Fixed eslint warnings
Fixing tests that failed
Added unit tests for ARD authentication
Fixed an issue with the ARD rfb version number in the unit tests
Fixed issue with username/password lengths
Username and password lengths are now capped at 63 characters each. Improved code for sign bit on public key bytes.
UTF Encoder username and password before packing it
Change UTF encoding to encode the username and password before packing it to prevent it from being expanded beyond the allowed size. Public key is truncated to proper key length.
Replaced forge with web crypto for ARD authentication
Changed the way in which the async methods are handled, added unit tests to verify ARD encryption output.
Update .eslintignore
These are used via CSS, which means the browser doesn't load them until
an element actually gets those CSS rules. There can be some delay to
this loading which causes visual glitches. By preloading we can make
sure those images are cached and ready when the status bar appears.
This space that was added here was added to the parsed value of the
query variable. This broke any comparisons with the value, for example
"myvar=true" resulted in a value of "true ".
This was broken by f796b05e42
The commit also adds unit tests for webutil.getConfigVar() that will
detect problems like this in the future.
Now that we use ResizeObserver we know that we require more modern
browsers. The most notable ones here are Firefox and Safari.
With regards to Firefox, while the desktop version has had support
since 69, the Android app requires 79. At the time of writing the
current ESR of Firefox is 78, but the concept of ESR doesn't seem to
exist for Android.
The Safari 13 requirement means we no longer support for example iPhone
5S or the 4th generation of the iPad. These are devices from 2013~2014.
Passing parameters as part of the fragment could be considered
benifical from a security or privacy standpoint when compared to query
string parameters. The URL fragment parameters are not sent to the
server.
Hooking in to the underlying WebSocket after it has been created no
longer works, so clean things up and use the new method of passing an
existing object to the RFB constructor.
We need to do this in order to safely attach to existing WebSocket
objects. There may be message events already pending so we must set up
our event handlers before returning.
This means we will now throw errors instead of generating "disconnect"
events on problems as the caller no longer has the opportunity to set up
event handlers.
This might have been the correct approach from the start as it mimics
how e.g. the WebSocket constructor works.
We don't know if the caller is prepared to receive those events right
now as normally they would get them on a fresh new stack later. We also
can't delay delivery since then we might deliver the event after any
pending "message" events.
Better to push the problem one layer up to the caller, which now needs
to be more aware of the state of the WebSocket object it is trying to
use.
This is an error that presents itself with RTCDataChannel's, I suspect this could not
happen with a pre-existing WebSocket.
If the remote connection creates a data channel then the local (VNC) side gets a channel
created callback. It may also be the case that in that very same tick the socket is also
opened and buffered data received. This meant that (in my tests) about 1/3 of the time
noVNC would fail to respond to the initial message from the server because it was received
and subsequently not handled during that initial tick.
Also made the documentation reflect this new behaviour and document the existing behaviour.
Most places that check for the presence / absence of credentials compare
them against `undefined`, except the one for Plain authentication.
This change makes the very last place to use the same pattern (instead
of checking for falsiness) for consistency. Additionally, there are ways
to configure PAM to accept empty passwords, so it's possible for a user
to legitimately send an empty string as password.
This work is originally by Ryan Castner <castner.rr@gmail.com> and
submitted as a PR here https://github.com/novnc/noVNC/pull/1362
Architecturally it is much the same except it doesn't rename a lot
of variables to make this more reviewable. It also avoids unrelated
changes such as replacing .onclose with an event listener, which
caused numerous test failures.
It also adds in ppoffice's fix to initialise the buffers.
Like the original author I don't have enough time available to
refactor this project to the new style event listeners.
Review cleanup for RTCDataChannel support (see below)
* More descriptive error when url or channel not set.
* Moved websocket property check to WebSock.
This had unintended consequences in the tests that required some
fixup. Mostly due to some tests not always passing FakeWebsocket.
FakeWebsocket also needs to set the listeners to null to be compatible
with what is in thw browser and expected by the property check code.
The property check code now also takes into account class prototypes
for test compatibility.
* Removed unreachable code.
* Reverted comment.
* Cleanup raw channel reference in rfb on websock close.
* Use readyState to check whether a socket is open rather than assuming.
* Updated RFB constructor documentation
Removed an unused boolean passed to attach
Some people have longer passwords than 256 characters (hooray for
password managers!). Server implementations also allow longer passwords:
TigerVNC allows up to 1024 characters.