feat(auth): warn on insecure auth URLs

Signed-off-by: so5iso4ka <so5iso4ka@icloud.com>

Author: so5iso4ka

launcher/CMakeLists.txt

@@ -968,6 +968,9 @@ SET(LAUNCHER_SOURCES
     JavaCommon.h
     JavaCommon.cpp
 
+    UrlUtils.h
+    UrlUtils.cpp
+
     # GUI - paged dialog base
     ui/pages/BasePage.h
     ui/pages/BasePageContainer.h

launcher/UrlUtils.cpp

@@ -0,0 +1,11 @@
+#include "UrlUtils.h"
+
+bool UrlUtils::isLocalhost(const QUrl& url)
+{
+    return url.host() == "localhost" || url.host() == "127.0.0.1" || url.host() == "::1";
+}
+
+bool UrlUtils::isUnsafe(const QUrl& url)
+{
+    return !url.isEmpty() && url.scheme() == "http" && !isLocalhost(url);
+}

launcher/UrlUtils.h

@@ -0,0 +1,8 @@
+#pragma once
+
+#include <QUrl>
+
+namespace UrlUtils {
+bool isLocalhost(const QUrl& url);
+bool isUnsafe(const QUrl& url);
+}

launcher/ui/dialogs/CustomLoginDialog.cpp

@@ -16,10 +16,12 @@
 #include "CustomLoginDialog.h"
 #include "ui_CustomLoginDialog.h"
 
+#include <QMessageBox>
 #include <QPushButton>
 #include <QUrl>
 
 #include "Application.h"
+#include "UrlUtils.h"
 #include "net/Download.h"
 
 namespace {
@@ -108,6 +110,8 @@ void CustomLoginDialog::onUrlResolving()
         return;
     }
 
+    m_resolvedUrl = m_loginUrl;
+
     // modify url if header say so
     auto headers = m_requestTask->getRawHeaders();
     if (const auto it =
@@ -116,14 +120,20 @@ void CustomLoginDialog::onUrlResolving()
         it != headers.end()) {
         const QUrl location = QString::fromUtf8(it->second);
         if (location.isRelative()) {
-            m_loginUrl = m_requestTask->url().resolved(location);
+            m_resolvedUrl = m_requestTask->url().resolved(location);
         } else {
-            m_loginUrl = location;
+            m_resolvedUrl = location;
         }
     }
 
+    bool shouldContinue = showWarning();
+    if (!shouldContinue) {
+        emit onTaskFailed(tr("Aborted"));
+        return;
+    }
+
     // Setup the login task and start it
-    m_account = CustomAccount::createCustom(ui->userTextBox->text(), m_loginUrl.toString(QUrl::StripTrailingSlash),
+    m_account = CustomAccount::createCustom(ui->userTextBox->text(), m_resolvedUrl.toString(QUrl::StripTrailingSlash),
                                             ui->loginUrlTextBox->text(), ui->refreshUrlTextBox->text());
     m_loginTask = m_account->login(ui->passTextBox->text());
     connect(m_loginTask.get(), &Task::failed, this, &CustomLoginDialog::onTaskFailed);
@@ -143,6 +153,22 @@ void CustomLoginDialog::setUserInputsEnabled(bool enable)
     ui->buttonBox->setEnabled(enable);
 }
 
+bool CustomLoginDialog::showWarning()
+{
+    QString text = tr("You entered:\n%1\n"
+                      "Your login credentials will be sent to:\n%2\n"
+                      "Do you want to continue?")
+                       .arg(m_loginUrl.toString(), m_resolvedUrl.toString());
+
+    if (UrlUtils::isUnsafe(m_loginUrl) || UrlUtils::isUnsafe(m_resolvedUrl)) {
+        text.prepend(tr("Please note that http:// is not secure, and your login credentials may be intercepted.\n"));
+    }
+
+    auto answer = QMessageBox::question(this, tr("Warning"), text);
+
+    return answer == QMessageBox::Yes;
+}
+
 // Enable the OK button only when both textboxes contain something.
 void CustomLoginDialog::onTextBoxesChanged()
 {

launcher/ui/dialogs/CustomLoginDialog.h

@@ -38,6 +38,8 @@ class CustomLoginDialog : public QDialog {
 
     void setUserInputsEnabled(bool enable);
 
+    bool showWarning();
+
    protected slots:
     void accept();
 
@@ -58,4 +60,5 @@ class CustomLoginDialog : public QDialog {
     Task::Ptr m_loginTask;
     Net::Download::Ptr m_requestTask;
     QUrl m_loginUrl;
+    QUrl m_resolvedUrl;
 };

launcher/ui/dialogs/CustomLoginDialog.ui

@@ -6,8 +6,8 @@
    <rect>
     <x>0</x>
     <y>0</y>
-       <width>476</width>
-       <height>325</height>
+       <width>472</width>
+       <height>349</height>
    </rect>
   </property>
   <property name="sizePolicy">

launcher/ui/pages/global/APIPage.cpp

@@ -53,6 +53,7 @@
 #include "settings/SettingsObject.h"
 #include "tools/BaseProfiler.h"
 #include "ui/GuiUtil.h"
+#include "UrlUtils.h"
 
 APIPage::APIPage(QWidget* parent) : QWidget(parent), ui(new Ui::APIPage)
 {
@@ -174,16 +175,13 @@ void APIPage::applySettings()
         resourceURL.setPath(path);
     }
 
-    auto isLocalhost = [](const QUrl& url) { return url.host() == "localhost" || url.host() == "127.0.0.1" || url.host() == "::1"; };
-    auto isUnsafe = [isLocalhost](const QUrl& url) { return !url.isEmpty() && url.scheme() == "http" && !isLocalhost(url); };
-
     // Don't allow HTTP, since meta is basically RCE with all the jar files.
-    if (isUnsafe(metaURL)) {
+    if (UrlUtils::isUnsafe(metaURL)) {
         metaURL.setScheme("https");
     }
 
     // Also don't allow HTTP
-    if (isUnsafe(resourceURL)) {
+    if (UrlUtils::isUnsafe(resourceURL)) {
         resourceURL.setScheme("https");
     }