fix(drive): rollback uploads, tighten validation, dedupe helpers

Author: dazzling-no-more

Dockerfile.drive-node

@@ -18,10 +18,11 @@
 # refresh token, chmod 0600) into the same dir on successful OAuth.
 
 # ---- builder ------------------------------------------------------------
-# Need >= 1.85 for the edition2024 stabilization that time-macros (and a
-# few other transitive deps in our lockfile) now require. `rust:1` always
-# points at the latest 1.x stable — fine for a build image we throw away.
-FROM rust:1-slim-bookworm AS builder
+# Pin the Rust toolchain so a future `rust:1` retag (or a transitive dep
+# bumping its MSRV) can't silently break this image. Need >= 1.85 for
+# the edition2024 stabilization that time-macros and a few other
+# transitive deps in our lockfile now require; bump deliberately.
+FROM rust:1.85-slim-bookworm AS builder
 WORKDIR /src
 
 # `ring` (TLS backend) needs a C compiler + assembler. Everything else is

README.md

@@ -338,7 +338,11 @@ Tune `drive_idle_timeout_secs` (default 300) upward if you tunnel long-poll HTTP
 
 ### Onboarding a non-technical user (Android)
 
-Once one device has finished OAuth, you can hand the configured state to another via QR or text — no Cloud Console steps required on the receiving end. In the Drive section: **Share Drive setup** → **Show QR + payload** → copy / send the `mhrv-rs-setup://...` link via WhatsApp / Telegram / SMS. The recipient pastes the link, scans the QR, picks the QR image from their gallery, or just taps the link if their messenger linkifies it. The bundle includes the OAuth refresh token, so they don't run their own consent flow — they share the sharer's Google identity for `drive.file` scope.
+Once one device has finished OAuth, you can hand the configured state to another via QR or text — no Cloud Console steps required on the receiving end. In the Drive section: **Share Drive setup** → **Show QR + payload** → copy / send the `mhrv-rs-setup://import/...` link via WhatsApp / Telegram / SMS. The recipient pastes the link, scans the QR, picks the QR image from their gallery, or just taps the link if their messenger linkifies it. The bundle includes the OAuth refresh token, so they don't run their own consent flow — they share the sharer's Google identity for `drive.file` scope.
+
+> **Read this before you share.** The setup blob bundles the OAuth `client_secret` AND a long-lived refresh token. Anything that can read the QR / link — a chat backup, a screenshot synced to cloud, a compromised device — gets the same `drive.file` access this app has, indefinitely. There is no per-recipient revoke: the only way to invalidate a leaked share is to rotate (or delete) the OAuth client in Google Cloud Console, which also kicks every device you've already onboarded with that client. Treat the share like a long-lived password: keep the recipient list small, prefer scanning camera-to-camera over messengers, and rotate the OAuth client on a schedule if the same identity is shared widely.
+>
+> If you want per-device revocation without a Cloud Console round-trip, do the OAuth flow separately on each device instead of using setup-share — refresh tokens minted from independent consent flows can be revoked one at a time from your Google Account's "Third-party apps with account access" page.
 
 Caveat: the **sharer** still needs an unfiltered path to `accounts.google.com` for the initial OAuth dance, since the consent page opens in their system browser. If your network blocks Google Accounts, do the initial OAuth on a different network (mobile data, friend's Wi-Fi) and then share the resulting setup. Recipients aren't bound by this — they get the refresh token via the QR.
 

android/app/src/main/AndroidManifest.xml

@@ -61,17 +61,19 @@
                 <category android:name="android.intent.category.BROWSABLE" />
                 <data android:scheme="mhrv-rs" />
             </intent-filter>
-            <!-- Drive setup deep link: tapping mhrv-rs-setup://... in
-                 WhatsApp / Telegram / SMS opens the app and offers to
-                 import the bundled credentials + refresh token. Distinct
-                 scheme so the recipient is asked to confirm a different
-                 (credential-bearing) payload than the regular config
-                 share. -->
+            <!-- Drive setup deep link: tapping
+                 mhrv-rs-setup://import/<base64> in WhatsApp / Telegram /
+                 SMS opens the app and offers to import the bundled
+                 credentials + refresh token. Distinct scheme + fixed
+                 host="import" so a foreign URL like
+                 `mhrv-rs-setup://attacker.example/...` doesn't trigger
+                 the import flow; the trust prompt is the second line
+                 of defence. -->
             <intent-filter>
                 <action android:name="android.intent.action.VIEW" />
                 <category android:name="android.intent.category.DEFAULT" />
                 <category android:name="android.intent.category.BROWSABLE" />
-                <data android:scheme="mhrv-rs-setup" />
+                <data android:scheme="mhrv-rs-setup" android:host="import" />
             </intent-filter>
         </activity>
 

android/app/src/main/java/com/therealaleph/mhrv/ConfigStore.kt

@@ -298,8 +298,13 @@ object ConfigStore {
      *  + refresh token so a recipient can connect with no manual OAuth.
      *  Different from [HASH_PREFIX] because the payload includes secrets,
      *  the recipient flow needs to write extra files, and we don't want
-     *  to silently fall through to the regular config import path. */
-    private const val DRIVE_SETUP_PREFIX = "mhrv-rs-setup://"
+     *  to silently fall through to the regular config import path.
+     *
+     *  The fixed `import/` host narrows the deep-link surface: the
+     *  AndroidManifest filter requires `android:host="import"`, so a
+     *  foreign URL like `mhrv-rs-setup://attacker.example/...` won't
+     *  even reach the trust prompt. */
+    private const val DRIVE_SETUP_PREFIX = "mhrv-rs-setup://import/"
 
     /** Filename inside the app's filesDir where imported credentials are
      *  written. Must match what the regular Drive import flow uses, so
@@ -437,7 +442,14 @@ object ConfigStore {
     /** Read the on-disk credentials + token files and bundle them with
      *  the user's Drive config knobs into a shareable string. Returns
      *  null when there's nothing to share (no credentials imported, or
-     *  no token cached yet — the sharer has to complete OAuth first). */
+     *  no token cached yet — the sharer has to complete OAuth first).
+     *
+     *  Caller is responsible for showing a destructive-action warning
+     *  before producing the QR. The bundle contains the OAuth
+     *  `client_secret` and a long-lived refresh token; anyone with the
+     *  QR (or a backup of the chat that delivered it) keeps `drive.file`
+     *  access until the sharer rotates the OAuth client in Google
+     *  Cloud Console. There is no per-recipient revoke. */
     fun encodeDriveSetup(ctx: Context, cfg: MhrvConfig): String? {
         if (cfg.driveCredentialsPath.isBlank()) return null
         val credsFile = File(cfg.driveCredentialsPath)
@@ -540,19 +552,10 @@ object ConfigStore {
             tokenFile.writeText(JSONObject().apply {
                 put("refresh_token", setup.refreshToken)
             }.toString())
-            // Best-effort 0600. Android's FileProvider sandbox already
-            // walls /data/user/0/<pkg>/files/ off from other apps, so
-            // this is belt-and-braces.
-            runCatching {
-                credsFile.setReadable(false, false)
-                credsFile.setReadable(true, true)
-                credsFile.setWritable(false, false)
-                credsFile.setWritable(true, true)
-                tokenFile.setReadable(false, false)
-                tokenFile.setReadable(true, true)
-                tokenFile.setWritable(false, false)
-                tokenFile.setWritable(true, true)
-            }
+            // No setReadable/setWritable dance: Android's per-app
+            // sandbox under /data/user/0/<pkg>/files/ already walls
+            // these files off from other apps. The previous gymnastics
+            // were no-ops on every Android version we support.
             base.copy(
                 mode = Mode.GOOGLE_DRIVE,
                 driveCredentialsPath = credsFile.absolutePath,

android/app/src/main/res/values-fa/strings.xml

@@ -130,7 +130,7 @@
     <string name="btn_drive_setup_import">وارد کردن</string>
     <string name="help_drive_scan_setup">اگر کسی QR تنظیمات Drive را با شما به اشتراک گذاشته، اینجا اسکن کنید. برنامه credentials و توکن OAuth را می‌نویسد، folder_id را تنظیم می‌کند و فقط کافی است Connect را بزنید — نیازی به Google Cloud Console یا مرورگر نیست.</string>
     <string name="dialog_drive_share_title">اشتراک‌گذاری تنظیمات Drive</string>
-    <string name="dialog_drive_share_warning">این QR شامل client secret و refresh token شما است. هر کس آن را اسکن کند به همان مقدار دسترسی به Drive شما خواهد داشت که این برنامه دارد. فقط با افراد قابل اعتماد به اشتراک بگذارید.</string>
+    <string name="dialog_drive_share_warning">این QR شامل client secret و refresh token شما است. هر کس آن را اسکن کند — یا بعداً در پشتیبان چت، اسکرین‌شات یا دستگاه آلوده پیدا کند — همان دسترسی `drive.file` این برنامه را خواهد داشت و تا زمانی که OAuth client را در Google Cloud Console عوض نکنید نگه می‌دارد (که این دستگاه را هم خارج می‌کند). امکان لغو دسترسی فقط برای یک گیرنده وجود ندارد. آن را مثل یک رمز عبور بلندمدت در نظر بگیرید و فقط با افراد قابل اعتماد به اشتراک بگذارید.</string>
     <string name="dialog_drive_share_unavailable">هنوز چیزی برای اشتراک‌گذاری وجود ندارد — ابتدا روی این دستگاه OAuth را تکمیل کنید (دکمهٔ احراز Google Drive).</string>
     <string name="dialog_drive_share_qr_too_large">حجم بسته برای QR زیاد است. از دکمه‌های کپی / ارسال برای فرستادن متن استفاده کنید.</string>
     <string name="dialog_drive_setup_scan_prompt">QR تنظیمات Drive را اسکن کنید</string>

android/app/src/main/res/values/strings.xml

@@ -145,7 +145,7 @@
     <string name="btn_drive_setup_import">Import</string>
     <string name="help_drive_scan_setup">If someone shared a Drive setup QR with you, scan it here. The app will write their credentials and OAuth token, set the folder ID, and you can tap Connect — no Google Cloud Console or browser steps needed.</string>
     <string name="dialog_drive_share_title">Share Drive setup</string>
-    <string name="dialog_drive_share_warning">This QR contains your OAuth client secret AND your Drive refresh token. Anyone who scans it gets the same access to your Drive that this app has. Only share with people you trust.</string>
+    <string name="dialog_drive_share_warning">This QR contains your OAuth client secret AND your Drive refresh token. Anyone who scans it — or later finds it in a chat backup, screenshot, or compromised device — gets the same `drive.file` access this app has, and keeps it until you rotate the OAuth client in Google Cloud Console (which also kicks THIS device). There is no way to revoke a single recipient. Treat it like a long-lived password and only share with people you trust.</string>
     <string name="dialog_drive_share_unavailable">Nothing to share yet — finish OAuth on this device first (Authorize Google Drive button).</string>
     <string name="dialog_drive_share_qr_too_large">Setup payload is too large for a QR code. Use the Copy / Send buttons to share the text instead.</string>
     <string name="dialog_drive_setup_scan_prompt">Scan a Drive setup QR</string>

src/bin/ui.rs

@@ -153,11 +153,6 @@ struct UiState {
     /// Result of the most recent `DriveCompleteAuth`. `Ok(token_path)` on
     /// success, `Err(message)` otherwise.
     drive_auth_result: Option<Result<String, String>>,
-    /// Whether the Drive client is the one currently held in `active`
-    /// on the background thread. Independent from `running` because the
-    /// drive client doesn't go through ProxyServer / DomainFronter, so
-    /// the stats panel stays empty while it runs.
-    drive_running: bool,
 }
 
 #[derive(Clone, Debug)]
@@ -294,6 +289,12 @@ struct FormState {
     drive_poll_ms: u64,
     drive_flush_ms: u64,
     drive_idle_timeout_secs: u64,
+    /// Round-tripped from config.json so a hand-edited override
+    /// survives a save. Not surfaced as a UI control; `0` means "use
+    /// built-in default" (currently 8). Hidden because the right value
+    /// is dictated by the user's network and Drive quota — operators
+    /// who care can edit config.json directly.
+    drive_storage_concurrency: usize,
 }
 
 #[derive(Clone, Debug)]
@@ -385,6 +386,7 @@ fn load_form() -> (FormState, Option<String>) {
             drive_poll_ms: c.drive_poll_ms,
             drive_flush_ms: c.drive_flush_ms,
             drive_idle_timeout_secs: c.drive_idle_timeout_secs,
+            drive_storage_concurrency: c.drive_storage_concurrency,
         }
     } else {
         FormState {
@@ -421,6 +423,7 @@ fn load_form() -> (FormState, Option<String>) {
             drive_poll_ms: 500,
             drive_flush_ms: 300,
             drive_idle_timeout_secs: 300,
+            drive_storage_concurrency: 0,
         }
     };
     (form, load_err)
@@ -601,6 +604,7 @@ impl FormState {
             drive_poll_ms: self.drive_poll_ms,
             drive_flush_ms: self.drive_flush_ms,
             drive_idle_timeout_secs: self.drive_idle_timeout_secs,
+            drive_storage_concurrency: self.drive_storage_concurrency,
         })
     }
 }
@@ -671,12 +675,18 @@ struct ConfigWire<'a> {
     drive_flush_ms: u64,
     #[serde(skip_serializing_if = "is_zero_u64")]
     drive_idle_timeout_secs: u64,
+    #[serde(skip_serializing_if = "is_zero_usize")]
+    drive_storage_concurrency: usize,
 }
 
 fn is_zero_u64(v: &u64) -> bool {
     *v == 0
 }
 
+fn is_zero_usize(v: &usize) -> bool {
+    *v == 0
+}
+
 fn is_false(b: &bool) -> bool {
     !*b
 }
@@ -759,6 +769,11 @@ impl<'a> From<&'a Config> for ConfigWire<'a> {
             } else {
                 0
             },
+            drive_storage_concurrency: if c.mode == "google_drive" {
+                c.drive_storage_concurrency
+            } else {
+                0
+            },
         }
     }
 }
@@ -2222,12 +2237,27 @@ fn pick_credentials_file() -> Option<String> {
             $f = New-Object System.Windows.Forms.OpenFileDialog; \
             $f.Filter = 'JSON files (*.json)|*.json|All files (*.*)|*.*'; \
             if ($f.ShowDialog() -eq 'OK') { Write-Output $f.FileName }";
-        let out = std::process::Command::new("powershell")
-            .args(["-NoProfile", "-Command", script])
-            .output()
-            .ok()?;
-        let s = String::from_utf8_lossy(&out.stdout).trim().to_string();
-        if s.is_empty() { None } else { Some(s) }
+        // Try PowerShell 7 (`pwsh`) first, then Windows PowerShell. Some
+        // hardened images ship only one or the other, so falling through
+        // both lets the dialog work regardless. The script is identical
+        // for both interpreters.
+        for exe in &["pwsh", "powershell"] {
+            let Ok(out) = std::process::Command::new(exe)
+                .args(["-NoProfile", "-Command", script])
+                .output()
+            else {
+                continue;
+            };
+            if !out.status.success() {
+                continue;
+            }
+            let s = String::from_utf8_lossy(&out.stdout).trim().to_string();
+            if s.is_empty() {
+                return None;
+            }
+            return Some(s);
+        }
+        None
     }
     #[cfg(target_os = "macos")]
     {
@@ -2325,7 +2355,6 @@ fn background_thread(shared: Arc<Shared>, rx: Receiver<Cmd>) {
                             let mut s = shared2.state.lock().unwrap();
                             s.running = true;
                             s.started_at = Some(Instant::now());
-                            s.drive_running = true;
                         }
                         let port = cfg.socks5_port.unwrap_or(cfg.listen_port + 1);
                         push_log(
@@ -2341,7 +2370,6 @@ fn background_thread(shared: Arc<Shared>, rx: Receiver<Cmd>) {
                         st.running = false;
                         st.started_at = None;
                         st.proxy_active = false;
-                        st.drive_running = false;
                         push_log(&shared2, "[ui] drive client stopped");
                     });
                     active = Some((handle, fronter_slot, shutdown_tx));

src/config.rs

@@ -224,6 +224,13 @@ pub struct Config {
     /// default of 15 s was too aggressive for real protocols.
     #[serde(default = "default_drive_idle_timeout_secs")]
     pub drive_idle_timeout_secs: u64,
+    /// Max concurrent in-flight Drive uploads/downloads. `0` (default)
+    /// uses the built-in [`drive_tunnel::STORAGE_CONCURRENCY`] of 8.
+    /// Bump up if you have a fat pipe and many sessions; HTTP/2
+    /// multiplexes everything onto one TLS connection so the cost of
+    /// raising this is just a few more in-flight streams.
+    #[serde(default)]
+    pub drive_storage_concurrency: usize,
 }
 
 fn default_fetch_ips_from_api() -> bool {
@@ -315,9 +322,14 @@ impl Config {
                     "drive_poll_ms and drive_flush_ms must be greater than 0".into(),
                 ));
             }
-            if self.drive_idle_timeout_secs == 0 {
+            // Floor at 15s to match the UI sliders. Lower values
+            // force-close real protocols (TLS, long-poll HTTP, idle
+            // WebSockets) on every flush and were previously only
+            // rejected at zero — a hand-edited `config.json` could
+            // still set 1 and silently break every connection.
+            if self.drive_idle_timeout_secs < 15 {
                 return Err(ConfigError::Invalid(
-                    "drive_idle_timeout_secs must be greater than 0".into(),
+                    "drive_idle_timeout_secs must be at least 15".into(),
                 ));
             }
             // The id is concatenated unsanitised into Drive filenames and
@@ -496,6 +508,30 @@ mod tests {
         assert_eq!(cfg.drive_idle_timeout_secs, 300);
     }
 
+    #[test]
+    fn rejects_google_drive_idle_timeout_below_floor() {
+        // Validator floor is 15s — below it a hand-edited config could
+        // set 1 and force-close every session on each flush. Verify both
+        // 0 and a low-but-positive value are rejected, and exactly 15
+        // is accepted.
+        let mk = |idle: u64| {
+            format!(
+                "{{\"mode\":\"google_drive\",\"drive_credentials_path\":\"c.json\",\"drive_idle_timeout_secs\":{}}}",
+                idle
+            )
+        };
+        for bad in [0u64, 1, 14] {
+            let cfg: Config = serde_json::from_str(&mk(bad)).unwrap();
+            assert!(
+                cfg.validate().is_err(),
+                "drive_idle_timeout_secs = {} should reject",
+                bad
+            );
+        }
+        let cfg: Config = serde_json::from_str(&mk(15)).unwrap();
+        cfg.validate().expect("15s should be accepted");
+    }
+
     #[test]
     fn rejects_google_drive_client_id_with_special_chars() {
         let s = r#"{