Add security indicators for server URL connections #49
Adds isSecure / isLocalNetwork / isInsecureRemote helpers to ServerUrl and renders a small inline hint under the URL field on the connect and settings screens: a "Consider using HTTPS for remote access." warning when the user enters an http:// URL whose host is not loopback, a private LAN range (10/8, 172.16/12, 192.168/16, 169.254/16), an IPv6 local address, localhost, or a *.local mDNS name; a "Secure connection" badge when the URL uses https://. Plain HTTP to LAN hosts continues to work without nagging.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8680775e40
| if (h.startsWith('fc') || h.startsWith('fd')) return true; | ||
| if (h.startsWith('fe8') || | ||
| h.startsWith('fe9') || | ||
| h.startsWith('fea') || | ||
| h.startsWith('feb')) { |
Limit private-IPv6 prefix checks to IPv6 hosts
isLocalHost currently treats any hostname starting with fc, fd, fe8, fe9, fea, or feb as local, even when it is a normal DNS name rather than an IPv6 literal. For example, http://fdroid.org is classified as local and therefore isInsecureRemote becomes false, so the insecure HTTP warning is suppressed for a real remote connection. This undermines the security indicator’s core purpose for a non-trivial set of hostnames.
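The misclassification described in the review comment above, reproduced beside a stricter classifier, as an added example that is not the PR's or the project's code. The names `prefixOnlyIsLocal`, `ipBytes`, `isLocalHostStrict` and `shouldWarn` are hypothetical and the sample URLs are constructed; the sketch assumes IP literals are parsed with `dart:core`'s `Uri.parseIPv4Address` / `Uri.parseIPv6Address` before any range test, so DNS names can only match `localhost` or `*.local`.

```dart
// Added example, not the project's code; all function names are hypothetical.
// String-prefix test in the shape of the reviewed lines: it also matches DNS names.
bool prefixOnlyIsLocal(String h) {
  if (h.startsWith('fc') || h.startsWith('fd')) return true;
  return h.startsWith('fe8') || h.startsWith('fe9') ||
      h.startsWith('fea') || h.startsWith('feb');
}

// Address bytes for an IP literal (4 or 16 of them), or null for a DNS name.
List<int>? ipBytes(String host) {
  try {
    return host.contains(':') ? Uri.parseIPv6Address(host) : Uri.parseIPv4Address(host);
  } on FormatException {
    return null;
  }
}

// Range tests run on parsed bytes only, never on the raw host string.
bool isLocalHostStrict(String host) {
  final h = host.toLowerCase();
  final b = ipBytes(h);
  if (b == null) return h == 'localhost' || h.endsWith('.local');
  if (b.length == 4) {
    return b[0] == 127 || b[0] == 10 || // loopback, 10/8
        (b[0] == 172 && (b[1] & 0xf0) == 16) || // 172.16/12
        (b[0] == 192 && b[1] == 168) || // 192.168/16
        (b[0] == 169 && b[1] == 254); // 169.254/16
  }
  final loopback = b.sublist(0, 15).every((x) => x == 0) && b[15] == 1; // ::1
  final uniqueLocal = (b[0] & 0xfe) == 0xfc; // fc00::/7
  final linkLocal = b[0] == 0xfe && (b[1] & 0xc0) == 0x80; // fe80::/10
  return loopback || uniqueLocal || linkLocal;
}

// Warn only for plain HTTP to a host that is not local.
bool shouldWarn(String url) {
  final u = Uri.parse(url);
  return u.scheme == 'http' && !isLocalHostStrict(u.host);
}

void main() {
  // Constructed sample URLs; Uri.host returns IPv6 literals without brackets.
  for (final url in ['http://fdroid.org', 'http://[fd12::1]:8080',
      'http://192.168.1.20', 'http://172.32.0.1', 'https://example.com']) {
    final host = Uri.parse(url).host;
    print('$url prefixOnly=${prefixOnlyIsLocal(host)} '
        'strict=${isLocalHostStrict(host)} warn=${shouldWarn(url)}');
  }
}
```

A host that fails to parse as an IP literal and is not `localhost` or `*.local` is treated as remote, so an unrecognised form shows the warning rather than suppressing it.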
Summary
This PR adds security classification and visual indicators for server URL connections, helping users understand whether their connection is secure and whether they're connecting to a local or remote host.
Key Changes
- ServerUrl security properties: Added three new computed properties to ServerUrl:
  - isSecure: Returns true for HTTPS URLs
  - isLocalNetwork: Detects local/private network hosts (IPv4 private ranges, loopback, link-local, IPv6 unique-local/link-local, localhost, and mDNS .local domains)
  - isInsecureRemote: Flags non-HTTPS connections to remote hosts as potentially insecure
- Local host detection: Implemented isLocalHost() static method that classifies hostnames and IP addresses:
  - localhost and *.local (mDNS)
- UI security hints: Added _SecurityHint widget (duplicated in both connect_screen.dart and settings_screen.dart) that:
- Screen integration: Updated both Connect and Settings screens to:
  - onChanged callback
Implementation Details
- _SecurityHint widget is currently duplicated across two screens; future refactoring could extract it to a shared location
https://claude.ai/code/session_01SRB4Jm1AYVYjmqFqKPFrHN