and testing this evening, and I think I've found a way that can make this work. Instead of sending the messages via websockets (or socket.io), I'll send the messages via WebRTC instead. In hindsight, I probably should have done this from the start.

All-in-all, I do admit that everything feels a bit hackish and I'm probably mishandling how things are meant to run on the Web. One other option I have been considering is moving a lot of the functionality online to Heroku. Like, host a signalling server there, along with the client as a PWA. This way, I could have proper certificates.

However, one of the main reasons why I turned On/Office into an Electron application (aside from having to track the cursor position) was that I didn't want users to be dependent on services that I host. I want to avoid a situation where On/Office will stop working if I am ever forced to close down a server. The application should be as standalone as possible.

All-in-all... a fun challenge, and I'm not entirely certain if I'm approaching it correctly. Will try to seek out some additional advice for this.

rvdleun commented 4 years ago

After doing some hefty refactoring, I've merged code into the develop branch that adds an option to serve everything via HTTPS. I still have some issues left, so won't be creating an official release any time soon. Biggest one is that the certificate that I'm currently using is only valid for one month. I'll set up a certificate that is more long-lived soon. And I also want to add instructions for why the user is getting an error about the certificate.

Still, if interested in trying it out, new builds with the https feature are available at: https://github.com/rvdleun/onoffice/blob/develop/DEVELOPMENT.md#build
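Added example, not part of the thread or of the On/Office code base: a shell sketch of the certificate situation discussed above. It creates a self-signed certificate with a chosen lifetime, prints the SHA-256 fingerprint a user can compare against the browser's certificate viewer before accepting the warning, and shows why the certificate fails default validation (the cause of ERR_CERT_AUTHORITY_INVALID). The host name `onoffice.local`, the IP address, the 365-day lifetime and all function names are assumptions, and the `openssl` CLI (1.1.1 or later) is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example; host name, IP address and lifetime are constructed values.
set -eu

# make_cert DIR HOST IP DAYS: self-signed key and certificate with SAN entries,
# so the certificate matches both the host name and the LAN address.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -days "$4" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,IP:$3" 2>/dev/null
  chmod 600 "$1/key.pem"   # the private key stays readable by its owner only
}

# fingerprint CERT: SHA-256 fingerprint as colon-separated hex.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# trusted_by_default CERT: succeeds only if CERT chains to a CA in the
# system trust store. A freshly generated self-signed certificate does not.
trusted_by_default() {
  openssl verify "$1" >/dev/null 2>&1
}

# trusted_when_pinned CERT: succeeds when CERT itself is supplied as the
# trust anchor, the equivalent of a user explicitly trusting this certificate.
trusted_when_pinned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo run with constructed values.
tmp=$(mktemp -d)
make_cert "$tmp" onoffice.local 192.168.1.20 365
echo "SHA-256 fingerprint: $(fingerprint "$tmp/cert.pem")"
valid_for "$tmp/cert.pem" 2592000 && echo "still valid 30 days from now"
trusted_by_default "$tmp/cert.pem" || echo "no trusted CA in the chain"
trusted_when_pinned "$tmp/cert.pem" && echo "accepted once explicitly trusted"
rm -rf "$tmp"
```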

rvdleun commented 4 years ago

Implemented with https://github.com/rvdleun/onoffice/pull/22