Commit Graph

159 Commits

Author SHA1 Message Date
fang
3ca993df07
eyre: clog exclusively for %facts
Eyre's clog logic was a tad inconsistent about "only facts" vs "not poke-acks".
This makes it consistently say "only facts" when it comes to clog-related logic.
Yes, in theory this means %watch-acks and %kicks can build up endlessly, but
those should take up negligible space compared to %facts.

Should fix any oddball cases of crashes here that #3835 didn't already catch.
2020-11-10 22:06:28 +01:00
fang
c992e4ce9d
eyre: forego <atom> in favor of (scow %aura atom)
Pretty-printing is expensive, yet we do it whenever we construct the cookie
string, at least once (but usually twice) per authenticated request.

Here we call out the the specific to-tape functions we need, instead of relying
on the pretty-printer for converting... tapes to tapes, among other things.  
The primary gains come from the cookie-related instances, we update the others
mostly for good style.

For the "receive request and immediately send response" case, that is processed
synchronously within eyre (ie, client sends channel ack), speeds thing up by
roughly 55%.
2020-11-04 01:02:11 +01:00
fang
a35cad457a
Merge pull request #3830 from urbit/m/respect-forwarded-more
eyre: respect protocol from Forwarded header
2020-10-31 00:38:41 +01:00
fang
f8a2235d6e
Merge pull request #3835 from urbit/m/silent-subs
eyre: ignore facts directly after clog
2020-10-29 22:13:04 +01:00
fang
42229657ca
eyre: respect protocol from Forwarded header
If the Forwarded header specifies the original connection is secure,
update the flag to reflect that, regardless of whether the connection
directly to the urbit was made securely.
2020-10-29 14:24:24 +01:00
fang
93475aa756
eyre: remove fact-without-subscription printf 2020-10-26 15:52:39 +01:00
fang
26049a3da0
eyre: ignore facts directly after clog
When an application would send multiple facts during a single event, it
was possible for the first fact to trigger a clog, removing the
subscription and sending a quit, but then the second fact still getting
sent out at normal.

Here, we drop any facts for subscriptions we don't have registered in
state, which should only happen in the described case.
2020-10-24 11:45:21 +02:00
fang
b92cfdb242
eyre: produce moves in correct order
Because storing in reverse order means producing in reverse reverse
order.

The tests didn't catch this because they, too, were infected with the
"reverse moves" meme.
2020-10-24 01:48:51 +02:00
fang
5bebff3c38
eyre: kick subscriptions if fact conversion fails
This matches the behavior that gall uses for %watch-as subscriptions,
which eyre was using previously.
2020-10-19 19:17:58 +02:00
fang
1d4ee5a7b5
eyre: kick busy subscriptions if client not acking
In order to curb event queue growth when a client for whatever reason
isn't acking the events we send out, we implement a mechanism for
detecting such "clogging", and proactively kick subscriptions which are
adding too many events to the queue.

If the client hasn't sent an ack for ~s30, any subscription that accrues
more than 50 unacked %facts gets closed to prevent further buildup.

Upon reconnecting, the client will see %kick for the relevant
subscriptions and can open a new subscription as appropriate.

Includes a simple test for this behavior, and updates /app/dbug to be
able to display the newly tracked statistics.
2020-10-19 15:56:05 +02:00
fang
63b4fb3e19
eyre: simplify channel subscription storage
Instead of storing by "channel wire", store by request-id instead.
The channel wire was just the channel-id, request-id, and some cruft.
2020-10-19 00:48:18 +02:00
fang
7e5f29cfd2
eyre: convert facts to json manually
By doing a %watch instead of %watch-as %json for channel subscriptions,
we can hopefully make better use of noun deduplication, when storing
events in a channel's event queue until they get acked.
2020-10-18 16:31:35 +02:00
fang
8def1dbea8
eyre: store unacked events unserialized
Store the gall events from channel subscriptions as (vaseless) signs,
instead of serialized events. This should be smaller in memory, and
makes it more likely for noun deduplication to happen.

The cost is needing to reserialize upon channel reconnect, but this is
the less common case, and we don't expect it to be particularly slow.
2020-10-18 16:04:19 +02:00
Fang
c444806c3d
eyre: explicitly permit proposed request in cors
Instead of always providing a wildcard for the allowed methods and
headers, now echoes back the method and headers that the client asked
for, if any.

Fixes #3676.
2020-10-09 14:07:05 +02:00
fang
a1e43e02a0
eyre: prevent binding in reserved namespaces
Disallows registering bindings (through %connect and %serve) that would capture
traffic on paths starting with /~ (Eyre's) or /~_~ (runtime's, as of cc389c5).

Note that we don't touch +insert-binding, which is used by Eyre internally to
set up bindings in its own namespace.
2020-10-06 16:50:49 +02:00
fang
be1f4a5f6b
eyre: add authentication checker scry endpoint
Lets you check whether a specific Cookie header value string constitutes an
authenticated request.

/ex/=//=/authenticated/cookie/(scot %t 'cookie-string')

Intended for use in the runtime, for example with #3557.
2020-10-01 19:55:16 +02:00
fang
a37b728b86
Merge pull request #3565 from tylershuster/eyre-response-code
eyre: send 'no content' status with no content
2020-10-01 16:06:44 +02:00
Fang
0866d99c73
eyre: minimal CORS support
Adds a cors-registry to Eyre's state that tracks allowed and rejected
origins for the purposes of CORS request handling.

For preflight requests, generates a response in-line.
For simple requests, adds CORS headers onto whatever response is given.

See also:
https://groups.google.com/a/urbit.org/g/dev/c/bb82dwEJGzM/m/q2JjNSx5BwAJ
2020-09-30 15:54:15 +02:00
Tyler Brown Cifu Shuster
8a9534e0ac eyre: send 'no content' headers with no content 2020-09-24 21:07:07 -07:00
pkova
5902ef9a53 eyre: remove superfluous connection-state check
This was originally introduced by me in #1814 to address #1811. Eyre was not
canceling heartbeat timers on all relevant events making it easy to end
up with an infinite behn loop. This check allowed ships that entered an infinite
loop to recover, as per my comment at
https://github.com/urbit/urbit/pull/1814#discussion_r333477482. Otherwise it's
not necessary.
2020-09-24 17:50:42 +03:00
Fang
b06f8a0f9e
eyre: send %leave on %fact/ack for deleted channel
Ordinarily, eyre cleans up the relevant gall subscriptions whenever a
channel disappears. In yet unresolved erroneous behavior though, it may
leave a gall subscription open, despite wiping the channel from state.

Attempting to pass the response onto the deleted channel anyway results
in an %eyre-no-channel error later in the event. The volume of these
errors can degrade the user experience, as per #3196.

To resolve the annoyance (but not the underlying issue) we detect the
"subscription has no channel" case, and issue a %leave. Doing so
requires additional information in the wire, so we add that in,
refactoring the relevant wire building along the way.

Note that due to the wire requirements, this cannot resolve existing
cases. For that, we depend on bc929ba6d.
2020-08-27 14:16:46 +02:00
Caio Marcelo de Oliveira Filho
72b164ade2 eyre: Make %code-changed handling less chatty 2020-07-31 13:01:19 -07:00
Caio Marcelo de Oliveira Filho
df868e2c4f jael, eyre: Add a way to reset the web login code
Jael now stores a `step` that is combined with the original salt to
produce a new code.  A `%step` card is used to increment that value,
and effectively resetting the keys.  Because the first `step` is zero,
the first code is the same as before.

Eyre was changed to be notified with `%code-changed` so it can forget
old cookies, sessions and discard all the existing channels.

A new generator was added |code, that does both querying and
resetting the code

    |code             :: shows current code, step and help
    |code %reset      :: changes the code

The old +code generator still works correctly.
2020-07-31 11:35:48 -07:00
matildepark
2ea019850e
Merge pull request #3105 from urbit/mp/destub-ver
eyre: remove stubbed version text
2020-07-09 16:53:12 -04:00
Fang
fa32d711fa
eyre: remove channel.js
Userspace has, rightfully, taken over the task of serving a js client for
eyre's channel API.
2020-07-09 00:15:51 +02:00
Matilde Park
eef149d46d eyre: remove stubbed version text
In replicating a mockup, the residual 'version' for OS1 has overstayed
its welcome as a stub. This commit
removes it.
2020-07-07 23:41:37 -04:00
Philip Monk
935ffaaf23
eyre: give scry function to generators
In Ford Fusion, Clay builds generators but Dojo and Eyre run them.  Dojo
is already virtualized with a scry function, so +mule is fine, but Eyre
is not, so Eyre needs to use +mock and explicitly supply the scry
function.  This does that.  Fortunately, the produced result is simple
and easily clammable.

Fixes #3089
2020-07-02 23:30:17 -07:00
Philip Monk
37b9f854fd
eyre: give all args to generators
fixes #3082
2020-07-02 14:42:26 -07:00
Philip Monk
0301838f25
Merge remote-tracking branch 'origin/release/next-sys' into ford-fusion 2020-06-26 17:46:25 -07:00
Fang
3ecb6f7154
Merge branch 'release/next-sys' into m/eyre-kill-channels 2020-06-18 22:34:22 +02:00
Fang
4ab55893bc
eyre: slightly better error pages 2020-06-12 02:13:13 +02:00
Fang
3c168eddb4
gall: do mark conversion in +ap-peek
Attempt to convert the scry result to the mark that was asked for,
failing the scry (with ~) if the conversion fails.

Eyre's scry logic, then, can pass the requested mark directly into gall.
2020-06-12 02:11:08 +02:00
Fang
b870466977
eyre: only allow authenticated GET scry requests
Lacking any other permissioning mechanism, we must simply reject
unauthenticated HTTP-scry requests for now.
2020-06-12 00:57:25 +02:00
Fang
d20877e414
eyre: support %gx scries
Exposes a scry endpoint. Any requests made to the /app/scry.mark url
under the endpoint will scry into %app using a %gx scry, at the
/scry/noun path, and attempt to convert the scry result into the %mark,
before converting that into the %mime mark, and sending that as an http
response.
2020-06-11 01:45:05 +02:00
Fang
f1fab71d59
eyre: find sub-path for binding
In addition to producing the action bound for a given request, now also
produces the subset of the request url that comes _after_ the path at
which the binding has been established.

Will allow some bindings to more easily dispatch off the relevant part
of the url.
2020-06-11 01:42:21 +02:00
Fang
a4785458d1
eyre: don't lose redirect upon failing login
If we failed the password check, the login page served to us would never
include any redirect details, even if they were there in the original request.

Now we simply (attempt to) parse out the redirect field a little earlier.
2020-06-10 20:37:12 +02:00
Fang
0a32bcda35
Merge branch 'release/next-sys' into ford-fusion 2020-06-09 20:10:28 +02:00
Fang
90ef268a32
Merge branch 'release/next-sys' into m/eyre-kill-channels 2020-06-05 22:25:18 +02:00
Liam Fitzgerald
3ff99b0d7f Merge branch 'origin/lf/get-eyre-redirect' into release/next-sys 2020-06-05 10:41:15 +10:00
Fang
b54dc7cd34
eyre, zuse: expire channels with their sessions
Associates channels with the authentication sessions that opened them,
and deletes the channel when its associated session expires.

Also updates the debug dashboard to display channel counts per session.
2020-06-05 00:22:39 +02:00
Fang
68491420d2
eyre: refactor %delete to reuse timeout logic
Turns +on-channel-timeout into +discard-channel, which cleans up the
entirety of the channel, based on its current state. This allows us to
simplify the %delete channel request into a simple function call.
2020-06-05 00:20:06 +02:00
Liam Fitzgerald
b553d57c29 eyre: 303 redirect on successful login
Changes the HTTP status code of the redirect that occurs upon a
successful login from 307 to 303. 307 preserves the method of the
original request, so the redirected request is a POST. With the new SPA,
this causes a 404 as app/file-server validates the method of the
request, something that did not happen in earlier versions of landscape.
303 instead changes the method to always produce a GET request.
2020-06-04 15:09:00 +10:00
Fang
a66cfc31da
eyre: fake duct for on-load logout binding
Empty duct is considered not good.
2020-06-03 14:29:13 +02:00
Fang
6e3284feac
eyre: use 303 to redirect to login post-logout
This ensures the client sends a GET request, which is more appropriate.
2020-06-03 14:28:30 +02:00
Philip Monk
8b78f04dd3
Merge remote-tracking branch 'origin/master' into ford-fusion 2020-06-02 21:50:20 -07:00
Fang
4d93349402
eyre: provide logout endpoint
Set up, by default, on /~/logout.

Sending a POST request to this expires the current session and redirects
to the login page. If the "all" key is set in the request body, expires
all open sessions.
2020-06-03 01:40:32 +02:00
Fang
574b05a88a
Merge pull request #2959 from urbit/m/eyre-cookies
eyre: augmented cookie handling
2020-06-01 22:11:57 +02:00
Fang
750ff6e5e1
eyre: respect "forwarded" header from localhost
For request transparency, HTTP proxies may set the Forwarded header to
specify who the original requester is.

For requests from localhost only, we make Eyre respect the Forwarded
header, and adjust the handled ip address accordingly.

Note that we do not support X-Forwarded or other non-standard variants.
The header remains in the request, so server applications can handle
them as desired.

Fixes #2723.
2020-05-31 17:45:22 +02:00
Fang
63c26151a3
eyre: extend session duration on-use
When sending a response to an authenticated request, update the session
to last for +session-timeout again, and send an updated cookie to match.

Assuming the user makes an actual HTTP request at least once a week,
this will make sure they don't get logged out automatically. Simply
keeping a channel open, unfortunately, doesn't count.
2020-05-30 02:29:20 +02:00
Fang
a51d93326a
eyre: clean up old +load code
Removes pre-breach state adapter logic and touches up code style.
2020-05-29 15:33:22 +02:00
Fang
00e3159287
eyre: clear expired sessions/cookies from state
Instead of setting a timer for every session, we set a single expiry
timer when the first session is created. On the subsequent wake event,
we clear all cookies that have expired at that time, then set a timer
for when the next session expires.

This approach gives us flexibility wrt sessions going forward, allowing
extending or early deleting of sessions without having to care about the
related timers.

Note that in +load, we clear all existing sessions. We would start the
expiry timer flow there, but can't. Forcing the user to login again
post-ota once isn't the end of the world.
2020-05-29 15:28:44 +02:00
Fang
52ef23ccca
eyre, zuse: add scry interfaces for eyre state
Scries for getting out open connections, cookie sessions, and existing
channels.

Moves the involved types from eyre into zuse.
2020-05-22 23:55:17 +02:00
Ted Blackman
96264f7fa3 eyre: clarify common prints 2020-05-20 04:36:33 -04:00
Ted Blackman
9588542ed4 eyre: fix tests 2020-05-08 01:29:25 -04:00
Fang
664275c9f1
eyre: expose bindings through scry
Allows you to scry out all bound endpoints at /=bindings=.

Moves an internal type into zuse for easier external use.
2020-05-08 01:39:56 +02:00
Ted Blackman
a064afbd89 /sys: |mass works again 2020-05-07 04:51:08 -04:00
Ted Blackman
8fc787b0ca eyre: use ford-fusion; compiles, untested 2020-05-05 01:28:37 -04:00
Michael Hartl
3e203634e3 Fix spelling of "existent" 2020-04-06 08:18:22 -07:00
Luke Champine
b3d78b5d71
eyre: Remove leading sig from password placeholder 2020-03-30 13:32:21 -04:00
Logan Allen
bd947421ca eyre: upon login redirect parameter being empty, redirect to / 2020-03-09 17:16:43 -07:00
Joe Bryan
67cef638c4 Merge branch 'master' into arvo-errors
* master: (484 commits)
  king: Slight CLI cleanup and fix test build.
  king: Add command-line flags to configure HTTP and HTTPS ports.
  groups: reduce metadata updates, removal
  chat: reducer handles metadata removal
  groups: exclude group metadata from channels list
  groups: set and surface group name metadata
  groups: remove dummy 'share' flow, 'default' group
  contacts: rename, migrate '~contacts' to '~groups'
  sh/release: rename vere release tarballs
  vere: patch version bump (v0.10.3 -> v0.10.4.rc1) [ci skip]
  pills: updated brass and solid
  chat: pull room contacts from associated group
  chat: spell 'permanent' correctly
  eyre: remove padding from 'access' input
  chat: only delete metadata for a chat if you created it
  chat: settings inputs add borders on focus
  vere: disables gc on |mass in the daemon process
  chat: remove console.log from metadataAction
  chat: style fixes during review, use metadata-hook
  chat: edit description, color settings
  ...
2020-03-05 11:56:49 -08:00
Matilde Park
dd402e315f eyre: remove padding from 'access' input 2020-03-03 19:52:04 -05:00
Joe Bryan
53d9798cda vane: prints error notifications where not handled 2020-02-26 16:56:17 -08:00
Joe Bryan
4cae84d9ac vane: downcast all error notifications to %crud 2020-02-26 16:56:17 -08:00
Joe Bryan
df970ed417 arvo: passes errors to all vanes 2020-02-26 16:56:17 -08:00
Matilde Park
12b2d4756e eyre: add dark mode styling to sign-in 2020-02-21 21:56:25 -05:00
Isaac Visintainer
00a9eb9eab Merge branch 'master' into os1-rc 2020-02-19 16:04:21 -08:00
Matilde Park
7a530d1001 eyre: amend "purchase an id" link to urbit.org 2020-02-11 15:27:08 -05:00
Matilde Park
662661e316 eyre: add new os1 login screen 2020-02-10 23:24:16 -05:00
Fang
717e2310be
eyre: remove potentially noisy printf
It's perfectly sane for gall (apps) to send quits to subscriptions
incoming from the web.
2020-02-05 18:20:43 +01:00
Ted Blackman
0bee77ce8e
/sys: use +harden on vane tasks
Uses Zuse's previously unused +harden helper function to streamline
+task unwrapping in vanes.

(Arguably, in landlocked vanes like Ford, we should crash if we get a
%soft task, since no events should be coming in directly from the
outside.)
2020-01-27 09:53:53 +04:00
Fang
fcf1846b6f
various: remove trailing whitespace 2020-01-03 22:06:42 +01:00
Philip Monk
769a1c96af
eyre: turn sigpam into flog
This error is mostly harmless, but it does indicate we aren't cleaning
up our subscriptions properly.  This lets you silence with |knob.

fixes #2088
2019-12-14 00:49:23 -08:00
Philip Monk
956a3c7420
eyre: add instructions to login page 2019-12-05 12:31:42 -08:00
Philip Monk
6a406e6b29
gall: mall -> gall 2019-11-18 20:36:21 -08:00
Philip Monk
9862dccc0e
mall: age -> app 2019-11-18 19:28:59 -08:00
Philip Monk
607a2c0ac6
eyre: fix tests 2019-11-13 19:41:56 -08:00
Philip Monk
5fd75edcc6
eyre: change id format 2019-11-13 14:07:37 -08:00
Philip Monk
a1b928488d
eyre: remove eyre-id from eyre's state 2019-11-13 01:45:04 -08:00
Philip Monk
cc94abf717
eyre: cancel subscriptions more aggressively 2019-11-13 01:21:14 -08:00
Philip Monk
4a6e98a558
mall, eyre: refactor server apps to be stateless 2019-11-13 00:38:35 -08:00
Philip Monk
47e3b260d5
eyre: subscribe to apps for responses
This removes the %http-response special case from gall.  In its place,
we implement a subscription regime with the following steps:

- Agent sends %connect to Eyre
- Eyre pokes agent with %handle-http-response, including unique eyre-id
- Agent passes %start-watching to Eyre with eyre-id and unique app-id
- Eyre subscribes to agent on /http-response/app-id
- Agent produces a %http-response-header fact followed by 0 or more
  %http-response-data facts and possibly a %http-response-cancel fact
- Agent produces a %kick to close the subscription, which Eyre
  interprets as completion of the message.

This works when there is data.  There is currently a bug where if the
response has no data in total (as in the case of a naked 404), no
response will be sent.

This also includes lib/http-handler, which implements a convenient
interface for agents that want to respond immediately with all the data.
This lets them avoid carrying extra state to keep track of pending
requests.

This should really have access to your state and the ability to change
it.  Perhaps a more minimalist design would be better: just keep track
of the requests, then hand it off to +on-watch when eyre is ready to
receive responses.  It's not clear how to pass in the request data in
+on-watch.
2019-11-12 23:37:38 -08:00
Philip Monk
7c4316fce4
mall: refactor gift/sign/task types
+on-agent now takes a +sign:agent:mall, which doesn't include spurious
options.  Similarly, +task:agent:mall is smaller.
2019-11-08 17:35:24 -08:00
Philip Monk
43be7737d6
mall: rename agent arms 2019-11-07 00:19:58 -08:00
Philip Monk
0e2da1e130
mall: convert lanaguage-server 2019-11-04 23:47:27 -08:00
Philip Monk
82513c27fc
Merge branch 'master' into philip/mall-real 2019-11-04 19:35:24 -08:00
Anton Dyudin
78d10f30cd
eyre: fix wire=path terminology 2019-10-25 16:04:29 -07:00
pkova
92cc039155 eyre: fix missing cancel-heartbeat-move cases 2019-10-10 20:59:39 +03:00
pkova
a019c2079e eyre: add channel \n heartbeat every 20 seconds 2019-10-07 03:11:11 +03:00
Isaac Visintainer
e9c639464b eyre: changed cookie format 2019-10-04 15:06:01 -07:00
Joe Bryan
1e9cc07649 eyre: close channels in response to memory pressure 2019-10-01 15:04:03 -07:00
Joe Bryan
3dd9bd7111 arvo: wires up %trim memory-pressure event stubs 2019-09-27 13:02:11 -07:00
Philip Monk
b79dead5f8
spider: convert example-fetch to imp 2019-09-27 10:40:22 -07:00
Logan Allen
9a62a04042
eyre: better error handling in channel js 2019-09-27 16:30:53 +04:00
Jared Tobin
0bd06fe210
Merge branch 'jt-gall-refactor' (#1668)
* jt-gall-refactor: (76 commits)
  gall: fix issue id in comment
  pills: update solid
  gall: handle foreign coup success
  gall: only print peek bad result if bad
  gall: add basic test harness
  pills: update solid, brass, ivory
  gall: fix obvious nest-failing tisdot
  gall: change '-state' to '-core' for +mo and +ap
  zuse, gall: deprecate 'club'
  zuse, gall, eyre: deprecate 'cush'
  zuse, gall, eyre, dojo: deprecate 'cuft'
  gall: remove slam-related printfs
  gall: remove deprecated 'mak' from 'agents'
  gall: use less vertical spacing throughout
  gall: add comment re: unpopulated wex
  gall: use less vertical separation when wuthepping
  gall: fix whitespace
  gall: don't define 'move' as a pair
  gall: don't give faces to tags
  gall: gut some unused stuff
  ...
2019-08-29 19:05:25 -02:30
pkova
814ac7a4f9 eyre: make auth cookie live for one week 2019-08-28 22:40:20 +03:00
Jared Tobin
38efc5e902
zuse, gall, eyre: deprecate 'cush'
Replaces with 'internal-task'.
2019-08-22 12:33:24 -02:30
Jared Tobin
ef99074304
zuse, gall, eyre, dojo: deprecate 'cuft'
Replaces it with the more informative name 'internal-gift'.
2019-08-22 12:33:24 -02:30
Matilde Park
a6fe81f950 Monospace ship name in eyre 2019-08-08 17:16:45 -04:00
Elliot Glaysher
36b8902fad Fix ~zod crash by fixing how %eyre handles app cancels.
When we ask an app to run a %handle-http-cancel event, we don't
actually care about the return value or even if it errors. The
cancel event is purely informative. Likewise, because we cause
cancels on restart of urbit, they cannot expose crashes to the
system. Otherwise, an app with an open connection but a broken
or non-existent cancel handler can prevent your ship from
coming back up.
2019-07-25 14:12:44 -07:00