replace hard-coded basic HTTP authentication with triggered Authenticator
authorDamyan Ivanov <dam+mobileledger@ktnx.net>
Sat, 13 Jul 2019 05:38:37 +0000 (08:38 +0300)
committerDamyan Ivanov <dam+mobileledger@ktnx.net>
Sat, 13 Jul 2019 05:39:16 +0000 (08:39 +0300)
checks whether the host name matches

avoids exposing authentication data to wifi portals

app/src/main/java/net/ktnx/mobileledger/App.java
app/src/main/java/net/ktnx/mobileledger/utils/NetworkUtil.java

index b6ae697f355409d9b1256b05b57174427d4b598b..920187e9fb54d98b69e0766ff097031ae0b53c7a 100644 (file)
@@ -23,12 +23,19 @@ import android.content.res.Configuration;
 import android.content.res.Resources;
 import android.database.sqlite.SQLiteDatabase;
 import android.preference.PreferenceManager;
+import android.util.Log;
 
 import net.ktnx.mobileledger.model.Data;
+import net.ktnx.mobileledger.model.MobileLedgerProfile;
 import net.ktnx.mobileledger.utils.Globals;
 import net.ktnx.mobileledger.utils.Logger;
 import net.ktnx.mobileledger.utils.MobileLedgerDatabase;
 
+import java.net.Authenticator;
+import java.net.MalformedURLException;
+import java.net.PasswordAuthentication;
+import java.net.URL;
+
 import static net.ktnx.mobileledger.ui.activity.SettingsActivity.PREF_KEY_SHOW_ONLY_STARRED_ACCOUNTS;
 
 public class App extends Application {
@@ -51,6 +58,30 @@ public class App extends Application {
                 (preference, value) -> Data.optShowOnlyStarred
                         .set(preference.getBoolean(PREF_KEY_SHOW_ONLY_STARRED_ACCOUNTS, false));
         p.registerOnSharedPreferenceChangeListener(handler);
+        Authenticator.setDefault(new Authenticator() {
+            @Override
+            protected PasswordAuthentication getPasswordAuthentication() {
+                MobileLedgerProfile p = Data.profile.getValue();
+                if ((p != null) && p.isAuthEnabled()) {
+                    try {
+                        final URL url = new URL(p.getUrl());
+                        final String requestingHost = getRequestingHost();
+                        final String expectedHost = url.getHost();
+                        if (requestingHost.equalsIgnoreCase(expectedHost))
+                            return new PasswordAuthentication(p.getAuthUserName(),
+                                    p.getAuthPassword().toCharArray());
+                        else Log.w("http-auth",
+                                String.format("Requesting host [%s] differs from expected [%s]",
+                                        requestingHost, expectedHost));
+                    }
+                    catch (MalformedURLException e) {
+                        e.printStackTrace();
+                    }
+                }
+
+                return super.getPasswordAuthentication();
+            }
+        });
     }
     private void updateMonthNames() {
         Resources rm = getResources();
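Review bot: `requestingHost.equalsIgnoreCase(expectedHost)` dereferences the result of `getRequestingHost()`, which the Authenticator API documents as possibly null, so a challenge without a host name would throw NullPointerException out of the authenticator instead of simply declining; flipping it to `expectedHost.equalsIgnoreCase(requestingHost)` is enough, since `url.getHost()` is never null. The match also looks at the host name only, so a challenge for the same name on a different scheme or port would still be answered with the profile's credentials; comparing `getRequestorType()`, `getRequestingProtocol()` and `getRequestingPort()` against the profile URL keeps them on the configured origin, as sketched below. `e.printStackTrace()` on the malformed-URL path bypasses the logging the file already uses; `Log.w("http-auth", "profile URL is not a valid URL", e)` keeps the trace and stays consistent with the warning above it. A short comment on `Authenticator.setDefault` noting that it is process-wide and that `Data.profile` is read at challenge time rather than at setup would help the next reader.
```java
final URL url = new URL(p.getUrl());
final String requestingHost = getRequestingHost();
final String expectedHost = url.getHost();
final int expectedPort = (url.getPort() == -1) ? url.getDefaultPort() : url.getPort();
// Answer only a server challenge from the configured origin: same host,
// same scheme and same port. Anything else declines (superclass default)
// instead of handing out the profile's credentials.
final boolean sameOrigin = (getRequestorType() == RequestorType.SERVER)
        && expectedHost.equalsIgnoreCase(requestingHost)
        && url.getProtocol().equalsIgnoreCase(getRequestingProtocol())
        && (expectedPort == getRequestingPort());
if (sameOrigin)
    return new PasswordAuthentication(p.getAuthUserName(),
            p.getAuthPassword().toCharArray());
else Log.w("http-auth",
        String.format("Requesting %s://%s:%d differs from expected [%s]",
                getRequestingProtocol(), requestingHost, getRequestingPort(), url));
// … unchanged: MalformedURLException catch …
```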
index 28663b6601cbfb6a5aa67c9a3fdab70b95e66c24..c0802a4547b1f0668faf3810f4852f668155649f 100644 (file)
 
 package net.ktnx.mobileledger.utils;
 
-import android.util.Base64;
-
 import net.ktnx.mobileledger.model.MobileLedgerProfile;
 
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 
 import static net.ktnx.mobileledger.utils.Logger.debug;
 
@@ -38,15 +35,7 @@ public final class NetworkUtil {
         url += path;
         debug("network", "Connecting to " + url);
         HttpURLConnection http = (HttpURLConnection) new URL(url).openConnection();
-        if (use_auth) {
-            final String auth_user = profile.getAuthUserName();
-            final String auth_password = profile.getAuthPassword();
-            final byte[] bytes = (String.format("%s:%s", auth_user, auth_password))
-                    .getBytes(StandardCharsets.UTF_8);
-            final String value = Base64.encodeToString(bytes, Base64.DEFAULT);
-            http.setRequestProperty("Authorization", "Basic " + value);
-        }
-        http.setAllowUserInteraction(false);
+        http.setAllowUserInteraction(true);
         http.setRequestProperty("Accept-Charset", "UTF-8");
         http.setInstanceFollowRedirects(false);
         http.setUseCaches(false);
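Review bot: With the preemptive `Authorization` header gone, a request to an auth-enabled profile now goes out without credentials and depends on the server's 401 challenge before the default Authenticator is consulted, which is an extra round trip per request; a one-line comment above `openConnection()` such as `// credentials are supplied on challenge by the Authenticator installed in App` would stop the next reader from re-adding the header. The `use_auth` flag that gated the removed block is presumably still computed by the enclosing method, whose start is outside the hunk; if nothing else reads it, it is dead now. I could not confirm from here whether `setAllowUserInteraction(true)` is required for the Authenticator to be invoked on this platform, so the flip deserves a comment stating why it was made.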