In order to make use of the crypto-primitives crate from the web client
we now generate a wasm file using wasm-pack and included these steps into
the dev and webapp build process.
In order to test the behavior we also made use of the exported primitives from the Ed25519Facade.
Also adds tests for the Ed25519 exported functions.
tuta#2102, tuta#2099, tuta#2098
Co-authored-by: hec <hec@tutao.de>
Co-authored-by: bedhub <bedhub@users.noreply.github.com>
- Introduce Proof-of-Work Captcha to prevent mass signups.
- The PoW captcha executes when the user begins entering information into the sign-up form.
- The progressDialog will appear if the PoW captcha is not solved when the user clicks the "Next" button.
- Update SystemModel to v134
Co-authored-by: nig <nig@tutao.de>
Co-authored-by: toj <toj@tutao.de>
Refactor our instance deserialization/serialization pipeline, both on
TypeScript and on Rust [sdk] to use typeId and attributeIds instead of
typeNames and attributeNames. We furthermore ignore cardinalities
on associations until the instance layer and always
store associations as arrays. This commit introduces **eventual
consistency** on the client, i.e. we are from now on always storing data
in the newest schema format (activeApplicationVersionsForWritingSum)
which ensures that all data is already available on the client after
updating the client to a newer version. This removes the need for
offline migrations on the client and also removes backward migrations
on the server. Furthermore, the server model types are now available
on the client, retrievable through the ApplicationTypesFacade. This is
our first step towards FastSync.
Co-authored-by: nig <nig@tutao.de>
Co-authored-by: abp <abp@tutao.de>
Co-authored-by: jomapp <17314077+jomapp@users.noreply.github.com>
Co-authored-by: map <mpfau@users.noreply.github.com>
Co-authored-by: sug <sug@tutao.de>
Co-authored-by: Kinan <104761667+kibibytium@users.noreply.github.com>
Adapt the tests to work with the new format of loading the fallback and
the wasm files. This commit also fixes the ESBuild function to correctly
resolve the fallback and generate it.
Remove the hardcoded make command and add the option to use a provided
command instead of make. Also adds the possibility to provide env vars
and a working dir for Wasm generation.
This commit adds the generation of a JavaScript transpile for the Liboqs
and Argon2 WebAssembly files. This is done through wasm2js that's
built into emcc.
WASM/JS fallbacks use the same interface and reduce the extra type
casting once initialized.
Co-authored-by: wec43 <wec@tutao.de>
Co-authored-by: paw <paw-hub@users.noreply.github.com>
* according to rollup's type definitions, the output option property is
ignored by rollup.rollup, so it moved to bundle.write
* we don't use commonjs deps in the desktop bundle anymore, so the
commonjs plugin can go away from DesktopBuilder
[build] remove some unnecessary rollup plugins
[build] unify the native plugins
[build] vendor keytar
[build] vendor better-sqlite3 deps and restrict module resolution
it's now checked in and can be updated with buildSrc/updateLibs.js
close #4213
Allow deriving keys with it if the server requests it, but do not use it
by default to create new keys.
tutadb#1559
Co-authored-by: @vitoreiji, @paw-hub, @charlag
Building packages is a part of most build invocations. Our old approach
during dev builds was to
1. Invoke npm once to run build-packages
2. Invoke npm per each package to run tsc.
Unfortunately, npm is very slow. Additionally, the old approach was
leading to tsc re-checking some packages multiple times because of
dependencies between them. This would only worsen with time.
In our new approach we
1. invoke tsc only once
2. try to avoid invoking npm as much as possible
Unfortunately there is still one case where we invoke npx because we
can't be sure that the location of node_modules/.bin is stable as we
are sometimes used as a package. Without this we could reduce the time
even further.
The Problem:
When you receive an email with an embedded svg like this:
```svg
<svg
version="1.1"
baseProfile="full"
xmlns="http://www.w3.org/2000/svg"
>
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"/>
<script type="text/javascript">
alert(localStorage.getItem("tutanotaConfig"));
</script>
</svg>
```
then
* drag the image up into the URL bar or
* right click - open in new tab - then click on the URL and hit enter
it will execute JavaScript in the context of tutanota. The above PoC
will display the "tutanotaConfig" local storage.
Just opening in a new tab doesn't trigger the JavaScript, due to a CSP
policy, but loading it via either of the above two methods does.
The fix:
* sanitize inline svg after loading them:
  + parse the xml file and get the svg node
  + reserialize it
  + sanitize it with DOMPurify
  + add an xml declaration back to the result and use that for display
* we can sanitize and return only the first svg element from the parsed
  tree because more than one svg element per document is invalid anyway.
* we only support utf-8 svg documents because there are a lot of encodings
  and we don't want to risk letting through unsanitized svg due to not
  being able to decode/parse it.
* any files with type image/svg+xml that don't parse as a utf-8 svg are
  replaced with an empty byte array before display.
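
Added example, not code from the tutanota repository: a Python sketch of the fail-closed pipeline listed in the fix above (strict UTF-8 decode, parse, keep the first svg element, sanitize, reserialize with an XML declaration, empty bytes on any failure). The client uses DOMPurify; here a small assumed allowlist stands in for it, and sanitize_inline_svg, ALLOWED_TAGS, ALLOWED_ATTRS and the DOCTYPE rejection are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'
# Assumed allowlist for this sketch, standing in for DOMPurify's SVG profile.
ALLOWED_TAGS = {"svg", "g", "title", "path", "polygon", "rect", "circle"}
ALLOWED_ATTRS = {"id", "version", "baseProfile", "viewBox", "width", "height",
                 "points", "d", "fill", "stroke", "x", "y", "cx", "cy", "r"}
ALLOWED_QNAMES = {f"{{{SVG_NS}}}{tag}" for tag in ALLOWED_TAGS}

ET.register_namespace("", SVG_NS)  # serialize as <svg xmlns=...>, not <ns0:svg>


def _scrub(elem):
    """Remove every child element and attribute that is not on the allowlist."""
    for child in list(elem):
        if child.tag in ALLOWED_QNAMES:
            _scrub(child)
        else:
            elem.remove(child)  # drops <script>, <foreignObject>, non-SVG nodes
    for attr in list(elem.attrib):
        if attr not in ALLOWED_ATTRS:
            del elem.attrib[attr]  # drops on* handlers, style, xlink:href, ...


def sanitize_inline_svg(data: bytes) -> bytes:
    """Return sanitized UTF-8 SVG bytes, or b"" if the input cannot be vetted."""
    try:
        text = data.decode("utf-8", errors="strict")
        if "<!DOCTYPE" in text:  # sketch-only choice: refuse DTDs and entities
            return b""
        root = ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError):
        return b""
    svg = next(root.iter(f"{{{SVG_NS}}}svg"), None)  # first svg element only
    if svg is None:
        return b""
    svg.tail = None
    _scrub(svg)
    return (XML_DECL + ET.tostring(svg, encoding="unicode")).encode("utf-8")


# The PoC from the commit message above, embedded as sample input.
POC = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"/>
<script type="text/javascript">alert(localStorage.getItem("tutanotaConfig"));</script>
</svg>"""
```
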
1. Change getVersion() in nativeLibraryProvider to handle curious
`npm list` behavior.
2. Reorganize rollup plugins so that admin client can import our helper
plugins without importing rollup plugins from node_modules. This makes
it more resilient when we link against local tutanota-3 (libs hoisted
to upper level will not be found across the symlink).
3. Change LaunchHtml to not rely on mithril for the same reason.
This commit not only sets up the build for Windows on Jenkins,
it also consolidates how we get prebuilt binaries for native modules, i.e. keytar and better-sqlite3,
and generally has some refactorings.
Compiling keytar in postinstall is problematic because we need node-gyp
to successfully finish installation. Because of that it is hard to
depend on tutanota-3 (e.g. in admin client).
Doing this on demand avoids the issue.