feat(pairing): seamless no-PIN delegated approval (host parks the knock, clients add "Request access")
Web-console "Approve" (delegated pairing, roadmap §8b-1) was unreachable: every client routed a fresh pair=required host straight to the SPAKE2 PIN ceremony, so no "knock" was ever recorded; and an unpaired connect was rejected+closed with no way to resume after approval. The backend + console were complete but had no client-side trigger and no post-approval admit path. Host (native_pairing.rs, punktfunk1.rs): an unpaired identified knock is now PARKED instead of rejected — it releases its NVENC session permit, awaits an operator decision (NativePairing::wait_for_decision, woken by a Notify on approve/deny), and on approval re-acquires a slot and admits the SAME connection with no reconnect. QUIC keep-alive (4s/8s) holds the parked connection warm. The pairing gate moves out of the HANDSHAKE_TIMEOUT-bounded handshake future; approve_pending is reordered read-then-add and wait_for_decision double-checks is_paired to close a "neither pending nor paired" race. New PENDING_APPROVAL_WAIT (180s). Tests: delegated_approval_admits_after_knock now approves mid-park (no reconnect) + new wait_for_decision_approve_deny_timeout unit test (108 host tests green). Clients (Linux/Apple/Windows/Android): a fresh pair=required host now offers "Request access" alongside the PIN ceremony — a plain identified connect with a ~185s handshake budget and a cancelable "waiting for approval" UI; on success the host is saved as paired, and cancel returns the UI immediately while a late- resolving connect is torn down silently via a per-attempt flag. Apple reuses the existing C-ABI timeout_ms (no ABI change); Windows adds SessionParams.connect_timeout + a RequestAccess screen; Android adds a timeoutMs arg to the nativeConnect JNI seam (both sides + both callers). Linux built + clippy + fmt clean; Apple/Windows/ Android pending their CI/on-device compiles. SPAKE2 ceremony reviewed end-to-end against the spake2 0.4 contract — correct, no changes needed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -74,10 +74,31 @@ import io.unom.punktfunk.kit.security.KnownHostStore
|
||||
import io.unom.punktfunk.kit.security.obtainIdentity
|
||||
import io.unom.punktfunk.models.HostStatus
|
||||
import io.unom.punktfunk.models.PendingTrust
|
||||
import java.util.concurrent.atomic.AtomicBoolean
|
||||
import kotlinx.coroutines.Dispatchers
|
||||
import kotlinx.coroutines.launch
|
||||
import kotlinx.coroutines.withContext
|
||||
|
||||
/** Handshake budget for a normal connect (the prior hardcoded value, now passed explicitly). */
|
||||
private const val CONNECT_TIMEOUT_MS = 10_000
|
||||
|
||||
/**
|
||||
* Handshake budget for the no-PIN "request access" connect. Must exceed the host's approval-park
|
||||
* window (~180 s) so a slow operator approval still lands on this same parked connection rather than
|
||||
* timing the client out first. Mirrors the Linux client's 185 s.
|
||||
*/
|
||||
private const val REQUEST_ACCESS_TIMEOUT_MS = 185_000
|
||||
|
||||
/**
|
||||
* A no-PIN "request access" connect in flight — the host being requested (drives the cancelable
|
||||
* "Waiting for approval…" dialog) and a per-attempt flag the Cancel button trips. The connect is a
|
||||
* blocking call with no abort, so Cancel returns the UI immediately and a late result checks
|
||||
* [cancelled] and tears the (possibly just-approved) session down silently rather than navigating.
|
||||
*/
|
||||
private class RequestAccessState(val target: PendingTrust) {
|
||||
val cancelled = AtomicBoolean(false)
|
||||
}
|
||||
|
||||
@OptIn(ExperimentalMaterial3Api::class)
|
||||
@Composable
|
||||
fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
@@ -128,8 +149,11 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
.onSuccess { identity = it }
|
||||
.onFailure { status = "Identity unavailable: ${it.message} — re-pair may be required" }
|
||||
}
|
||||
// A trust decision awaiting the user (first-connect TOFU / fp changed / PIN pairing).
|
||||
// A trust decision awaiting the user (first-connect TOFU / fp changed / PIN pairing / the
|
||||
// request-access-or-PIN choice).
|
||||
var pendingTrust by remember { mutableStateOf<PendingTrust?>(null) }
|
||||
// A no-PIN "request access" connect in flight (the cancelable "Waiting for approval…" dialog).
|
||||
var awaiting by remember { mutableStateOf<RequestAccessState?>(null) }
|
||||
// A saved host whose label is being edited (the Rename dialog).
|
||||
var renameTarget by remember { mutableStateOf<KnownHost?>(null) }
|
||||
|
||||
@@ -163,7 +187,7 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
targetHost, targetPort, w, h, hz,
|
||||
id.certPem, id.privateKeyPem, pinHex ?: "",
|
||||
settings.bitrateKbps, settings.compositor, gamepadPref,
|
||||
hdrEnabled, settings.audioChannels,
|
||||
hdrEnabled, settings.audioChannels, CONNECT_TIMEOUT_MS,
|
||||
)
|
||||
}
|
||||
connecting = false
|
||||
@@ -182,10 +206,66 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
}
|
||||
}
|
||||
|
||||
// Decide pinned-reconnect vs fp-changed vs TOFU vs PIN pairing before connecting. Trust state is
|
||||
// The no-PIN "request access" path (delegated approval): open a normal identified connect that
|
||||
// the host PARKS until the operator clicks Approve in its console/web UI, showing a cancelable
|
||||
// "Waiting for approval…" dialog meanwhile. The SAME connection is admitted on approval (no
|
||||
// reconnect), so on success we record the host as PAIRED — the operator's approval IS the pairing.
|
||||
// The connect can't be aborted, so Cancel returns the UI immediately and a late result is torn
|
||||
// down silently via the per-attempt flag (mirrors the Linux client's request-access flow).
|
||||
fun requestAccess(target: PendingTrust) {
|
||||
val id = identity
|
||||
if (id == null) {
|
||||
status = "Identity not ready yet — try again in a moment"
|
||||
return
|
||||
}
|
||||
val req = RequestAccessState(target)
|
||||
awaiting = req
|
||||
connecting = true
|
||||
status = null
|
||||
discovery.stop() // free the Wi-Fi radio before the (parked) stream session
|
||||
scope.launch {
|
||||
val hdrEnabled = displaySupportsHdr(context)
|
||||
val gamepadPref = Gamepad.resolvePref(settings.gamepad)
|
||||
// Pin the advertised fingerprint for a discovered host (defence against an impostor while
|
||||
// we wait); a manually-typed host has none, so trust-on-first-use.
|
||||
val pinHex = target.advertisedFp ?: ""
|
||||
val handle = withContext(Dispatchers.IO) {
|
||||
NativeBridge.nativeConnect(
|
||||
target.host, target.port, w, h, hz,
|
||||
id.certPem, id.privateKeyPem, pinHex,
|
||||
settings.bitrateKbps, settings.compositor, gamepadPref,
|
||||
hdrEnabled, settings.audioChannels, REQUEST_ACCESS_TIMEOUT_MS,
|
||||
)
|
||||
}
|
||||
// Cancelled while we were parked: tear the (possibly just-approved) session down and
|
||||
// don't touch UI a fresh action may now own.
|
||||
if (req.cancelled.get()) {
|
||||
if (handle != 0L) withContext(Dispatchers.IO) { NativeBridge.nativeClose(handle) }
|
||||
return@launch
|
||||
}
|
||||
awaiting = null
|
||||
connecting = false
|
||||
if (handle != 0L) {
|
||||
// Approved — save the host as PAIRED, pinning the fingerprint it presented, so
|
||||
// future connects are silent (exactly like after a PIN ceremony).
|
||||
val fp = NativeBridge.nativeHostFingerprint(handle)
|
||||
if (fp.isNotEmpty()) {
|
||||
knownHostStore.save(KnownHost(target.host, target.port, target.name, fp, paired = true))
|
||||
savedHosts = knownHostStore.all()
|
||||
}
|
||||
onConnected(handle)
|
||||
} else {
|
||||
status = "Request timed out — approve this device in the host's console, then retry."
|
||||
discovery.start()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Decide pinned-reconnect vs fp-changed vs TOFU vs pairing before connecting. Trust state is
|
||||
// keyed by address:port, so a discovered and a manually-typed connection to the same host share
|
||||
// one record. Trust-on-first-use is permitted ONLY when the host advertised pair=optional; a
|
||||
// pair=required host, or a manual/unknown-policy host, must pair by PIN.
|
||||
// pair=required host, or a manual/unknown-policy host, must pair — either by no-PIN request
|
||||
// access (approve in the console) or by the SPAKE2 PIN ceremony.
|
||||
fun connect(
|
||||
targetHost: String,
|
||||
targetPort: Int,
|
||||
@@ -208,9 +288,10 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
// clearly labeled, alongside PIN pairing). Smart-cast: this branch ⇒ dh != null.
|
||||
dh?.pairingRequired == false -> pendingTrust =
|
||||
PendingTrust(targetHost, targetPort, name, dh.fingerprint, PendingTrust.Kind.TRUST_NEW)
|
||||
// pair=required, or a manual/unknown-policy host → PIN pairing is mandatory.
|
||||
// pair=required, or a manual/unknown-policy host → offer the two ways in: a no-PIN
|
||||
// "request access" (approve in the console) or the SPAKE2 PIN ceremony.
|
||||
else -> pendingTrust =
|
||||
PendingTrust(targetHost, targetPort, name, adv, PendingTrust.Kind.PAIR)
|
||||
PendingTrust(targetHost, targetPort, name, adv, PendingTrust.Kind.REQUEST_ACCESS)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -471,6 +552,33 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
TextButton({ pendingTrust = null }) { Text("Cancel") }
|
||||
},
|
||||
)
|
||||
// A fresh pair=required (or manual/unknown-policy) host: offer the two ways in. "Request
|
||||
// access" is the no-PIN path — connect and wait for the operator to click Approve in the
|
||||
// host's console; "Use a PIN…" switches to the SPAKE2 ceremony.
|
||||
PendingTrust.Kind.REQUEST_ACCESS -> AlertDialog(
|
||||
onDismissRequest = { pendingTrust = null },
|
||||
title = { Text("Pairing required") },
|
||||
text = {
|
||||
Column {
|
||||
Text("${pt.host}:${pt.port} requires pairing before it will stream.")
|
||||
Text(
|
||||
"Request access and approve this device in the host's console (or web " +
|
||||
"UI) — no PIN needed. Or pair with the 4-digit PIN the host displays.",
|
||||
)
|
||||
}
|
||||
},
|
||||
confirmButton = {
|
||||
TextButton({ pendingTrust = null; requestAccess(pt) }) { Text("Request access") }
|
||||
},
|
||||
dismissButton = {
|
||||
Row {
|
||||
TextButton({ pendingTrust = pt.copy(kind = PendingTrust.Kind.PAIR) }) {
|
||||
Text("Use a PIN…")
|
||||
}
|
||||
TextButton({ pendingTrust = null }) { Text("Cancel") }
|
||||
}
|
||||
},
|
||||
)
|
||||
PendingTrust.Kind.PAIR -> {
|
||||
var pin by remember(pt) { mutableStateOf("") }
|
||||
var name by remember(pt) { mutableStateOf(Build.MODEL ?: "Android") }
|
||||
@@ -537,6 +645,44 @@ fun ConnectScreen(settings: Settings, onConnected: (Long) -> Unit) {
|
||||
}
|
||||
}
|
||||
|
||||
// The no-PIN "request access" wait: the connect is parked on the host until the operator
|
||||
// approves this device. Cancel returns the UI immediately — it trips the per-attempt flag so a
|
||||
// late approval is torn down silently (see requestAccess) and resumes discovery.
|
||||
awaiting?.let { req ->
|
||||
fun cancel() {
|
||||
req.cancelled.set(true)
|
||||
awaiting = null
|
||||
connecting = false
|
||||
discovery.start() // the request may still be pending on the host; keep scanning
|
||||
}
|
||||
AlertDialog(
|
||||
onDismissRequest = { cancel() },
|
||||
title = { Text("Waiting for approval") },
|
||||
text = {
|
||||
val deviceName = Build.MODEL ?: "this device"
|
||||
Column(verticalArrangement = Arrangement.spacedBy(12.dp)) {
|
||||
Row(
|
||||
verticalAlignment = Alignment.CenterVertically,
|
||||
horizontalArrangement = Arrangement.spacedBy(12.dp),
|
||||
) {
|
||||
CircularProgressIndicator(modifier = Modifier.size(20.dp), strokeWidth = 2.dp)
|
||||
Text("Approve this device on ${req.target.name}.")
|
||||
}
|
||||
Text(
|
||||
"Open the host's console (or web UI) and approve “$deviceName”. It connects " +
|
||||
"automatically once you approve — no PIN needed.",
|
||||
style = MaterialTheme.typography.bodyMedium,
|
||||
color = MaterialTheme.colorScheme.onSurfaceVariant,
|
||||
)
|
||||
}
|
||||
},
|
||||
confirmButton = {},
|
||||
dismissButton = {
|
||||
TextButton(onClick = { cancel() }) { Text("Cancel") }
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
// Rename a saved host's label (discovered hosts are named by mDNS; this is how you give one a
|
||||
// friendly name like "Living Room" after pairing). Keyed by the host so reopening resets the field.
|
||||
renameTarget?.let { kh ->
|
||||
|
||||
@@ -14,8 +14,10 @@ enum class Tab(val label: String, val icon: ImageVector) {
|
||||
/**
|
||||
* A trust decision awaiting the user before a connect proceeds. [name] is the label to save the
|
||||
* host under. Trust-on-first-use ([Kind.TRUST_NEW]) is only ever offered when the host ADVERTISED
|
||||
* pair=optional; a pair=required host or a manually-typed/unknown-policy host goes straight to PIN
|
||||
* pairing ([Kind.PAIR]), and a changed fingerprint forces re-pairing — never a silent re-trust.
|
||||
* pair=optional; a pair=required host or a manually-typed/unknown-policy host is offered the
|
||||
* two ways in ([Kind.REQUEST_ACCESS]): a no-PIN "request access" connect the operator approves in
|
||||
* the host's console, or the SPAKE2 PIN ceremony ([Kind.PAIR]). A changed fingerprint forces
|
||||
* re-pairing by PIN ([Kind.FP_CHANGED]) — never a silent re-trust.
|
||||
*/
|
||||
data class PendingTrust(
|
||||
val host: String,
|
||||
@@ -24,7 +26,7 @@ data class PendingTrust(
|
||||
val advertisedFp: String?,
|
||||
val kind: Kind,
|
||||
) {
|
||||
enum class Kind { TRUST_NEW, FP_CHANGED, PAIR }
|
||||
enum class Kind { TRUST_NEW, FP_CHANGED, PAIR, REQUEST_ACCESS }
|
||||
}
|
||||
|
||||
/** Trust state of a host, shown as a colored pill on its card. */
|
||||
|
||||
@@ -29,8 +29,10 @@ object NativeBridge {
|
||||
* trust-on-first-use — read [nativeHostFingerprint] after; else 64-hex host SHA-256, mismatch →
|
||||
* `0`). [width]/[height]/[refreshHz] are the requested virtual-output mode (the host streams at
|
||||
* exactly this); [bitrateKbps] 0 = host default; [compositorPref]/[gamepadPref] are the
|
||||
* `CompositorPref`/`GamepadPref` wire bytes (0 = Auto). Returns an opaque session handle, or `0`
|
||||
* on failure. Pair with exactly one [nativeClose].
|
||||
* `CompositorPref`/`GamepadPref` wire bytes (0 = Auto). [timeoutMs] is the handshake budget — the
|
||||
* normal path passes a short value, the no-PIN "request access" path a long one (≥ the host's
|
||||
* approval-park window) so a slow operator approval lands on this same parked connection. Returns
|
||||
* an opaque session handle, or `0` on failure. Pair with exactly one [nativeClose].
|
||||
*/
|
||||
external fun nativeConnect(
|
||||
host: String,
|
||||
@@ -46,6 +48,7 @@ object NativeBridge {
|
||||
gamepadPref: Int,
|
||||
hdrEnabled: Boolean,
|
||||
audioChannels: Int,
|
||||
timeoutMs: Int,
|
||||
): Long
|
||||
|
||||
/** 64-hex SHA-256 of the cert the host presented on [handle]; valid after a successful connect. */
|
||||
|
||||
@@ -140,13 +140,15 @@ pub extern "system" fn Java_io_unom_punktfunk_kit_NativeBridge_nativeGenerateIde
|
||||
}
|
||||
|
||||
/// `NativeBridge.nativeConnect(host, port, w, h, hz, certPem, keyPem, pinHex, bitrateKbps,
|
||||
/// compositorPref, gamepadPref, hdrEnabled, audioChannels): Long`. `certPem`/`keyPem` empty =
|
||||
/// anonymous, else presented as the persistent identity. `pinHex` empty = TOFU (read
|
||||
/// compositorPref, gamepadPref, hdrEnabled, audioChannels, timeoutMs): Long`. `certPem`/`keyPem`
|
||||
/// empty = anonymous, else presented as the persistent identity. `pinHex` empty = TOFU (read
|
||||
/// `nativeHostFingerprint` after), else 64-hex SHA-256 to pin the host (mismatch → 0). `bitrateKbps`
|
||||
/// 0 = host default. `compositorPref`/`gamepadPref` are `CompositorPref`/`GamepadPref` wire bytes
|
||||
/// (0 = Auto; unknown → Auto). `audioChannels` is the requested surround layout (2/6/8; normalized,
|
||||
/// anything else → stereo) — the host clamps it and the resolved count drives playback.
|
||||
/// Returns an opaque handle, or 0 on failure (logged).
|
||||
/// anything else → stereo) — the host clamps it and the resolved count drives playback. `timeoutMs`
|
||||
/// is the handshake budget: the normal path passes a short value, the no-PIN "request access" path a
|
||||
/// long one (≥ the host's approval-park window) so a slow operator approval lands on this same parked
|
||||
/// connection rather than timing the client out first. Returns an opaque handle, or 0 on failure.
|
||||
#[no_mangle]
|
||||
#[allow(clippy::too_many_arguments)]
|
||||
pub extern "system" fn Java_io_unom_punktfunk_kit_NativeBridge_nativeConnect<'local>(
|
||||
@@ -165,6 +167,7 @@ pub extern "system" fn Java_io_unom_punktfunk_kit_NativeBridge_nativeConnect<'lo
|
||||
gamepad_pref: jint,
|
||||
hdr_enabled: jboolean,
|
||||
audio_channels: jint,
|
||||
timeout_ms: jint,
|
||||
) -> jlong {
|
||||
let host: String = match env.get_string(&host) {
|
||||
Ok(s) => s.into(),
|
||||
@@ -224,7 +227,9 @@ pub extern "system" fn Java_io_unom_punktfunk_kit_NativeBridge_nativeConnect<'lo
|
||||
None, // launch: default app
|
||||
pin, // Some → Crypto on host-fp mismatch
|
||||
identity, // owned (cert, key) PEM, or None (anonymous)
|
||||
Duration::from_secs(10),
|
||||
// Handshake budget from Kotlin: ~10 s for a normal connect, ~185 s for "request access"
|
||||
// (the host parks the connection until the operator approves the device — see ConnectScreen).
|
||||
Duration::from_millis(timeout_ms.max(0) as u64),
|
||||
) {
|
||||
Ok(client) => {
|
||||
let handle = SessionHandle {
|
||||
|
||||
Reference in New Issue
Block a user