First version of TLS-only mode

See #962
8 years ago · adf2c3955e
parent d87a2cdfff
commit adf2c3955e
2 changed files with 22 additions and 5 deletions
--- a/index.html
+++ b/index.html
@ -55,10 +55,10 @@
    <div ng-hide="connected" class="container">
      <h2>
        <img alt="logo" src="assets/img/glowing-bear.svg">
-        <span>Glowing Bear</span>
+        <span>Glowing Bear<span style="display:inline" ng-show="show_tls_warning"> for local networks</span></span>
        <small>WeeChat web frontend</small>
      </h2>
-      <div class="alert alert-warning" ng-show="show_tls_warning" ng-cloak><strong>You're using Glowing Bear over an unencrypted connection (http://). This is not recommended!</strong> We recommend using our secure hosted version at <a href="https://www.glowing-bear.org/">https://www.glowing-bear.org/</a>, or <a href="https://latest.glowing-bear.org/">https://latest.glowing-bear.org</a> for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.</div>
+      <div class="alert alert-warning" ng-show="show_tls_warning" ng-cloak><strong>You're using Glowing Bear over an unencrypted connection (http://). This is dangerous for relays outside your local network!</strong> You can only connect to localhost and IP addresses on this instance. We recommend using our secure hosted version at <a href="https://www.glowing-bear.org/">https://www.glowing-bear.org/</a> to connect to a remote WeeChat instance.</div>
      <div class="alert alert-danger" ng-show="errorMessage" ng-cloak>
        <strong>Connection error</strong> The client was unable to connect to the WeeChat relay
      </div>
@ -66,7 +66,7 @@
        <strong>Secure connection error</strong> A secure connection with the WeeChat relay could not be initiated. This is most likely because your browser does not trust your relay's certificate. Please read the encryption instructions below!
      </div>
      <div class="alert alert-danger" ng-show="securityError" ng-cloak>
-        <strong>Secure connection error</strong> Unable to connect to unencrypted relay when you are connecting to Glowing Bear over HTTPS. Please use an encrypted relay or load the page without using HTTPS.
+        <strong>Secure connection error</strong> Cannot connect to unencrypted relay over the internet. Please use an encrypted relay. Only local IP addresses are permitted on insecure connections.
      </div>
      <div class="panel-group accordion">
        <div class="panel" data-state="active" ng-show=false>
@ -131,8 +131,13 @@
                  </div>
                  <div class="checkbox">
                    <label class="control-label" for="ssl">
-                      <input type="checkbox" id="ssl" ng-model="settings.ssl">
-                      Encryption. <strong>Strongly recommended!</strong> Need help? Check below.
+                      <input type="checkbox" id="ssl" ng-model="settings.ssl" disabled>
+                      <span ng-show="settings.ssl">
+                        Encryption. <strong>Required!</strong> Need help? Check below.
+                      </span>
+                      <span ng-show="!settings.ssl">
+                        <strong>Encryption disabled.</strong> Only limited hosts accessible.
+                      </span>
                    </label>
                  </div>
                </div>
--- a/js/glowingbear.js
+++ b/js/glowingbear.js
@ -651,6 +651,18 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout',


    $scope.connect = function() {
+        // check tls requirements
+        if ($scope.show_tls_warning) {
+            // adapted from https://stackoverflow.com/a/34529037/3793885, which
+            // is adapted from O'Reillys Regular Expressions Cookbook, 2nd Ed.
+            var ip_regex = /((^localhost$)|(^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?$))/;
+            if (!ip_regex.test(settings.host)) {
+                // refuse to connect
+                $rootScope.securityError = true;
+                return;
+            }
+        }
+
        notifications.requestNotificationPermission();
        $rootScope.sslError = false;
        $rootScope.securityError = false;