Support specifying a client certificate for mTLS auth #688
Conversation
|
Hey @tinsukE - thanks for taking the time to put this together. Let me read up on mTLS and do some thinking about whether I want to take this on in the app. While many FreshRSS users are undoubtedly savvy with this type of thing, I believe there are also users who just use public instances of FreshRSS where custom certs shouldn't really be an issue. |
|
Oh, I think I jumped the gun and created the PR without raising an issue first and explaining why it'd be a good idea! I'll do that. And indeed, public instances shouldn't have to worry about this. It could work as a GitHub SSH key even so, though. But yes, it is more useful for a private instance of FreshRSS/Any other service with a Reader API, as an additional security layer when exposing it on the internet. |
|
Implements #697 |
Using a reverse-proxy with mTLS (client authentication) is a decent way to expose your self-hosted services on the internet.
This PR adds support for using a certificate that's installed in your Android device.
The changes are largely based on:
An optional client certificate can be selected when adding self-hosted accounts (FreshRSS and Reader).
The code uses the default system Keychain to pick a certificate, and only its alias (label) is saved, to be later used in the OkHttp SSL stack. Note that the OkHttp changes only affect client certificates, so the app should behave the same in regards to server certificates.
I considered letting the user select/change a certificate on
UpdateLoginViewModel(which is shown when authentication fails during regular app usage, right?), but I don't think it is necessary.I'm comfortable with the logic changes, but I don't have experience with Compose, so my code there can be sub-optimal.