docs: add contribution guidelines

Author: chadsec1

CONTRIBUTING.md

@@ -0,0 +1,44 @@
+Contributing to Coldwire project is simple, and is no different than any other Free and Open-Source project: 
+
+Simply fork the repo, hack on the code, and do a pull request!
+
+**However**, some specific parts of **Coldwire** require *careful* thought before contributing changes
+
+
+## Protocol improvements and or adjustments
+Before hacking on our codebase to support a new protocol feature, or to improve an existing one.
+Coldwire depends on 2 seperate protocols: `Coldwire protocol`, and the `Strandlock protocol`
+
+you *should* first read the related protocol specification, and modify it to reflect what you wish to be added / improved upon.
+
+To summarize: Contributing major changes doesn't start with code, but with solid protocol improvements (that can be reasoned about), and that doesn't decrease our security posture (considering our threat model).
+
+
+## `browsers_headers.json`
+Before adding new entry, or modifying an existing one, please note that the *order* of the headers matters!
+**Do not** trust Developer tools on whatever browser you're using. The ordering of headers in a browser are not in the order that they are sent on the wire. Failure to do so, would actually create an even uniquer fingerprint of our users.
+
+Additionally, all headers names must be lowercase for interoperability with HTTP/2
+
+A very important note, is to **never** include any headers that may indicate to a server you're intending to receive compressed (gzip, etc) response!.
+
+Do not misunderstand, *include* the header (i.e. accept-encoding), but do not put in it actual encoding names. 
+
+Instead, Spam "Coldwire" until the string reaches the same length of the intended "accept-encoding". Truncate "Coldwire" string as needed.
+
+And lastly, please do not contribute obsecure browsers headers! Keep all additions to be popular, mainstream browsers.
+
+
+## Features that **will never be added**:
+Here are some features that we have decided against implementing after thoughtful consideration, as they overcomplicate the protocol, and increase the attack-surface in general:
+- Media parsing or sending in any of its forms (images, videos, SVGs, etc)
+- Text formating or markup languages support (rich text formating, etc.)
+- Multi-device support for the same account.
+- Open/Public groups
+- Voice, and video calls.
+- Voice messages
+- Compression support
+- Metadata-rich features (avatars, vanity server-side usernames, bios, delievery receipts, read receipts, online status, last seen status, user-created server authentication passwords)
+- Account recovery
+- Persistent chat history
+- Any "convenience" features that could impact security and or privacy (clickable URLs, keyboard hotkeys, keyboard shortscuts beyond the basic CTRL-C CTRL-V) 

assets/browsers_headers.json

@@ -0,0 +1,17 @@
+{
+    "Microsoft-Edge": {
+        "sec-ch-ua": "\"Not;A=Brand\";v=\"99\", \"Microsoft Edge\";v=\"139\", \"Chromium\";v=\"139\"",
+        "sec-ch-ua-mobile": "?0",
+        "sec-ch-ua-platform": "Windows",
+        "upgrade-insecure-requests": "1",
+        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Edg/139.0.0.0",
+        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+        "sec-fetch-site": "none",
+        "sec-fetch-mode": "navigate",
+        "sec-fetch-user": "?1",
+        "sec-fetch-dest": "document",
+        "accept-encoding": "ColdWireColdWireColdWir",
+        "accept-language": "en-GB,en;q=0.9,en-US;q=0.8"
+    }
+    
+}

core/requests.py

@@ -80,7 +80,7 @@ def encode_file(name: str, filename: str, data: bytes, boundary: str, CRLF: str,
 
 
 
-def http_request(url: str, method: str, auth_token: str = None, metadata: dict = None, blob: bytes = None, longpoll: int = None) -> bytes:
+def http_request(url: str, method: str, auth_token: str = None, metadata: dict = None, headers: dict = None, blob: bytes = None, longpoll: int = None) -> bytes:
     if method.upper() not in ["POST", "GET", "PUT", "DELETE"]:
         raise ValueError(f"Invalid request method `{method}`")
 
@@ -113,22 +113,26 @@ def http_request(url: str, method: str, auth_token: str = None, metadata: dict =
             req = request.Request(
                 url,
                 data = body,
-                headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
+                headers={"content-type": f"multipart/form-data; boundary={boundary}"},
                 method = method.upper()
             )
 
         elif metadata:
             metadata = json.dumps(metadata).encode("utf-8")
             req = request.Request(url, data=metadata, method=method.upper())
-            req.add_header("Content-Type", "application/json")
+            req.add_header("content-type", "application/json")
         else:
             raise ValueError("Request method is POST/PUT but no metadata nor blob were given.")
 
     else:
         req = request.Request(url, method=method.upper())
 
+    if headers is not None:
+        for key, value in headers.items():
+            req.add_header(key, value)
+
     if auth_token is not None:
-        req.add_header("Authorization", "Bearer " + auth_token)
+        req.add_header("authorization", "Bearer " + auth_token)
 
 
     # NOTE: urllib raises a HTTPError for status code >= 400
@@ -143,32 +147,3 @@ def http_request(url: str, method: str, auth_token: str = None, metadata: dict =
 
 
 
-
-"""
-def http_request(url: str, method: str, auth_token: str = None, payload: dict = None, longpoll: int = -1) -> dict:
-    if payload:
-        payload = json.dumps(payload).encode()
-
-    if payload:
-        req = request.Request(url, data=payload, method=method.upper())
-        req.add_header("Content-Type", "application/json")
-    else:
-        req = request.Request(url, method=method.upper())
-    
-    if auth_token:
-        req.add_header("Authorization", "Bearer " + auth_token)
-
-    # NOTE: urllib raises a HTTPError for status code >= 400
-
-    try:
-        if longpoll == -1:
-            with request.urlopen(req) as response:
-                return json.loads(response.read().decode())
-        else:
-            with request.urlopen(req, timeout=longpoll) as response:
-                return json.loads(response.read().decode())
-    except urllib.error.HTTPError as e:
-        body = e.read().decode()
-        logger.error("We received error from server: %s", body)
-        raise Exception(body)
-"""

logic/smp.py

@@ -513,7 +513,6 @@ def smp_failure_notify_contact(user_data, user_data_lock, contact_id, ui_queue)
         )
     except Exception as e:
         logger.error("Failed to send SMP failure to contact (%s), either you are offline or the server is down. Error: %s", contact_id, str(e))
-        pass
 
 
 

ui/smp_question_window.py

@@ -7,7 +7,9 @@
         smp_step_4_answer_provided,
         smp_failure_notify_contact
 )
-
+from core.constants import (
+        SMP_QUESTION_MAX_LEN
+)
 class SMPQuestionWindow(tk.Toplevel):
     def __init__(self, master, contact_id, question):
         super().__init__(master)
@@ -21,10 +23,10 @@ def __init__(self, master, contact_id, question):
         self.configure(bg="black")
 
         # Question label
-        # :512 to ensure no weird visual effects or even bufferoverflows can be exploited in the underlying tkinter library.
+        # :SMP_QUESTION_MAX_LEN to ensure no weird visual effects or even bufferoverflows can be exploited in the underlying tkinter library.
         tk.Label(
             self,
-            text="Question: " + question[:512],
+            text="Question: " + question[:SMP_QUESTION_MAX_LEN],
             fg="white",
             bg="black",
             font=("Helvetica", 10),