* [pve-devel] [PATCH proxmox_dart_api_client v3 0/2] fix: ios: add support for custom user certificates
From: Shan Shaji @ 2025-09-24 13:05 UTC
To: pve-devel
The app was not honoring the user-installed certificate and was still
throwing `HandshakeException` when using `IOClient`. In order to fix the
issue, the `cupertino_http` package is used. This patch series only includes
the changes specific to iOS. Android-related changes can be found here
[0].
- [0] https://lore.proxmox.com/pve-devel/DCKQF7FSYTGT.HK16P9PBZEDS@proxmox.com/T/#t
History:
==============
Changes since v2: Thanks @Dominik
patch: https://lore.proxmox.com/pve-devel/20250917120616.80136-1-s.shaji@proxmox.com/T/#t
- Rebased with master.
- Fixed commit message
changes since v1: https://lore.proxmox.com/pve-devel/DCUXS353OF44.2TCRIG1U97LAK@proxmox.com/T/#m18041c4e36f4188d46a6fa224a61e76ac394abfa
- Rebased with master
Shan Shaji (2):
fix: ios: use `cupertino_http` package to honor custom user
certificates
fix: ios: add explicit throw of `HandshakeException`
lib/src/authenticate.dart | 14 +++++++++++++-
lib/src/utils_native.dart | 10 +++++++++-
pubspec.lock | 18 +++++++++++++++++-
pubspec.yaml | 1 +
4 files changed, 40 insertions(+), 3 deletions(-)
--
2.50.1
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH proxmox_dart_api_client v3 1/2] fix: ios: use `cupertino_http` package to honor custom user certificates
From: Shan Shaji @ 2025-09-24 13:05 UTC
To: pve-devel
On iOS, when a user installs a custom certificate and manually trusts it
in the iOS certificate trust settings, the app was not
honoring the installed certificate [0] and was still throwing
`HandshakeException`.
The issue is that `IOClient` doesn't honor user-installed
certificates by default. To fix the issue, the `cupertino_http` [1]
package is used, which honors user-installed certificates.
The `cupertino_http` package internally uses the native
iOS URL loading system [2].
- [0] https://support.apple.com/en-us/102390
- [1] https://pub.dev/packages/cupertino_http
- [2] https://developer.apple.com/documentation/foundation/url-loading-system
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
lib/src/utils_native.dart | 10 +++++++++-
pubspec.lock | 18 +++++++++++++++++-
pubspec.yaml | 1 +
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lib/src/utils_native.dart b/lib/src/utils_native.dart
index a4b7397..de66b31 100644
--- a/lib/src/utils_native.dart
+++ b/lib/src/utils_native.dart
@@ -1,4 +1,5 @@
import 'package:cronet_http/cronet_http.dart';
+import 'package:cupertino_http/cupertino_http.dart';
import 'package:http/http.dart' as http;
import 'package:http/io_client.dart' as http_io;
import 'dart:io';
@@ -6,9 +7,10 @@ import 'dart:io';
http.Client getCustomIOHttpClient({bool validateSSL = true}) {
var ioClient = HttpClient();
+ const cacheMaxSizeInBytes = 1024 * 1024;
if (Platform.isAndroid && validateSSL) {
final engine = CronetEngine.build(
- cacheMaxSize: 1024 * 1024,
+ cacheMaxSize: cacheMaxSizeInBytes,
cacheMode: CacheMode.memory,
);
return CronetClient.fromCronetEngine(
@@ -17,6 +19,12 @@ http.Client getCustomIOHttpClient({bool validateSSL = true}) {
);
}
+ if (Platform.isIOS && validateSSL) {
+ final config = URLSessionConfiguration.ephemeralSessionConfiguration()
+ ..cache = URLCache.withCapacity(memoryCapacity: cacheMaxSizeInBytes);
+ return CupertinoClient.fromSessionConfiguration(config);
+ }
+
if (!validateSSL) {
ioClient.badCertificateCallback =
((X509Certificate cert, String host, int port) {
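Review bot: `var ioClient = HttpClient();` is still constructed at the top of `getCustomIOHttpClient`, so the new `Platform.isIOS && validateSSL` branch (like the Android one) returns early and leaves that `HttpClient` unused and never closed. Consider moving its construction below both platform branches. A short comment on the iOS branch would also help, stating that trust evaluation is now delegated to the system trust store, including certificates the user installed and trusted, since that is the security-relevant behaviour change and the code alone does not say so.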
diff --git a/pubspec.lock b/pubspec.lock
index dbedb07..229ce66 100644
--- a/pubspec.lock
+++ b/pubspec.lock
@@ -169,6 +169,14 @@ packages:
url: "https://pub.dev"
source: hosted
version: "3.0.6"
+ cupertino_http:
+ dependency: "direct main"
+ description:
+ name: cupertino_http
+ sha256: "72187f715837290a63479a5b0ae709f4fedad0ed6bd0441c275eceaa02d5abae"
+ url: "https://pub.dev"
+ source: hosted
+ version: "2.3.0"
dart_style:
dependency: transitive
description:
@@ -350,6 +358,14 @@ packages:
url: "https://pub.dev"
source: hosted
version: "2.0.2"
+ objective_c:
+ dependency: transitive
+ description:
+ name: objective_c
+ sha256: "9f034ba1eeca53ddb339bc8f4813cb07336a849cd735559b60cdc068ecce2dc7"
+ url: "https://pub.dev"
+ source: hosted
+ version: "7.1.0"
package_config:
dependency: transitive
description:
@@ -613,4 +629,4 @@ packages:
version: "3.1.3"
sdks:
dart: ">=3.9.0 <4.0.0"
- flutter: ">=3.22.0"
+ flutter: ">=3.24.0"
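Review bot: the `sdks:` section raises the Flutter floor from `>=3.22.0` to `>=3.24.0`, but the commit message only talks about adding `cupertino_http`. Please mention the raised minimum Flutter version (and the new transitive `objective_c` package pulled in above) in the commit message, so that consumers of the library and whoever maintains the build environment see it.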
diff --git a/pubspec.yaml b/pubspec.yaml
index 97c4783..9094c4d 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
@@ -11,6 +11,7 @@ dependencies:
built_collection: ^5.1.1
retry: ^3.1.0
cronet_http: ^1.5.0
+ cupertino_http: ^2.3.0
dev_dependencies:
lints: ^6.0.0
--
2.50.1
* [pve-devel] [PATCH proxmox_dart_api_client v3 2/2] fix: ios: add explicit throw of `HandshakeException`
From: Shan Shaji @ 2025-09-24 13:05 UTC
To: pve-devel
The `cupertino_http` package is throwing `NSErrorClientException` [0] instead
of `HandshakeException` when the certificate is not valid.
Due to this, the exception was shown directly in the UI. In order to make
the error more user-friendly, catch the `NSErrorClientException` and
rethrow `HandshakeException` if the certificate is not valid.
- [0] https://github.com/dart-lang/http/blob/e0dadd16e01bb4611036f4946ed480dac2d59dca/pkgs/cupertino_http/lib/src/cupertino_client.dart#L219C21-L219C43
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v2:
- Fixed commit message.
lib/src/authenticate.dart | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/src/authenticate.dart b/lib/src/authenticate.dart
index a142a4c..04f363f 100644
--- a/lib/src/authenticate.dart
+++ b/lib/src/authenticate.dart
@@ -2,12 +2,12 @@ import 'dart:async';
import 'dart:convert';
import 'dart:io';
+import 'package:cupertino_http/cupertino_http.dart';
import 'package:http/http.dart' as http;
import 'package:proxmox_dart_api_client/proxmox_dart_api_client.dart';
import 'package:proxmox_dart_api_client/src/handle_ticket_response.dart';
import 'package:proxmox_dart_api_client/src/models/serializers.dart';
-
/// Returns an authenticated client to work with if successful.
///
/// This is the function you are looking for if you want to interact with any
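Review bot: the blank line between the last import and the `/// Returns an authenticated client ...` doc comment is removed here, which is an unrelated whitespace change and will likely be put back by `dart format`; please drop it from the patch.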
@@ -62,6 +62,12 @@ Future<ProxmoxApiClient> authenticate(
throw HandshakeException(e.message);
}
rethrow;
+ } on NSErrorClientException catch (e) {
+ // Treat untrusted server certificate (-1202) as a handshake failure.
+ if (e.error.code == -1202) {
+ throw HandshakeException(e.message);
+ }
+ rethrow;
}
}
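Review bot: in the new `on NSErrorClientException` clause, `e.error.code == -1202` is a bare magic number and is compared without checking the error domain. -1202 is `NSURLErrorServerCertificateUntrusted`; a named constant would make that clear. The commit message says the rethrow happens "if the certificate is not valid", but the neighbouring NSURLError codes for an expired certificate (-1201), an unknown root (-1203) and a not-yet-valid certificate (-1204) take the `rethrow` path and would still reach the UI as a raw `NSErrorClientException`. Either map those codes too, or narrow the commit message and the comment to "untrusted".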
@@ -86,5 +92,11 @@ Future<List<PveAccessDomainModel?>> accessDomains(
throw HandshakeException(e.message);
}
rethrow;
+ } on NSErrorClientException catch (e) {
+ // Treat untrusted server certificate (-1202) as a handshake failure.
+ if (e.error.code == -1202) {
+ throw HandshakeException(e.message);
+ }
+ rethrow;
}
}
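Review bot: the `on NSErrorClientException` clause in `accessDomains` duplicates, line for line, the one added to `authenticate` above. A small shared helper that maps the exception to `HandshakeException` would keep the two call sites from drifting apart when further error codes are handled.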
--
2.50.1