Commit Graph

818 Commits

Author SHA1 Message Date
Scott Lamb
3bc410b417 prepare v0.7.3 2022-03-22 14:56:15 -07:00
Scott Lamb
4c9aa93fdf check WebSocket origin
This fixes a real cross-site WebSocket hijacking (CSWSH) vulnerability.
If the attacker knows the URL of an NVR installation this user is
authenticated to and the UUID of a camera, and can trick the user into
visiting their webpage, they can grab the live stream. At least there's
some entropy in the camera UUID, but it was never intended to be a
secret.
2022-03-22 14:51:12 -07:00
Scott Lamb
307a3884a0 drop ffmpeg support
* switch the config interface over to use Retina and make the test
  button honor rtsp_transport = udp.

* adjust the threading model of the Retina streaming code.

  Before, it spawned a background future that read from the runtime and
  wrote to a channel. Other calls read from this channel.

  After, it does work directly from within the block_on calls (no
  channels).

  The immediate motivation was that the config interface didn't have
  another runtime handy. And passing in a current thread runtime
  deadlocked. I later learned this is a difference between
  Runtime::block_on and Handle::block_on. The former will drive IO and
  timers; the latter will not.

  But this is also more efficient to avoid so many thread hand-offs.
  Both the context switches and the extra spinning that
  tokio appears to do as mentioned here:
  https://github.com/scottlamb/retina/issues/5#issuecomment-871971550

  This may not be the final word on the threading model. Eventually
  I may not have per-stream writing threads at all. But I think it will
  be easier to look at this after getting rid of the separate
  `moonfire-nvr config` subcommand in favor of a web interface.

* in tests, read `.mp4` files via the `mp4` crate rather than ffmpeg.
  The annoying part is that this doesn't parse edit lists; oh well.

* simplify the `Opener` interface. Formerly, it'd take either a RTSP
  URL or a path to a `.mp4` file, and they'd share some code because
  they both sometimes used ffmpeg. Now, they're totally different
  libraries (`retina` vs `mp4`). Pull the latter out to a `testutil`
  module with a different interface that exposes more of the `mp4`
  stuff. Now `Opener` is just for RTSP.

* simplify the h264 module. It had a lot of logic to deal with Annex B.
  Retina doesn't use this encoding.

Fixes #36
Fixes #126
2022-03-18 13:22:47 -07:00
Scott Lamb
be3a5b200e prepare v0.7.2 2022-03-16 18:31:12 -07:00
Scott Lamb
319d7c3e1d move perms to proper spot in config 2022-03-16 18:31:07 -07:00
Scott Lamb
e9ac61f15c allow omitting permissions in config 2022-03-16 17:51:49 -07:00
Scott Lamb
4addf3c90c npm upgrade 2022-03-16 15:46:42 -07:00
Scott Lamb
f4d5784176 fix config file syntax in guide (#133) 2022-03-16 15:43:23 -07:00
Scott Lamb
f18b58613c improve the guide's docker script
This addresses the `"docker run" requires at least 1 argument.` error
described in #205 and clarifies some comments.
2022-03-16 12:47:00 -07:00
Scott Lamb
ae8fbaff83 add screenshot for selecting guide ver 2022-03-16 12:35:57 -07:00
Scott Lamb
892427592e tweak config format (#133)
* switch from json to toml.
  I think this will be more user-friendly. It allows comments and has
  less punctuation. Fewer surprises than yaml (which has e.g. the
  "Norway problem"). I might have stayed with JSON if I could see a
  good serde json library that allows comments, but hson is unmaintained
  and serde-json strictly follows the spec.

* switch from camelCase to snake_case. Seems more idiomatic for TOML
  and matches the Rust source.

* forbid unknown keys. Better to spot errors sooner.

* rename "trust_forward_hdrs" to "trust_forward_headers". Nothing else
  is abbreviated.
2022-03-16 12:34:39 -07:00
Scott Lamb
de28f6eed3 point to correct version of install instructions
This is particularly important right now. The master branch describes
a config file that doesn't exist in the latest release (0.7.1).

Fixes #204
2022-03-11 15:38:52 -08:00
Scott Lamb
0a9ec04a4e install instructions updates
Fixes #204

* The docker container won't start if a bind refers to a path that
  doesn't exist yet, so move the /etc/moonfire-nvr.json creation up
* Remove redundant command in the dedicated hard drive setup, and
  improve its clarity
2022-03-11 15:02:29 -08:00
Scott Lamb
78cdd82f36 fix warnings 2022-03-11 12:01:35 -08:00
Scott Lamb
5264e9848e fix test failure 2022-03-11 11:59:20 -08:00
Scott Lamb
7467b382dc make Unix sockets bind reliably and add to config 2022-03-11 11:52:00 -08:00
Scott Lamb
7c453b5f9d support treating own effective uid as privileged
I intend this to be an easy bootstrapping mechanism for web auth.
2022-03-11 11:10:26 -08:00
Scott Lamb
4ce3e511b5 support Unix sockets (#133) 2022-03-09 16:47:08 -08:00
Scott Lamb
ceaef46ea9 introduce /etc/moonfire-nvr.json (#133) 2022-03-09 13:18:33 -08:00
Scott Lamb
1a51b53b54 upgrade moonfire-ffmpeg 2022-03-08 11:42:05 -08:00
Scott Lamb
adc7087dc2 upgrade reffers dependency 2022-03-08 11:41:00 -08:00
Scott Lamb
8720495608 upgrade scrypt dependency 2022-03-08 11:40:25 -08:00
Scott Lamb
197e10f56f upgrade tokio-tungstenite 2022-03-08 11:39:22 -08:00
Scott Lamb
ce3cf9c096 upgrade rusqlite 2022-03-08 11:37:45 -08:00
Scott Lamb
c5ef87ee79 upgrade cursive 2022-03-08 11:35:29 -08:00
Scott Lamb
9d70d68710 fix #187 via a dependency upgrade
I did a full `cargo upgrade` and fixed what it broke:

*   a couple things for the latest protobuf 3.0 alphas
    (note alphas don't promise API stability)
*   new minimum supported Rust version

This should have some other nice effects: parking_lot now uses inline
assembler, tokio has gotten faster, etc.
2022-03-08 11:24:44 -08:00
Scott Lamb
3c1171e405 link to JS equality rules 2022-03-07 13:48:47 -08:00
Scott Lamb
93792fcc57 better document TimerangeSelector
I haven't figured out how to expose its state in the URL (for #202),
but documenting how it works today seems like a good first step.
2022-03-07 13:13:32 -08:00
Scott Lamb
08109d61ce clean up App.tsx
This structure (described in
https://github.com/scottlamb/moonfire-nvr/issues/202#issue-1161741347)
has less activity-specific logic in App.tsx itself and avoids duplicate
route handling.

This fixes the `No routes matched location "/"` mentioned in #202.
2022-03-07 11:55:44 -08:00
Scott Lamb
782eb2f0d8 add some URL parameters for the list view
This is still missing the time range, which is more complex than the
others. Small steps.
2022-03-04 15:21:37 -08:00
Scott Lamb
bcc59e9109 plumb more api response through to list view
This keeps a coarser-grained `toplevel` property rather than `user`
and `session`. It also synthesizes a `streams` field within it with ids.
This makes it easier to put the streams in the URL by id.
2022-03-04 12:03:47 -08:00
Scott Lamb
90c9a31ad0 upgrade almost all frontend deps
typescript isn't at the latest because eslint warns about it.
2022-03-04 08:55:06 -08:00
Scott Lamb
274dc09ec3 upgrade typescript to 4.5.5
I found one significant breaking change: caught exceptions are now
unknown rather than any. Rework the error handling a bit to match.
2022-03-03 14:49:14 -08:00
Scott Lamb
a82453e73a upgrade to create-react-scripts v5
I had to disable more of the Login tests to get this to work.
Frustrating, but I just can't figure out how to fake jest timers,
msw, and the testing libraries to all get along anymore.
2022-03-03 14:39:08 -08:00
Scott Lamb
8a65a09c7f upgrade msw version 2022-03-03 12:56:46 -08:00
Scott Lamb
bc29e8b23c fix eslint 8 complaints
I'm working on this upgrade now.
https://github.com/testing-library/eslint-plugin-testing-library/blob/main/docs/rules/prefer-presence-queries.md
2022-03-03 12:37:39 -08:00
Scott Lamb
d40715c210 fix some type errors in VideoList.test.tsx
For whatever reason, these aren't caught in my current setup. I'm trying
to upgrade the whole frontend mess (typescript version, react-scripts
version) and they're caught then.
2022-03-03 12:28:27 -08:00
Scott Lamb
b2fa415823 VS Code: specify workspace typescript version
Currently the workspace's version is older than VS Code's default.
VS Code complains about things that aren't errors according to the
workspace. (In particular, typing of catched exceptions has become
stricter.) With this setting, you can select the workspace's Typescript
version in the VS Code UI so the two are consistent.
2022-03-03 10:56:14 -08:00
Damian Krysta
e90d804f1a FIX build - add OR empty string
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
4d3d72c7b5 EDIT - remove or condition
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
f8ff07d2ad EDIT Multiview - fix none in cam selector
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
41dfae336e EDIT - Run prettier
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
28208b7bb4 CHANGE router type
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
3240c20eae FIX tests
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
56918bf5c2 Add store in url for layout and all cameras
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
552f6bf19d FIX lint
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
3988c3922d ADD set search param after selected cam
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
Damian Krysta
2d517c28dc ADD react router and reading from query params
Signed-off-by: Damian Krysta <damian@krysta.dev>
2022-03-02 10:07:46 -08:00
dependabot[bot]
c9b1e49f3d Bump url-parse from 1.5.3 to 1.5.10 in /ui
Bumps [url-parse](https://github.com/unshiftio/url-parse) from 1.5.3 to 1.5.10.
- [Release notes](https://github.com/unshiftio/url-parse/releases)
- [Commits](https://github.com/unshiftio/url-parse/compare/1.5.3...1.5.10)

---
updated-dependencies:
- dependency-name: url-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 09:22:42 -08:00
dependabot[bot]
4d848b64cd Bump follow-redirects from 1.14.7 to 1.14.8 in /ui
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-16 11:01:22 -08:00