chore: drop old client support (#14369)

2026-02-15 05:37:32 +00:00 · 2026-02-05 02:49:33 +08:00
parent de29e8300a
commit 403f16b404
103 changed files with 3293 additions and 997 deletions
--- a/packages/frontend/apps/electron/src/main/deep-link.ts
+++ b/packages/frontend/apps/electron/src/main/deep-link.ts
@@ -88,7 +88,9 @@ async function handleAffineUrl(url: string) {

    if (
      !method ||
-      (method !== 'magic-link' && method !== 'oauth') ||
+      (method !== 'magic-link' &&
+        method !== 'oauth' &&
+        method !== 'open-app-signin') ||
      !payload
    ) {
      logger.error('Invalid authentication url', url);
--- a/packages/frontend/apps/electron/src/main/security-restrictions.ts
+++ b/packages/frontend/apps/electron/src/main/security-restrictions.ts
@@ -2,35 +2,7 @@ import { app } from 'electron';

 import { anotherHost, mainHost } from './constants';
 import { openExternalSafely } from './security/open-external';
-
-const extractRedirectTarget = (rawUrl: string) => {
-  try {
-    const parsed = new URL(rawUrl);
-    const redirectUri = parsed.searchParams.get('redirect_uri');
-    if (redirectUri) {
-      return redirectUri;
-    }
-
-    if (parsed.hash) {
-      const hash = parsed.hash.startsWith('#')
-        ? parsed.hash.slice(1)
-        : parsed.hash;
-
-      const queryIndex = hash.indexOf('?');
-      if (queryIndex !== -1) {
-        const hashParams = new URLSearchParams(hash.slice(queryIndex + 1));
-        const hashRedirect = hashParams.get('redirect_uri');
-        if (hashRedirect) {
-          return hashRedirect;
-        }
-      }
-    }
-
-    return null;
-  } catch {
-    return null;
-  }
-};
+import { validateRedirectProxyUrl } from './security/redirect-proxy';

 app.on('web-contents-created', (_, contents) => {
  const isInternalUrl = (url: string) => {
@@ -80,17 +52,18 @@ app.on('web-contents-created', (_, contents) => {
        console.error('[security] Failed to open external URL:', error);
      });
    } else if (url.includes('/redirect-proxy')) {
-      const redirectTarget = extractRedirectTarget(url);
-      if (redirectTarget) {
-        openExternalSafely(redirectTarget).catch(error => {
-          console.error('[security] Failed to open external URL:', error);
-        });
-      } else {
+      const result = validateRedirectProxyUrl(url);
+      if (!result.allow) {
        console.warn(
-          '[security] Blocked redirect proxy with missing redirect target:',
-          url
+          `[security] Blocked redirect proxy: ${result.reason}`,
+          result.redirectTarget ?? url
        );
+        return { action: 'deny' };
      }
+
+      openExternalSafely(result.redirectTarget).catch(error => {
+        console.error('[security] Failed to open external URL:', error);
+      });
    }
    // Prevent creating new window in application
    return { action: 'deny' };
--- a/packages/frontend/apps/electron/src/main/security/redirect-proxy.ts
+++ b/packages/frontend/apps/electron/src/main/security/redirect-proxy.ts
@@ -0,0 +1,84 @@
+import { isAllowedRedirectTarget } from '@toeverything/infra/utils';
+
+import { buildType, isDev } from '../config';
+
+const API_BASE_BY_BUILD_TYPE: Record<typeof buildType, string> = {
+  stable: 'https://app.affine.pro',
+  beta: 'https://insider.affine.pro',
+  internal: 'https://insider.affine.pro',
+  canary: 'https://affine.fail',
+};
+
+function resolveCurrentHostnameForRedirectAllowlist() {
+  const devServerBase = process.env.DEV_SERVER_URL;
+  const base =
+    isDev && devServerBase
+      ? devServerBase
+      : (API_BASE_BY_BUILD_TYPE[buildType] ?? API_BASE_BY_BUILD_TYPE.stable);
+
+  try {
+    return new URL(base).hostname;
+  } catch {
+    return 'app.affine.pro';
+  }
+}
+
+export function extractRedirectTarget(rawUrl: string) {
+  try {
+    const parsed = new URL(rawUrl);
+    const redirectUri = parsed.searchParams.get('redirect_uri');
+    if (redirectUri) {
+      return redirectUri;
+    }
+
+    if (parsed.hash) {
+      const hash = parsed.hash.startsWith('#')
+        ? parsed.hash.slice(1)
+        : parsed.hash;
+
+      const queryIndex = hash.indexOf('?');
+      if (queryIndex !== -1) {
+        const hashParams = new URLSearchParams(hash.slice(queryIndex + 1));
+        const hashRedirect = hashParams.get('redirect_uri');
+        if (hashRedirect) {
+          return hashRedirect;
+        }
+      }
+    }
+
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+export type RedirectProxyValidationResult =
+  | {
+      allow: true;
+      redirectTarget: string;
+    }
+  | {
+      allow: false;
+      reason: 'missing_redirect_target' | 'untrusted_redirect_target';
+      redirectTarget?: string;
+    };
+
+export function validateRedirectProxyUrl(
+  rawUrl: string
+): RedirectProxyValidationResult {
+  const redirectTarget = extractRedirectTarget(rawUrl);
+  if (!redirectTarget) {
+    return { allow: false, reason: 'missing_redirect_target' };
+  }
+
+  const currentHostname = resolveCurrentHostnameForRedirectAllowlist();
+  if (!isAllowedRedirectTarget(redirectTarget, { currentHostname })) {
+    return {
+      allow: false,
+      reason: 'untrusted_redirect_target',
+      redirectTarget,
+    };
+  }
+
+  return { allow: true, redirectTarget };
+}
--- a/packages/frontend/apps/electron/src/main/security/url-safety.ts
+++ b/packages/frontend/apps/electron/src/main/security/url-safety.ts
@@ -0,0 +1,117 @@
+import * as dns from 'node:dns/promises';
+import { BlockList, isIP } from 'node:net';
+
+const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
+const BLOCKED_IPS = new BlockList();
+const ALLOWED_IPV6 = new BlockList();
+
+function stripZoneId(address: string) {
+  const idx = address.indexOf('%');
+  return idx === -1 ? address : address.slice(0, idx);
+}
+
+// Use Node's built-in BlockList (Electron 39 ships with Node 22.x).
+for (const [network, prefix] of [
+  ['0.0.0.0', 8],
+  ['10.0.0.0', 8],
+  ['127.0.0.0', 8],
+  ['169.254.0.0', 16],
+  ['172.16.0.0', 12],
+  ['192.168.0.0', 16],
+  ['100.64.0.0', 10], // CGNAT
+  ['224.0.0.0', 4], // multicast
+  ['240.0.0.0', 4], // reserved (includes broadcast)
+] as const) {
+  BLOCKED_IPS.addSubnet(network, prefix, 'ipv4');
+}
+
+BLOCKED_IPS.addAddress('::', 'ipv6');
+BLOCKED_IPS.addAddress('::1', 'ipv6');
+BLOCKED_IPS.addSubnet('ff00::', 8, 'ipv6'); // multicast
+BLOCKED_IPS.addSubnet('fc00::', 7, 'ipv6'); // unique local
+BLOCKED_IPS.addSubnet('fe80::', 10, 'ipv6'); // link-local
+ALLOWED_IPV6.addSubnet('2000::', 3, 'ipv6'); // global unicast
+
+function extractEmbeddedIPv4FromIPv6(address: string): string | null {
+  if (!address.includes('.')) {
+    return null;
+  }
+  const idx = address.lastIndexOf(':');
+  if (idx === -1) {
+    return null;
+  }
+  const tail = address.slice(idx + 1);
+  return isIP(tail) === 4 ? tail : null;
+}
+
+function isBlockedIpAddress(address: string): boolean {
+  const ip = stripZoneId(address);
+  const family = isIP(ip);
+  if (family === 4) {
+    return BLOCKED_IPS.check(ip, 'ipv4');
+  }
+  if (family === 6) {
+    const embeddedV4 = extractEmbeddedIPv4FromIPv6(ip);
+    if (embeddedV4) {
+      return isBlockedIpAddress(embeddedV4);
+    }
+    if (!ALLOWED_IPV6.check(ip, 'ipv6')) {
+      return true;
+    }
+    return BLOCKED_IPS.check(ip, 'ipv6');
+  }
+  return true;
+}
+
+async function resolveHostAddresses(hostname: string): Promise<string[]> {
+  const lowered = hostname.toLowerCase();
+  if (lowered === 'localhost' || lowered.endsWith('.localhost')) {
+    return ['127.0.0.1', '::1'];
+  }
+
+  const results = await dns.lookup(hostname, { all: true, verbatim: true });
+  return results.map(r => r.address);
+}
+
+export async function resolveAndValidateUrlForPreview(
+  rawUrl: string
+): Promise<{ url: URL; address: string }> {
+  let url: URL;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error('Invalid URL');
+  }
+
+  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
+    throw new Error('Disallowed URL protocol');
+  }
+
+  if (url.username || url.password) {
+    throw new Error('URL must not include credentials');
+  }
+
+  if (!url.hostname) {
+    throw new Error('Missing hostname');
+  }
+
+  if (isIP(url.hostname)) {
+    if (isBlockedIpAddress(url.hostname)) {
+      throw new Error('Blocked IP address');
+    }
+    return { url, address: url.hostname };
+  }
+
+  const addresses = await resolveHostAddresses(url.hostname);
+  if (!addresses.length) {
+    throw new Error('Unresolvable hostname');
+  }
+
+  for (const addr of addresses) {
+    if (isBlockedIpAddress(addr)) {
+      throw new Error('Blocked IP address');
+    }
+  }
+
+  return { url, address: addresses[0] };
+}
--- a/packages/frontend/apps/electron/src/main/ui/handlers.ts
+++ b/packages/frontend/apps/electron/src/main/ui/handlers.ts
@@ -6,6 +6,7 @@ import { isMacOS } from '../../shared/utils';
 import { persistentConfig } from '../config-storage/persist';
 import { logger } from '../logger';
 import { openExternalSafely } from '../security/open-external';
+import { resolveAndValidateUrlForPreview } from '../security/url-safety';
 import type { WorkbenchViewMeta } from '../shared-state-schema';
 import { MenubarStateKey, MenubarStateSchema } from '../shared-state-schema';
 import { globalStateStorage } from '../shared-storage/storage';
@@ -37,6 +38,13 @@ import { getOrCreateCustomThemeWindow } from '../windows-manager/custom-theme-wi
 import { getChallengeResponse } from './challenge';
 import { uiSubjects } from './subject';

+const EMPTY_OBJECT = Object.freeze({
+  title: undefined,
+  description: undefined,
+  icon: undefined,
+  image: undefined,
+});
+
 const TraySettingsState = {
  $: globalStateStorage.watch<MenubarStateSchema>(MenubarStateKey).pipe(
    map(v => MenubarStateSchema.parse(v ?? {})),
@@ -127,6 +135,13 @@ export const uiHandlers = {
    }
  },
  getBookmarkDataByLink: async (_, link: string) => {
+    try {
+      // Basic validation up-front to prevent SSRF (including redirects).
+      await resolveAndValidateUrlForPreview(link);
+    } catch {
+      return EMPTY_OBJECT;
+    }
+
    if (
      (link.startsWith('https://x.com/') ||
        link.startsWith('https://www.x.com/') ||
@@ -135,8 +150,9 @@ export const uiHandlers = {
      link.includes('/status/')
    ) {
      // use api.fxtwitter.com
-      link =
-        'https://api.fxtwitter.com/status/' + /\/status\/(.*)/.exec(link)?.[1];
+      const statusId = /\/status\/(\d+)/.exec(link)?.[1];
+      if (!statusId) return EMPTY_OBJECT;
+      link = `https://api.fxtwitter.com/status/${statusId}`;
      try {
        const { tweet } = (await fetch(link).then(res => res.json())) as any;
        return {
@@ -161,7 +177,20 @@ export const uiHandlers = {
          'User-Agent':
            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36',
        },
-        followRedirects: 'follow',
+        followRedirects: 'manual',
+        handleRedirects: (_baseUrl: string, forwardedUrl: string) => {
+          try {
+            // Only allow http(s) redirects and re-validate before following.
+            const u = new URL(forwardedUrl);
+            return u.protocol === 'http:' || u.protocol === 'https:';
+          } catch {
+            return false;
+          }
+        },
+        resolveDNSHost: async (url: string) => {
+          const { address } = await resolveAndValidateUrlForPreview(url);
+          return address;
+        },
      }).catch(() => {
        return {
          title: '',
--- a/packages/frontend/apps/electron/src/main/windows-manager/authentication.ts
+++ b/packages/frontend/apps/electron/src/main/windows-manager/authentication.ts
@@ -1,5 +1,5 @@
 export interface AuthenticationRequest {
-  method: 'magic-link' | 'oauth';
+  method: 'magic-link' | 'oauth' | 'open-app-signin';
  payload: Record<string, any>;
  server?: string;
 }