Commit Graph

102 Commits

Author SHA1 Message Date
fang
26049a3da0
eyre: ignore facts directly after clog
When an application would send multiple facts during a single event, it
was possible for the first fact to trigger a clog, removing the
subscription and sending a quit, but then the second fact still getting
sent out at normal.

Here, we drop any facts for subscriptions we don't have registered in
state, which should only happen in the described case.
2020-10-24 11:45:21 +02:00
fang
5bebff3c38
eyre: kick subscriptions if fact conversion fails
This matches the behavior that gall uses for %watch-as subscriptions,
which eyre was using previously.
2020-10-19 19:17:58 +02:00
fang
1d4ee5a7b5
eyre: kick busy subscriptions if client not acking
In order to curb event queue growth when a client for whatever reason
isn't acking the events we send out, we implement a mechanism for
detecting such "clogging", and proactively kick subscriptions which are
adding too many events to the queue.

If the client hasn't sent an ack for ~s30, any subscription that accrues
more than 50 unacked %facts gets closed to prevent further buildup.

Upon reconnecting, the client will see %kick for the relevant
subscriptions and can open a new subscription as appropriate.

Includes a simple test for this behavior, and updates /app/dbug to be
able to display the newly tracked statistics.
2020-10-19 15:56:05 +02:00
fang
63b4fb3e19
eyre: simplify channel subscription storage
Instead of storing by "channel wire", store by request-id instead.
The channel wire was just the channel-id, request-id, and some cruft.
2020-10-19 00:48:18 +02:00
fang
7e5f29cfd2
eyre: convert facts to json manually
By doing a %watch instead of %watch-as %json for channel subscriptions,
we can hopefully make better use of noun deduplication, when storing
events in a channel's event queue until they get acked.
2020-10-18 16:31:35 +02:00
fang
8def1dbea8
eyre: store unacked events unserialized
Store the gall events from channel subscriptions as (vaseless) signs,
instead of serialized events. This should be smaller in memory, and
makes it more likely for noun deduplication to happen.

The cost is needing to reserialize upon channel reconnect, but this is
the less common case, and we don't expect it to be particularly slow.
2020-10-18 16:04:19 +02:00
Fang
c444806c3d
eyre: explicitly permit proposed request in cors
Instead of always providing a wildcard for the allowed methods and
headers, now echoes back the method and headers that the client asked
for, if any.

Fixes #3676.
2020-10-09 14:07:05 +02:00
fang
a1e43e02a0
eyre: prevent binding in reserved namespaces
Disallows registering bindings (through %connect and %serve) that would capture
traffic on paths starting with /~ (Eyre's) or /~_~ (runtime's, as of cc389c5).

Note that we don't touch +insert-binding, which is used by Eyre internally to
set up bindings in its own namespace.
2020-10-06 16:50:49 +02:00
fang
be1f4a5f6b
eyre: add authentication checker scry endpoint
Lets you check whether a specific Cookie header value string constitutes an
authenticated request.

/ex/=//=/authenticated/cookie/(scot %t 'cookie-string')

Intended for use in the runtime, for example with #3557.
2020-10-01 19:55:16 +02:00
fang
a37b728b86
Merge pull request #3565 from tylershuster/eyre-response-code
eyre: send 'no content' status with no content
2020-10-01 16:06:44 +02:00
Fang
0866d99c73
eyre: minimal CORS support
Adds a cors-registry to Eyre's state that tracks allowed and rejected
origins for the purposes of CORS request handling.

For preflight requests, generates a response in-line.
For simple requests, adds CORS headers onto whatever response is given.

See also:
https://groups.google.com/a/urbit.org/g/dev/c/bb82dwEJGzM/m/q2JjNSx5BwAJ
2020-09-30 15:54:15 +02:00
Tyler Brown Cifu Shuster
8a9534e0ac eyre: send 'no content' headers with no content 2020-09-24 21:07:07 -07:00
pkova
5902ef9a53 eyre: remove superfluous connection-state check
This was originally introduced by me in #1814 to address #1811. Eyre was not
canceling heartbeat timers on all relevant events making it easy to end
up with an infinite behn loop. This check allowed ships that entered an infinite
loop to recover, as per my comment at
https://github.com/urbit/urbit/pull/1814#discussion_r333477482. Otherwise it's
not necessary.
2020-09-24 17:50:42 +03:00
Fang
b06f8a0f9e
eyre: send %leave on %fact/ack for deleted channel
Ordinarily, eyre cleans up the relevant gall subscriptions whenever a
channel disappears. In yet unresolved erroneous behavior though, it may
leave a gall subscription open, despite wiping the channel from state.

Attempting to pass the response onto the deleted channel anyway results
in an %eyre-no-channel error later in the event. The volume of these
errors can degrade the user experience, as per #3196.

To resolve the annoyance (but not the underlying issue) we detect the
"subscription has no channel" case, and issue a %leave. Doing so
requires additional information in the wire, so we add that in,
refactoring the relevant wire building along the way.

Note that due to the wire requirements, this cannot resolve existing
cases. For that, we depend on bc929ba6d.
2020-08-27 14:16:46 +02:00
Caio Marcelo de Oliveira Filho
72b164ade2 eyre: Make %code-changed handling less chatty 2020-07-31 13:01:19 -07:00
Caio Marcelo de Oliveira Filho
df868e2c4f jael, eyre: Add a way to reset the web login code
Jael now stores a `step` that is combined with the original salt to
produce a new code.  A `%step` card is used to increment that value,
and effectively resetting the keys.  Because the first `step` is zero,
the first code is the same as before.

Eyre was changed to be notified with `%code-changed` so it can forget
old cookies, sessions and discard all the existing channels.

A new generator was added |code, that does both querying and
resetting the code

    |code             :: shows current code, step and help
    |code %reset      :: changes the code

The old +code generator still works correctly.
2020-07-31 11:35:48 -07:00
matildepark
2ea019850e
Merge pull request #3105 from urbit/mp/destub-ver
eyre: remove stubbed version text
2020-07-09 16:53:12 -04:00
Fang
fa32d711fa
eyre: remove channel.js
Userspace has, rightfully, taken over the task of serving a js client for
eyre's channel API.
2020-07-09 00:15:51 +02:00
Matilde Park
eef149d46d eyre: remove stubbed version text
In replicating a mockup, the residual 'version' for OS1 has overstayed
its welcome as a stub. This commit
removes it.
2020-07-07 23:41:37 -04:00
Philip Monk
935ffaaf23
eyre: give scry function to generators
In Ford Fusion, Clay builds generators but Dojo and Eyre run them.  Dojo
is already virtualized with a scry function, so +mule is fine, but Eyre
is not, so Eyre needs to use +mock and explicitly supply the scry
function.  This does that.  Fortunately, the produced result is simple
and easily clammable.

Fixes #3089
2020-07-02 23:30:17 -07:00
Philip Monk
37b9f854fd
eyre: give all args to generators
fixes #3082
2020-07-02 14:42:26 -07:00
Philip Monk
0301838f25
Merge remote-tracking branch 'origin/release/next-sys' into ford-fusion 2020-06-26 17:46:25 -07:00
Fang
3ecb6f7154
Merge branch 'release/next-sys' into m/eyre-kill-channels 2020-06-18 22:34:22 +02:00
Fang
4ab55893bc
eyre: slightly better error pages 2020-06-12 02:13:13 +02:00
Fang
3c168eddb4
gall: do mark conversion in +ap-peek
Attempt to convert the scry result to the mark that was asked for,
failing the scry (with ~) if the conversion fails.

Eyre's scry logic, then, can pass the requested mark directly into gall.
2020-06-12 02:11:08 +02:00
Fang
b870466977
eyre: only allow authenticated GET scry requests
Lacking any other permissioning mechanism, we must simply reject
unauthenticated HTTP-scry requests for now.
2020-06-12 00:57:25 +02:00
Fang
d20877e414
eyre: support %gx scries
Exposes a scry endpoint. Any requests made to the /app/scry.mark url
under the endpoint will scry into %app using a %gx scry, at the
/scry/noun path, and attempt to convert the scry result into the %mark,
before converting that into the %mime mark, and sending that as an http
response.
2020-06-11 01:45:05 +02:00
Fang
f1fab71d59
eyre: find sub-path for binding
In addition to producing the action bound for a given request, now also
produces the subset of the request url that comes _after_ the path at
which the binding has been established.

Will allow some bindings to more easily dispatch off the relevant part
of the url.
2020-06-11 01:42:21 +02:00
Fang
a4785458d1
eyre: don't lose redirect upon failing login
If we failed the password check, the login page served to us would never
include any redirect details, even if they were there in the original request.

Now we simply (attempt to) parse out the redirect field a little earlier.
2020-06-10 20:37:12 +02:00
Fang
0a32bcda35
Merge branch 'release/next-sys' into ford-fusion 2020-06-09 20:10:28 +02:00
Fang
90ef268a32
Merge branch 'release/next-sys' into m/eyre-kill-channels 2020-06-05 22:25:18 +02:00
Liam Fitzgerald
3ff99b0d7f Merge branch 'origin/lf/get-eyre-redirect' into release/next-sys 2020-06-05 10:41:15 +10:00
Fang
b54dc7cd34
eyre, zuse: expire channels with their sessions
Associates channels with the authentication sessions that opened them,
and deletes the channel when its associated session expires.

Also updates the debug dashboard to display channel counts per session.
2020-06-05 00:22:39 +02:00
Fang
68491420d2
eyre: refactor %delete to reuse timeout logic
Turns +on-channel-timeout into +discard-channel, which cleans up the
entirety of the channel, based on its current state. This allows us to
simplify the %delete channel request into a simple function call.
2020-06-05 00:20:06 +02:00
Liam Fitzgerald
b553d57c29 eyre: 303 redirect on successful login
Changes the HTTP status code of the redirect that occurs upon a
successful login from 307 to 303. 307 preserves the method of the
original request, so the redirected request is a POST. With the new SPA,
this causes a 404 as app/file-server validates the method of the
request, something that did not happen in earlier versions of landscape.
303 instead changes the method to always produce a GET request.
2020-06-04 15:09:00 +10:00
Fang
a66cfc31da
eyre: fake duct for on-load logout binding
Empty duct is considered not good.
2020-06-03 14:29:13 +02:00
Fang
6e3284feac
eyre: use 303 to redirect to login post-logout
This ensures the client sends a GET request, which is more appropriate.
2020-06-03 14:28:30 +02:00
Philip Monk
8b78f04dd3
Merge remote-tracking branch 'origin/master' into ford-fusion 2020-06-02 21:50:20 -07:00
Fang
4d93349402
eyre: provide logout endpoint
Set up, by default, on /~/logout.

Sending a POST request to this expires the current session and redirects
to the login page. If the "all" key is set in the request body, expires
all open sessions.
2020-06-03 01:40:32 +02:00
Fang
574b05a88a
Merge pull request #2959 from urbit/m/eyre-cookies
eyre: augmented cookie handling
2020-06-01 22:11:57 +02:00
Fang
750ff6e5e1
eyre: respect "forwarded" header from localhost
For request transparency, HTTP proxies may set the Forwarded header to
specify who the original requester is.

For requests from localhost only, we make Eyre respect the Forwarded
header, and adjust the handled ip address accordingly.

Note that we do not support X-Forwarded or other non-standard variants.
The header remains in the request, so server applications can handle
them as desired.

Fixes #2723.
2020-05-31 17:45:22 +02:00
Fang
63c26151a3
eyre: extend session duration on-use
When sending a response to an authenticated request, update the session
to last for +session-timeout again, and send an updated cookie to match.

Assuming the user makes an actual HTTP request at least once a week,
this will make sure they don't get logged out automatically. Simply
keeping a channel open, unfortunately, doesn't count.
2020-05-30 02:29:20 +02:00
Fang
a51d93326a
eyre: clean up old +load code
Removes pre-breach state adapter logic and touches up code style.
2020-05-29 15:33:22 +02:00
Fang
00e3159287
eyre: clear expired sessions/cookies from state
Instead of setting a timer for every session, we set a single expiry
timer when the first session is created. On the subsequent wake event,
we clear all cookies that have expired at that time, then set a timer
for when the next session expires.

This approach gives us flexibility wrt sessions going forward, allowing
extending or early deleting of sessions without having to care about the
related timers.

Note that in +load, we clear all existing sessions. We would start the
expiry timer flow there, but can't. Forcing the user to login again
post-ota once isn't the end of the world.
2020-05-29 15:28:44 +02:00
Fang
52ef23ccca
eyre, zuse: add scry interfaces for eyre state
Scries for getting out open connections, cookie sessions, and existing
channels.

Moves the involved types from eyre into zuse.
2020-05-22 23:55:17 +02:00
Ted Blackman
96264f7fa3 eyre: clarify common prints 2020-05-20 04:36:33 -04:00
Ted Blackman
9588542ed4 eyre: fix tests 2020-05-08 01:29:25 -04:00
Fang
664275c9f1
eyre: expose bindings through scry
Allows you to scry out all bound endpoints at /=bindings=.

Moves an internal type into zuse for easier external use.
2020-05-08 01:39:56 +02:00
Ted Blackman
a064afbd89 /sys: |mass works again 2020-05-07 04:51:08 -04:00
Ted Blackman
8fc787b0ca eyre: use ford-fusion; compiles, untested 2020-05-05 01:28:37 -04:00