If a session is closed, also kill off any associated
relays in progress. One exception, video port relay
in ESTABLISHED is left alone due to limitation, but
at least no new open.
This prevents sockets from opening up to the world that could be used
to connect to management interfaces directly, apart from the specific
requestors.
Web forward from popup context requires it be exempt from CSRF
protection. This is harmless (as all GET should be, but erring on side
of caution), so add it to the whitelist of CSRF skipping on a CSRF
enabled client session.
This has no functional difference, just a cosmetic
difference that does not give the erroneous impression
a logout actually occurred. This does mean that if a browser
disables cookies and uses the api explorer, there would
be an opportunity for a CSRF.
At some expense of convenience, make it difficult
for CSRF to succeed even against the API explorer
for most people. User/Password will now only be
accepted on hitting enter in the address bar rather
than following any link.
Regardless of whether the client uses it as a session id
or not, the fact remains a sessionid is assigned.
Pass the session id in the auth data even if the client
did not send it.
This makes the exceptions more self describing and simplifies httpapi and sockapi.
An important step to improve asynchttp conveyance of error data that would normally
be an http error in synchronous operation.
Enable a WebUI to request an auth token. This will allow it to indicate it is running in a browser and have the server implement protections such that
other software in the browser cannot send arbitrary requests into the server API.
This is implemented in a backward compatible fashion, allowing, for example, purely non-browser clients to ignore the CSRF protection as
it doesn't apply to that use case.
HTTP console API did not have a means to send break
or request session reopen. Rectify this discrepency
by adding an 'action' key to request certain console
specific actions. In retrospect, closing the session
should have just been an 'action', but leaving things
as-is.
It seems it is possible in some circumstance for the thread id to become stale,
perhaps due to a different threadid executing the code for some reason.
Just in case, ensure the same exact value that was added is later discarded.
This provides a method for client to request session be closed down. This provides more
immediate responsiveness to the client count when closing such a terminal. With this
both closing a single window and doing a 'logout' immediately impacts clientcount.
If something triggers a logout of session, immediately cut into long polling
console sessions that are relevant. This results in web client being able to
immediately detect a logout externally originated.
Provide a means for an http request to erase
it's own session's validity. Always return 200
to allow a client to send bogus credentials and
think they got success to forget the auth data in
the browser.
A javascript client running in browser may want
the standard authorization header suppressed.
This allows a client to block the default browser
authentication prompt.
Have httpapi recognize the difference and start a shellserver
session when appropriate. Next step will be to wire up enumeration of
current shellserver sessions, debug ssh.py traceback, delete on remote
close, and auto-delete when no client connected after some interval (e.g.
30 minutes).
If only one node was in given noderange, then
the httpapi response would not look similar in
structure to a multi-node response. Force even
single items in this special case to be an array
to allow easier javascript client code.
Establish a config file for certain configuration parameters that
control service startup and things that are best managed via out
of band configuration file and easiest to do with a restart. For
now, implement control of http service binding.
From Lucio Seki
