Support restricting device connections to the web endpoint #1881
Conversation
joshk
force-pushed
the
device-web-endpoint-restrictions
branch
2 times, most recently
from
527cc55 to
274bad9
Compare
joshk
force-pushed
the
device-web-endpoint-restrictions
branch
from
274bad9 to
b3c1205
Compare
| @@ -1,12 +1,19 @@ | |||
| defmodule NervesHub.Helpers.WebsocketConnectionError do | |||
| import Plug.Conn | |||
|
|
|||
| @message "no certificate pair or shared secrets connection settings were provided" | |||
| @no_auth_message "no certificate pair or shared secrets connection settings were provided" | |||
| @check_uri_message "incorrect uri used, please contact support" | |||
There was a problem hiding this comment.
can we get some configured URL info into this message so we can actually tell them the fix?
There was a problem hiding this comment.
Sure. Although, just so you know, slipstream doesn't show this message by default, which is a pity
| @@ -188,6 +198,14 @@ defmodule NervesHubWeb.DeviceSocket do | |||
| end | |||
| end | |||
|
|
|||
| defp check_source_enabled(source) do | |||
There was a problem hiding this comment.
I wonder if we should have an in-between mode for the transition that just throws a "wrong-endpoint" key in the device connection metadata or similar. And then we could show it to people.
Though we have few enough people that will be hit by it that we can essentially tell them and give them a deadline?
There was a problem hiding this comment.
Yeah, I wouldn't want to add too much extra complexity to this. Instead we can just send out a warning to current users, check our logs to make sure people are off, and then turn it off. I have no intention to turn this off yet.
This allows installations to disable shared secret device connections to web endpoints.
This is ideal for cases where you are running a devices endpoint and want to make sure all connections go there.