Implement message signing for Flutter #25
Conversation
…e signatures - untested
…ature is malformed - work put on hold
…t turns out Dart's HttpClient drops an automatic "Content-Length: 0"
…ever go out of bounds; Remove debug logging in prep for release;
…e host keys; Update SfBareItem.fromDynamic to remove dead code for int check; Clean up test cases by removing unused test
…gning synchronus (as it was) as we want it to be returning void not Future
…tructured fields/message signing
…d message signing components, for each method in the code.
...c/main/java/com/criticalblue/approov_service_flutter_httpclient/ApproovHttpClientPlugin.java
Show resolved
Hide resolved
|
|
||
| defaultConfig { | ||
| minSdkVersion 19 | ||
| minSdk 21 |
There was a problem hiding this comment.
Is this the same as everywhere else?
There was a problem hiding this comment.
This is automatically generated by Flutter initially, I had to update it to modern standards, minSdkVersion 21 is required for Flutter 3.10. We still support Android 5.0+ on SDK 21
| @try { | ||
| result([Approov getInstallMessageSignature:call.arguments[@"message"]]); | ||
| } | ||
| @catch (NSException *exception) { |
There was a problem hiding this comment.
Why are these the only methods to catch exceptions? What happens if you don't catch the exception here?
There was a problem hiding this comment.
That's because other methods are not throwing, so we don't expect anything to catch. If exception is not caught here it would most likely escape the plugin and crash the Flutter app.
We throw things such as:
StateError('install message signature empty');I think it makes sense to throw NSException here, we could just log and return but it doesn't seem right
| } | ||
|
|
||
| void setAlg(String value) { | ||
| _parameters['alg'] = SfBareItem.string(value); |
There was a problem hiding this comment.
'alg' and 'algorithm' should be the same value in your implementation. (I think algorithm should probably be removed). The SignatureParameters object shouldn't really know about the set of vaild algorithms either. That should be managed at a higher level (the default Approov message singing implementation - the same approach taken by okhttp). If this has been copied from the swift stuff, then I am a little concerned that we have different implementations betwee android and iOS.
There was a problem hiding this comment.
I've addressed it in the latest commit 722a3fa
Now it aligns with our other implementations.
…ecify whether Installation or Account message signing is used.
… the "alg" parameter so the Dart layer mirrors the OkHttp/URLSession behaviour and the parameter object stays algorithm-agnostic. Improved formatting of the code to be easier to read.
…layers to provide a clearer intent for account message signing. Now there is a clear distinction between account and installation message signing. Added revelant tests
Related to approov/core-project-approov#40