Enable secret storage (#6450)

* Remove unused dependency patch * Enable secret storage based on local storage * Remove unnecessary GitHub auth patch It works now without the patch.
coder · Sep 26, 2023 · a1131fa · a1131fa
1 parent 468cf5c
commit a1131fa
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 171 deletions.
diff --git a/patches/base-path.diff b/patches/base-path.diff
@@ -265,15 +265,35 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  	}
 
  	private startListening(): void {
-@@ -569,7 +570,7 @@ function readCookie(name: string): strin
+@@ -550,17 +551,6 @@ class WorkspaceProvider implements IWork
+ 	}
+ }
+
+-function readCookie(name: string): string | undefined {
+-	const cookies = document.cookie.split('; ');
+-	for (const cookie of cookies) {
+-		if (cookie.startsWith(name + '=')) {
+-			return cookie.substring(name.length + 1);
+-		}
+-	}
+-
+-	return undefined;
+-}
+-
+ (function () {
+
+ 	// Find config by checking for DOM
+@@ -569,8 +559,8 @@ function readCookie(name: string): strin
  	if (!configElement || !configElementAttribute) {
  		throw new Error('Missing web configuration element');
  	}
 -	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = JSON.parse(configElementAttribute);
+-	const secretStorageKeyPath = readCookie('vscode-secret-key-path');
 +	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = { ...JSON.parse(configElementAttribute), remoteAuthority: location.host }
- 	const secretStorageKeyPath = readCookie('vscode-secret-key-path');
++	const secretStorageKeyPath = (window.location.pathname + "/mint-key").replace(/\/\/+/g, "/");
  	const secretStorageCrypto = secretStorageKeyPath && ServerKeyedAESCrypto.supported()
  		? new ServerKeyedAESCrypto(secretStorageKeyPath) : new TransparentCrypto();
+
 Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts

diff --git a/patches/dependencies.diff b/patches/dependencies.diff
diff --git a/patches/github-auth.diff b/patches/github-auth.diff
diff --git a/patches/series b/patches/series
@@ -9,7 +9,6 @@ update-check.diff
 logout.diff
 store-socket.diff
 proxy-uri.diff
-github-auth.diff
 unique-db.diff
 local-storage.diff
 service-worker.diff

diff --git a/src/node/routes/vscode.ts b/src/node/routes/vscode.ts
@@ -1,5 +1,7 @@
 import { logger } from "@coder/logger"
+import * as crypto from "crypto"
 import * as express from "express"
+import { promises as fs } from "fs"
 import * as http from "http"
 import * as net from "net"
 import * as path from "path"
@@ -32,6 +34,7 @@ export class CodeServerRouteWrapper {
   private _wsRouterWrapper = WsRouter()
   private _socketProxyProvider = new SocketProxyProvider()
   public router = express.Router()
+  private mintKeyPromise: Promise<Buffer> | undefined
 
   public get wsRouter() {
     return this._wsRouterWrapper.router
@@ -66,6 +69,33 @@ export class CodeServerRouteWrapper {
     )
   }
 
+  private mintKey: express.Handler = async (req, res, next) => {
+    if (!this.mintKeyPromise) {
+      this.mintKeyPromise = new Promise(async (resolve) => {
+        const keyPath = path.join(req.args["user-data-dir"], "serve-web-key-half")
+        logger.debug(`Reading server web key half from ${keyPath}`)
+        try {
+          resolve(await fs.readFile(keyPath))
+          return
+        } catch (error: any) {
+          if (error.code !== "ENOENT") {
+            logError(logger, `read ${keyPath}`, error)
+          }
+        }
+        // VS Code wants 256 bits.
+        const key = crypto.randomBytes(32)
+        try {
+          await fs.writeFile(keyPath, key)
+        } catch (error: any) {
+          logError(logger, `write ${keyPath}`, error)
+        }
+        resolve(key)
+      })
+    }
+    const key = await this.mintKeyPromise
+    res.end(key)
+  }
+
   private $root: express.Handler = async (req, res, next) => {
     const isAuthenticated = await authenticated(req)
     const NO_FOLDER_OR_WORKSPACE_QUERY = !req.query.folder && !req.query.workspace
@@ -173,6 +203,7 @@ export class CodeServerRouteWrapper {
   constructor() {
     this.router.get("/", this.ensureCodeServerLoaded, this.$root)
     this.router.get("/manifest.json", this.manifest)
+    this.router.post("/mint-key", this.mintKey)
     this.router.all("*", ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyRequest)
     this._wsRouterWrapper.ws("*", ensureOrigin, ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyWebsocket)
   }