Found a number of 'Illegal buffer' errors in an Electron log submitted
today. As far as I can tell, these same profiles are succeedig for me,
so it's time to collect more data.
FREEBIE
* Upgrade emoji deps and move to node_modules
Add support for Emoji 3.0 and switch from bower to yarn for managing emoji
dependencies.
// FREEBIE
* Delete old emoji deps
// FREEBIE
* Don't copy emoji on windows
It is no longer necessary since the symlinked image dir is gone.
// FREEBIE
* Update emoji test
// FREEBIE
* Fix emoji tests; remove all overrides of emoji-js functions
FREEBIE
* Add AES-GCM encryption for profiles
With tests.
* Add profileKey to DataMessage protobuf
// FREEBIE
* Decrypt and save profile names
// FREEBIE
* Save incoming profile keys
* Move pad/unpad to crypto module
// FREEBIE
* Support fetching avatars from the cdn
// FREEBIE
* Translate failed authentication errors
When AES-GCM authentication fails, webcrypto returns a very generic error. The
same error is thrown for invalid length inputs, but our earlier checks in
decryptProfile should rule out those failure modes and leave us safe to assume
that we either had bad ciphertext or the wrong key.
// FREEBIE
* Handle profile avatars (wip) and log decrypt errors
// FREEBIE
* Display profile avatars
Synced contact avatars will still override profile avatars.
* Display profile names in convo list
Only if we don't have a synced contact name.
// FREEBIE
* Make cdn url an environment config
Use different ones for staging and production
// FREEBIE
* Display profile name in conversation header
* Display profile name in group messages
* Update conversation header if profile avatar changes
// FREEBIE
* Style profile names small with ~
* Save profileKeys from contact sync messages
// FREEBIE
* Save profile keys from provisioning messages
For standalone accounts, generate a random profile key.
// FREEBIE
* Special case for one-time sync of our profile key
Android will use a contact sync message to sync a profile key from Android
clients who have just upgraded and generated their profile key. Normally we
should receive this data in a provisioning message.
// FREEBIE
* Infer profile sharing from synced data messages
* Populate profile keys on outgoing messages
Requires that `profileSharing` be set on the conversation.
// FREEBIE
* Support for the profile key update flag
When receiving a message with this flag, don't init a message record, just
process the profile key and move on.
// FREEBIE
* Display profile names in group member list
* Refresh contact's profile on profile key changes
// FREEBIE
* Catch errors on profile save
// FREEBIE
* Save our own synced contact info
Don't return early if we get a contact sync for our own number
// FREEBIE
This adds a new copy:deps task into the overall default task, and it
needs to be run before running the product for the first time, and after
upgrading audio-related deps.
FREEBIE
This removes our custom notification sound in favor of the system sound, and
ensures that the system sound is disabled if the user unchecks the audio
notification option.
// FREEBIE
* main.js: check for truthiness of mainwindow, not === null
FREEBIE
* background.js: Connect to websocket even if we are unlinked
We know registration isn't done, but it has been done before. So instead
of sitting tight, we connect to the socket to start everything up and
attempt to the websocket once more.
FREEBIE
* Add certificate pinning on https service requests
Make https requests to the server using node apis instead of browser apis, so we
can specify our own CA list, which contains only our own CA.
This protects us from MITM by a rogue CA.
As a bonus, this let's us drop the use of non-standard ports and just use good
ol' default 443 all the time, at least for http requests.
// FREEBIE
* Make certificateAuthorities an option on requests
Modify node-based xhr implementation based on driverdan/node-XMLHttpRequest,
adding support for setting certificate authorities on each request.
This allows us to pin our master CA for requests to the server and cdn but not
to the s3 attachment server, for instance. Also fix an exception when sending
binary data in a request: it is submitted as an array buffer, and must be
converted to a node Buffer since we are now using a node based request api.
// FREEBIE
* Import node-based xhr implementation
Add a copy of https://github.com/driverdan/node-XMLHttpRequest@86ff70e, and
expose it to the renderer in the preload script.
In later commits this module will be extended to support custom certificate
authorities.
// FREEBIE
* Support "arraybuffer" responseType on requests
When fetching attachments, we want the result as binary data rather than a utf8
string. This lets our node-based XMLHttpRequest honor the responseType property
if it is set on the xhr.
Note that naively using the raw `.buffer` from a node Buffer won't work, since
it is a reuseable backing buffer that is often much larger than the actual
content defined by the Buffer's offset and length.
Instead, we'll prepare a return buffer based on the response's content length
header, and incrementally write chunks of data into it as they arrive.
// FREEBIE
* Switch to self-signed server endpoint
* Log more error info on failed requests
With the node-based xhr, relevant error info are stored in statusText and
responseText when a request fails.
// FREEBIE
* Add node-based websocket w/ support for custom CA
// FREEBIE
* Support handling array buffers instead of blobs
Our node-based websocket calls onmessage with an arraybuffer instead of a blob.
For robustness (on the off chance we switch or update the socket implementation
agian) I've kept the machinery for converting blobs to array buffers.
// FREEBIE
* Destroy all wacky server ports
// FREEBIE
If the 'empty' event is fired between the updateInbox() call and the
new InboxView() call afterwards, then the loading screen will never go
away. We fix that by immediately creating the InboxView but only adding
it to the DOM when the backing data is ready.
FREEBIE
Just send an event from the main process to the renderer,
The latter routes it the appropriate view method.
For now it's a no-op unless the main window exists and it is showing the inbox,
which will be addressed in a future commit.
// FREEBIE
Change the placeholder content for when notifications are configured for
count-only or sender-only. Remove some options that are no longer
supported.
// FREEBIE
Since we no longer have support for list-style notifications, stop
coalescing notifications into batches and just show contents of the last
message received. Also open the window when clicking on a notification
if it has previously been closed.
// FREEBIE
All Whisper.events listeners are now defined and bound in background.js,
and we no longer need global methods for opening the inbox and
conversation views, as those are handled by AppView or internally by
InboxView.
// FREEBIE
Add buttons for switching between the linking flow and the standalone
registration flow. The button and standalone registration are only
availble in a development environment.
// FREEBIE
Traditionally, NODE_ENV refers to an environment variable. For clarity,
let's keep it that way and don't reuse it in the renderer. Also, add a
note about explicitly overriding env vars for node-config.
// FREEBIE
Add the buildExpiration config and add it to the renderer's config
object. Use grunt to write the build expiration to
config/local-production.json which will override the default value (no
expiration) in production. Finally, run this grunt task as part of the
build process.
// FREEBIE
Introduce a top level view for navigating between the inbox and the
installer, enabling an in-window relink flow. Navigation is driven
through the openInbox and openInstaller global events.
// FREEBIE
Add environment-specific configs under `./config` and integrate with the
build system. Also changes package.json `files` from blacklist to
whitelist.
// FREEBIE
Database logging is helpful as a debugging tool, but it creates an
infinite loop with the debug log, which wants to write to the database,
which wants to write to the log, which wants to write to the database,
which wants to write to the log, which wants to write to the database,
which wants to write to the log, which wants to write to the database...
// FREEBIE
Just use the english locale for now. Load locale data from the
filesystem in the main process and pass it to the renderer preload
script via ipc. Note that we need the locale data to be available by the
time view scripts are loaded.
// FREEBIE
Set NODE_ENV at run time or build time to switch the app between dev and
production modes.
At build time, the current NODE_ENV will be included in the packaged
app's package.json file. At runtime we read NODE_ENV from package.json,
but also allow the local environment variable to override. A query
string parsed by a preload script exposes the value to the renderer,
which then determines whether we use the staging or production server.
Additionally, different environments have different user data
directories.
// FREEBIE
Nothing stops us from rendering the inbox in the background page, since
it is no longer a background page at all. TODO: intercept window close
events to hide this window instead of closing it unless the app is quit
explicitly.
// FREEBIE
Because export might take a couple minutes, we now set expectations
that it might take 'several minutes' instead of just 'please wait.'
We also promote 'Install new Signal Desktop' from a text link in the
instructions to a button. This is important on the 'Completed' screen
because it is bigger and to the left of the 'Export Again' button, which
previously drew primary focus on that screen.
Lastly, we also remove the title-specific element of the support link,
so we're resilient to title changes in the future.
FREEBIE
On a recent trip through a CPU profile taken while Signal Desktop
churned through a large backlog of messages, it was clear that
console.log was a major source of time spent, primarily the sort
operation required after every new entry is added to the Backbone
collection. So, three different techniques to combat this:
1) Reduce the maximum number of entries in the collection from 5k to 2k
2) No more logging of add/update/remove queue in MessageReceiver
3) No more log entries in Message.handleDataMessage main codepath
FREEBIE
* Don't show notifications for verified state change with yourself
It's confusing to users, and it really doesn't mean anything anyway.
FREEBIE
* Add log statement that we've suppressed a verified notification
FREEBIE
* Export: limit attachment names to 30 chars, tests for helper fns
Also, reintroduce last contact date in conversation dir name
FREEBIE
* MessageView tests: Fix failures during blanket coverage run
FREEBIE
When we relied on the actual value of the color property to be supplied
to the updateColor change event listener, sometimes it would be null.
Then the conversation bubbles would have no color at all, making the
text hard to read.
FREEBIE
* Fetch all conversations on startup of app, not on inbox load
A recent change to fetch conversations less didn't take into account all
that can happen in the app without the inbox loaded. That only happens
when the window is shown, and messages can come in with the app in the
background. In that case, the conversation wouldn't have been loaded
from the database, but would be saved to the database anyway, losing
data.
This change fetches all conversations as soon as the the data store is
ready for a fetch. It also introduces failsafe throws to ensure that
synchronous ConversationController accesses don't happen until the
initial fetch is complete. A new getUnsafe() method was required to
account for some of the model setup that happens during that initial
conversation fetch.
Fixes#1428
FREEBIE
* Fix tests: ConversationController.load() required before get()
FREEBIE
* Fetch conversations once, clean up ConversationController API
Race conditions around re-fetching have caused some problems recently,
so this removes the need to re-fetch conversations. They are fetched
once or saved once, and that is it. All interaction goes through the
ConversationController, which is the central source of truth.
We have two rules for Conversations:
1. If a conversation is in the ConversationController it doesn't need
to be fetched, but its initial fetch/save might be in progress. You
can wait for that fetch/save with conversation.initialPromise.
2. If a conversation is not already in the ConversationController, it's
not yet in the database. It needs to be added to the
ConversationController and saved to the database.
FREEBIE
* Remove Conversation.fetch() call in Message.handleDataMessage()
FREEBIE
* ConversationController.API cleanup: Fix two missing spots
FREEBIE
When processing a contact sync with embedded identity key verification info, we
were running overlapping async fetch/save operations on the same conversation
model, causing a race that tends to clobber updates to the contact info.
In this change we extend the application-level contact info handler to block on
a subsequent call to the verification handler, which effectively serializes the
fetch/save calls, and relieves the need for the message receiver to trigger a
seperate event concerning the verification info on contact sync messages.
Fixes#1408
// FREEBIE
* On export, don't print out entire group id, just last three chars
FREEBIE
* Export: Limit conversation dirs to 30 characters of original name
FREEBIE
* Redact groups ids on import as well
FREEBIE
* InboxView: Protect against nonexistent loading screen
FREEBIE
* Add support for backup and restore
This first pass works for all stores except messages, pending some scaling
improvements.
// FREEBIE
* Import of messages and attachments
Properly sanitize filenames. Logging information that will help with
debugging but won't threaten privacy (no contact or group names),
where the on-disk directories have this information to make things
human-readable
FREEBIE
* First fully operational single-action export and import!
FREEBIE
* Add migration export flow
A banner alert leads to a blocking ui for the migration. We close the socket and
wait for incoming messages to drain before starting the export.
FREEBIE
* A number of updates for the export flow
1. We don't immediately pop the directory selection dialog box, instead
showing an explicit 'choose directory' button after explaining what is
about to happen
2. We show a 'submit debug log' button on most steps of the process
3. We handle export errors and encourage the user to double-check their
filesystem then submit their log
4. We are resilient to restarts during the process
5. We handle the user cancelling out of the directory selection dialog
differently from other errors.
6. The export process is now serialized: non-messages, then messages.
7. After successful export, show where the data is on disk
FREEBUE
* Put migration behind a flag
FREEBIE
* Shut down websocket before proceeding with export
FREEBIE
* Add MigrationView to test/index.html to fix test
FREEBIE
* Remove 'Submit Debug Log' button when the export process is complete
FREEBIE
* Create a 'Signal Export' directory below user-chosen dir
This cleans things up a bit so we don't litter the user's target
directory with lots of stuff.
FREEBIE
* Clarify MessageReceiver.drain() method comments
FREEBIE
* A couple updates for clarity - event names, else handling
Also the removal of wait(), which wasn't used anywhere.
FREEBIE
* A number of wording updates for the export flow
FREEBIE
* Export complete: put dir on its own line, make text selectable
FREEBIE
There's really no reason to retry encryption errors again if they've
already been made user-visible in a conversation.
Also, refactor e->error in background.js onError(), since both e and ev
in this method made it too easy to make a mistake.
- How long it takes to get a message through the pre-send checks
- How long it takes to open a conversation for the first time
- The timestamp of any message we send to corellate with other logs
- Add conversation ID to 'decrypt old identity key errors' start/end
FREEBIE
Because we do a number of async checks before allowing the real send to
begin, on a slow matchine or when doing a lot of work (like receiving a
lot of messages) there can be a noticeable delay between hitting Enter
and the clearing of the text in the message box. In fact, newly-typed
text can be added to the previous message if the delay is long enough.
This prevents any interaction with the message box until the send has
either been prevented or has started.
FREEBIE
Discovered a user log where expiring message checks were happening
constantly. This ensures that a very large timeout doesn't roll over
into immediate callbacks.
FREEBIE
isVerified and isUntrusted both went to the protocol layer, but were not
prepared for rejected promises resulting from missing records. This
prevented send in large groups where there has never been a message
exchanged with one of the members.
FREEBIE
I believe this to be the reason behind some of the high resource usage
on startup. If a lot of read receipts come in for disappearing messages,
this method can be called many, many times very quickly.
FREEBIE
Not sure exactly how to think about Chrome app lifetimes, so we're
being conservative. We only show the full-application loading screen
once, on first display of the inbox.
FREEBIE
Model operations are vulnerable to exceptions thrown by event handlers.
Because this can interrupt really important data operations, it's better
to let the operation continue and log the error. In all likelihood it's
a view-related problem, and that shouldn't cause any data operation to
fail.
FREEBIE
Fix too-aggressive verification notifications on startup by starting a
conversation with the right initial verified state, and then making sure
to fetch() before setting a new verified state.
FREEBIE
On every click, even when sub-panes were open, we were calling
markRead(), which would save the conversation model with the new
unreadCount. The KeyVerificationPanelView was wired up to the change
event on conversation, so it would render with the results of that
update, then finally the user's intended update.
FREEBIE
This removes our support for the New Key/DEFAULT case, which iOS will
sync to us. Why? Because it ensures that in out of date scenarios, we
don't lose the higher-security state we were in previously.
FREEBIE
Tabbing right after entering the view would cause everythign to go crazy
as focus went back to the pane you were just on. This change both sets
the proper focus on load of that view (on the cancel button) and hides
other panes when they aren't active, only making them visible again when
they are once again the 'top' pane.
FREEBIE
New experience in the Message Detail view when outgoing identity key
errors happen, matching the Android View.
'View' button is only shown on outgoing key errors right now.
When a contact with an outgoing identity key error is clicked, they are
taken to a view like the popup that comes up on Android: an explanation
of what happened and three options: 'Show Safety Number', 'Send Anyway',
and 'Cancel'
Contacts are now sorted alphabetically, with the set of contacts with
errors coming before the rest.
FREEBIE
