fix(certificate): approved certificate is rejected until restart

Signed-off-by: Grigorii K. Shartsev <me@shgk.me>

Author: ShGKme

src/app/certificate.service.ts

@@ -5,6 +5,7 @@
 
 import type { BrowserWindow, Certificate } from 'electron'
 
+import { session } from 'electron'
 import { showCertificateTrustDialog } from '../certificate/certificate.window.ts'
 import { getAppConfig, setAppConfig } from './AppConfig.ts'
 
@@ -56,3 +57,50 @@ export async function promptCertificateTrust(window: BrowserWindow, details: Unt
 
 	return isAccepted
 }
+
+/**
+ * Verify certificate on a URL.
+ * Note: this function only exists due to Electron limitations.
+ * If a user accepts the certificate later than the request is rejected by timeout,
+ * Electron considers it rejected for 30 minutes or until the app restart.
+ * Issue: https://github.com/electron/electron/issues/47267
+ * And there is no way to reset the cache.
+ * Issue: https://github.com/electron/electron/issues/41448
+ * Thus the verification on the defaultSession cannot be used (at least for login).
+ * This function makes a single request in a new random session, to avoid verification caching.
+ * The actual result is stored in the application config.
+ *
+ * @param window - Parent browser window
+ * @param url - URL
+ */
+export async function verifyCertificate(window: BrowserWindow, url: string): Promise<boolean> {
+	const certificateVerifySession = session.fromPartition(`certificate:verify:${Math.random().toString(36).slice(2, 9)}`)
+
+	let verificationResolvers: PromiseWithResolvers<boolean> | undefined
+
+	certificateVerifySession.setCertificateVerifyProc(async (request, callback) => {
+		verificationResolvers = Promise.withResolvers()
+		// Use original result, failing the request
+		callback(-3)
+
+		const isAccepted = await promptCertificateTrust(window, {
+			host: request.hostname,
+			certificate: request.certificate,
+			error: request.verificationResult,
+		})
+		verificationResolvers.resolve(isAccepted)
+	})
+
+	try {
+		await certificateVerifySession.fetch(url, { bypassCustomProtocolHandlers: true })
+		// Successful request - no SSL errors
+		return true
+	} catch {
+		// SSL Error - handled by user prompt
+		if (verificationResolvers) {
+			return verificationResolvers.promise
+		}
+		// Some unexpected network error
+		return false
+	}
+}

src/authentication/renderer/AuthenticationApp.vue

@@ -84,6 +84,11 @@ async function login() {
 		return setError(t('talk_desktop', 'Invalid server address'))
 	}
 
+	// Check the certificate before actually sending a request
+	if (!await window.TALK_DESKTOP.verifyCertificate(serverUrl.value)) {
+		return setError(t('talk_desktop', 'Untrusted certificate'))
+	}
+
 	// Prepare to request the server
 	window.TALK_DESKTOP.disableWebRequestInterceptor()
 	appData.reset()

src/main.js

@@ -11,7 +11,7 @@ const { setupMenu } = require('./app/app.menu.js')
 const { loadAppConfig, getAppConfig, setAppConfig } = require('./app/AppConfig.ts')
 const { appData } = require('./app/AppData.js')
 const { registerAppProtocolHandler } = require('./app/appProtocol.ts')
-const { promptCertificateTrust } = require('./app/certificate.service.ts')
+const { verifyCertificate, promptCertificateTrust } = require('./app/certificate.service.ts')
 const { openChromeWebRtcInternals } = require('./app/dev.utils.ts')
 const { triggerDownloadUrl } = require('./app/downloads.ts')
 const { setupReleaseNotificationScheduler } = require('./app/githubReleaseNotification.service.js')
@@ -352,6 +352,8 @@ app.whenReady().then(async () => {
 
 	ipcMain.on('app:downloadURL', (event, url, filename) => triggerDownloadUrl(mainWindow, url, filename))
 
+	ipcMain.handle('certificate:verify', (event, url) => verifyCertificate(mainWindow, url))
+
 	// Click on the dock icon on macOS
 	app.on('activate', () => {
 		if (mainWindow && !mainWindow.isDestroyed()) {

src/preload.js

@@ -191,6 +191,13 @@ const TALK_DESKTOP = {
 	 * @param {boolean} isAccepted - Is the certificate accepted as trusted
 	 */
 	acceptCertificate: (isAccepted) => ipcRenderer.send('certificate:accept', isAccepted),
+	/**
+	 * Verify certificate on a URL
+	 *
+	 * @param {string} url - URL
+	 * @return {Promise<boolean>}
+	 */
+	verifyCertificate: (url) => ipcRenderer.invoke('certificate:verify', url),
 }
 
 // Set global window.TALK_DESKTOP