
eyre: add /~/name endpoint

Open · pkova opened this pull request 2 years ago · 1 comment

One day we will have userspace permissioning, hopefully preventing evil software from performing evil deeds. This evil software could nevertheless distribute a frontend that steals the login cookie for a ship (XSS). This PR mitigates that risk by adding the HttpOnly attribute to the login cookie, preventing JavaScript in the browser from accessing it.

There seem to be two ways of doing ship name discovery in the Urbit codebase. The first one is injecting window.ship through session.js like this, and the other is parsing the auth cookie like this. This PR adds the endpoint /~/name to eyre, which responds with the @p of the running ship if the request is authenticated. I also included changes to http-api to account for not being able to parse the cookie anymore. This new endpoint could also replace the wonky session.js stuff, but that change can safely be made later.

pkova commented Jul 31 '22 23:07

Style nit fixed, modified endpoint description in /sys/lull and Urbit.ts now tries parsing the cookie, using the new endpoint if that fails.

pkova commented Aug 29 '22 11:08
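The two pieces this PR describes, issuing the login cookie with HttpOnly and answering /~/name only for authenticated requests, together with the client-side behaviour from the update above (parse the cookie first, fall back to the endpoint), as an added example in plain JavaScript. This is not code from the urbit repository or from http-api; it models the mechanism so the interaction can be run and checked offline. Assumed, not taken from the page: the cookie name pattern `urbauth-<ship>`, an in-memory session table, the sample ship `~sampel-palnet` and the token value.

```javascript
// Added example, not the urbit repository's own code.
// Assumptions (constructed for this example, not from the PR):
//  - the login cookie is named `urbauth-<ship>` and carries a session token
//  - valid session tokens live in an in-memory Map keyed by token
//  - `~sampel-palnet` and the token strings are constructed sample values

const SESSIONS = new Map(); // token -> ship that owns the session

// Server side: build the Set-Cookie header for a fresh login. HttpOnly keeps
// the value out of document.cookie, so a frontend-injected script cannot
// read it; Secure and SameSite are the usual companions.
function buildLoginCookie(ship, token, { secure = true } = {}) {
  SESSIONS.set(token, ship);
  const attrs = [`urbauth-${ship}=${token}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parse a Cookie request header (or document.cookie) into name -> value.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return out;
}

// Server side: GET /~/name. Only a request carrying a live session cookie
// whose name matches the session's ship gets the @p back; anything else
// is refused, so the endpoint leaks nothing to unauthenticated callers.
function handleNameRequest(cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  for (const [name, token] of cookies) {
    if (!name.startsWith('urbauth-')) continue;
    const ship = SESSIONS.get(token);
    if (ship && name === `urbauth-${ship}`) {
      return { status: 200, body: ship };
    }
  }
  return { status: 403, body: '' };
}

// Client side: legacy path first (derive the ship from the cookie name),
// and if the cookie is invisible (HttpOnly) ask /~/name instead.
// `fetchName` stands in for the HTTP call; in a browser it would wrap fetch().
function discoverShip(documentCookie, fetchName) {
  const cookies = parseCookieHeader(documentCookie);
  for (const name of cookies.keys()) {
    if (name.startsWith('urbauth-')) return name.slice('urbauth-'.length);
  }
  return fetchName();
}
```

With HttpOnly set, `document.cookie` on the client is empty even though the browser still sends the cookie on requests, so `discoverShip` takes the fallback and the server answers from the session table; the legacy parse still works for any deployment that has not yet flagged the cookie.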

@Fang- and @arthyn - this looks like it has a failing test. I'd like to get this over the line and merged, since you've both approved it and there was a lot of work here.

@Fang- I'm going to assign this one to you, can we get it passing and merged?

zalberico commented Nov 09 '22 21:11

@pkova can you update this by resolving conflicts and updating the base branch? Then we can see where the tests are at and figure out how to finish this up.

jalehman commented Feb 10 '23 14:02

Rebased and removed the Urbit.ts stuff that went in in #6084.

pkova commented Feb 13 '23 12:02

This PR breaks backwards compatibility, so in the next release we should be decrementing a kelvin. See here: https://github.com/urbit/urbit/issues/6342.

tadad commented Feb 19 '23 16:02

@tadad https://github.com/urbit/urbit/pull/6324 <- the intent of the partial revert in that case was to not break backwards compatibility. Did you see that, or is there still an issue?

zalberico commented Feb 21 '23 00:02

My point is that the name endpoint also breaks backwards compatibility, because it changes the type of a scry. In blog I do a ?- on the -.action:eyre which I scry from %e /=bindings=, which broke when this got merged into develop.

tadad commented Feb 21 '23 00:02