
Comments (6)

yanokwa avatar yanokwa commented on July 22, 2024 1

They are visible from the Internet.

from build.

issa-tseng avatar issa-tseng commented on July 22, 2024

The JavaRosa documentation has a lot to say about not allowing http: https://bitbucket.org/javarosa/javarosa/wiki/AuthenticationAPI

I find it vanishingly unlikely that somebody will have a local server that is accessible from the Internet at large anyway?


yanokwa avatar yanokwa commented on July 22, 2024

My reading of the spec is that you should use HTTPS, but it isn't required.

The vast majority of local Aggregate servers (and there are a fair bit of those) I come across do not have HTTPS enabled. This is mostly because installing an SSL cert on Tomcat is a miserable task.


issa-tseng avatar issa-tseng commented on July 22, 2024

Question stands: are those servers visible from the internet, though, or are they likely to be behind a NAT?


issa-tseng avatar issa-tseng commented on July 22, 2024

PR #101 started on this ticket, but it still needs more work:

The request here is to allow both http and https server addresses, so there are quite a few spots that need adjustment:

  • The UI should neither assume http nor https, and allow either option, either via a <select> tag or via format validation with meaningful error text to the user.
  • The server currently assumes https.
  • I'd personally appreciate it if there were a security notice at the bottom (if you go with a <select>, ideally only show it if http is chosen) noting that the user's authentication credentials will be sent insecurely. Sample wording: "Warning: sending data to a non-HTTPS Aggregate server will mean your credentials and data are sent over the web insecurely."

I like that #101 left one example https and changed one to http.


trendspotter avatar trendspotter commented on July 22, 2024

Hi,
Sorry for the thread necromancy, but the unsecured HTTP is still not supported correctly enough. Currently, there is this in the code: https://github.com/opendatakit/build/blob/283da5840c7f83adf8228c558311266723b83fc1/server/odkbuild_server.rb#L252-L255
which forces http.use_ssl = true every time, resulting in an OpenSSL handshake error on plain HTTP. It seems like an easy fix, but I have absolutely zero knowledge of Ruby, so I don't dare to make one.

from build.
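The behaviour requested in this thread, as an added example that is not ODK Build's own code: the address is validated as http:// or https://, TLS is enabled from the URL scheme instead of being forced on, and the thread's sample warning is returned when plain HTTP is chosen. The names `parse_aggregate_address`, `build_connection`, `InvalidServerAddress` and `INSECURE_WARNING` and the sample addresses are hypothetical.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Sample wording proposed in the thread; the constant name is hypothetical.
INSECURE_WARNING = 'Warning: sending data to a non-HTTPS Aggregate server will mean ' \
                   'your credentials and data are sent over the web insecurely.'

# Raised with user-facing text when the address is not usable (hypothetical class).
class InvalidServerAddress < ArgumentError; end

# Parse a user-supplied server address and accept only http:// or https://.
# URI::HTTPS is a subclass of URI::HTTP, so one type check covers both schemes.
def parse_aggregate_address(raw)
  uri = begin
    URI.parse(raw.to_s.strip)
  rescue URI::InvalidURIError
    raise InvalidServerAddress, "Not a valid URL: #{raw.inspect}"
  end
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise InvalidServerAddress,
          'Server address must start with http:// or https:// and include a host name.'
  end
  uri
end

# Build the connection object with TLS decided by the scheme. Forcing
# use_ssl = true against a plain-HTTP listener fails in the TLS handshake.
# Nothing is sent over the network until a request is made on the result.
def build_connection(raw)
  uri = parse_aggregate_address(raw)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  # Keep certificate verification explicit whenever TLS is in use.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
  warning = http.use_ssl? ? nil : INSECURE_WARNING
  [http, warning]
end
```

The caller can show the returned warning next to the address field and only then send credentials over the returned connection.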
