Linux Testing Feedback


ahauser

Well-known member
Feb 22, 2019
224
57
As @Paul F has pointed out in the newsgroups a long time ago, there is some weird difference between the sqrl:// invocation on the GRC demo page as opposed to here on the forums, which nobody seems to have figured out the reason for yet.
Well, finally finding some time to look at this, the solution to this mystery turns out to be quite simple:

JavaScript:
// Linux/WINE desktop environments lack the uniform means for registering scheme handlers.
// So when we detect that we're running under Linux we disable the invocation of SQRL with
// the "sqrl://" scheme and rely upon upon the localhost server --- UNLESS we detect 'sqrl'
// present in the user-agent header which gives us permission to invoke with the sqrl:// scheme.
window.onload = function() {
    if ((navigator.userAgent.match(/linux/i)) && !(navigator.userAgent.match(/sqrl/i)) && !(navigator.userAgent.match(/android/i)))
    {        // if we're on Linux, suppress the sqrl:// href completely
        document.getElementById("sqrl").onclick = function() { sqrlLinkClick(this); return false; };
    }
}
Steve turns off the sqrl:// link invocation on the demo page for Linux ON PURPOSE, as long as no sqrl string is present in the User-Agent header.

CC @Paul F, @josecgomez, @Alan M Cameron
 

Alan M Cameron

Well-known member
Well, finally finding some time to look at this, the solution to this mystery turns out to be quite simple:

JavaScript:
// Linux/WINE desktop environments lack the uniform means for registering scheme handlers.
// So when we detect that we're running under Linux we disable the invocation of SQRL with
// the "sqrl://" scheme and rely upon upon the localhost server --- UNLESS we detect 'sqrl'
// present in the user-agent header which gives us permission to invoke with the sqrl:// scheme.
window.onload = function() {
    if ((navigator.userAgent.match(/linux/i)) && !(navigator.userAgent.match(/sqrl/i)) && !(navigator.userAgent.match(/android/i)))
    {        // if we're on Linux, suppress the sqrl:// href completely
        document.getElementById("sqrl").onclick = function() { sqrlLinkClick(this); return false; };
    }
}
Steve turns off the sqrl:// link invocation on the demo page for Linux ON PURPOSE, as long as no sqrl string is present in the User-Agent header.

CC @Paul F, @josecgomez, @Alan M Cameron
Will this lead to a change in the Linux installation?
 

Paul F

Well-known member
Apr 11, 2019
97
29
Toronto
Well, finally finding some time to look at this, the solution to this mystery turns out to be quite simple:
...
Steve turns off the sqrl:// link invocation on the demo page for Linux ON PURPOSE, as long as no sqrl string is present in the User-Agent header.
And here it is: http://www.GRC.com/groups/sqrl:17932

Thanks very much @ahauser for looking into this! How do you get the javascript dump? Can you see why it works when you open the signin button in a new tab?
 

ahauser

Well-known member
Feb 22, 2019
224
57
Right before our eyes. Thanks for the pointer, @Paul F!

How do you get the javascript dump?
Just "show source" on the demo page and then follow the javascript include: https://www.grc.com/sqrl/demo/pagesync.js

Can you see why it works when you open the signin button in a new tab?
I haven't really looked into this @Paul F, so I can only suspect that the window.onload isn't honored when opening in a new tab!? I'm not a javascript guy, so I don't really know what I'm talking about here, maybe someone like @Jaap can shed some light.
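
Added example, not part of any post in this thread and not GRC's pagesync.js: a small model of the quoted User-Agent gate together with standard browser click semantics, where a context-menu "open in new tab" dispatches no click event to the page, so an onclick handler that returns false never gets the chance to cancel the href. The link object, function names, href and User-Agent strings are constructed, and the default (non-gated) handler is assumed to start CPS polling and let the href proceed.

```javascript
// Added illustration, not GRC's pagesync.js: the gate quoted in this thread
// plus standard browser click semantics.
function suppressesSchemeLink(userAgent) {
  return /linux/i.test(userAgent) &&
         !/sqrl/i.test(userAgent) &&
         !/android/i.test(userAgent);
}

// Stand-in for <a id="sqrl" href="sqrl://...">; the href is a constructed value.
function makeLoginLink(userAgent) {
  const link = { href: "sqrl://site.example/cli.sqrl?nut=CONSTRUCTED", polling: false };
  // Assumed default: start CPS polling and let the href fire as well.
  link.onclick = function () { link.polling = true; return true; };
  if (suppressesSchemeLink(userAgent)) {
    // Gated case from the thread: poll, then cancel the default navigation.
    link.onclick = function () { link.polling = true; return false; };
  }
  return link;
}

// Ordinary left click: the handler runs first; returning false cancels the href.
function leftClick(link) {
  const proceed = link.onclick() !== false;
  return { navigatedTo: proceed ? link.href : null, polling: link.polling };
}

// Context-menu "open in new tab": no click event reaches the page, so no
// handler runs and the browser loads the href directly.
function openInNewTab(link) {
  return { navigatedTo: link.href, polling: link.polling };
}

// Constructed sample User-Agent strings. Note the Android one contains "Linux".
const SAMPLE_UAS = {
  linuxDesktop: "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0",
  linuxWithToken: "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 SQRL/1",
  android: "Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 Chrome/73.0 Mobile Safari/537.36",
  windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
};

function summarize() {
  return Object.fromEntries(Object.entries(SAMPLE_UAS).map(([name, ua]) => [name, {
    gated: suppressesSchemeLink(ua),
    leftClickFiresScheme: leftClick(makeLoginLink(ua)).navigatedTo !== null,
    newTabFiresScheme: openInNewTab(makeLoginLink(ua)).navigatedTo !== null,
  }]));
}
console.log(summarize());
```

Because the gate reads only `navigator.userAgent`, it is a compatibility switch under the client's control, not an enforcement point.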
 

Paul F

Well-known member
Apr 11, 2019
97
29
Toronto
Just "show source" on the demo page and then follow the javascript include: https://www.grc.com/sqrl/demo/pagesync.js
Ah, yes, you have to right-click on the page. It's not in the menu toolbar. And then you have to go into pagesync.js. Good work! I shouldn't have been so quick to blame Linux. Except it was presumably Linux's fault that Steve had to disable the sqrl:// handling in the first place :) .
 

PHolder

Well-known member
May 19, 2018
1,228
205
I guess I am not understanding the problem. I know that Steve's client does identify itself as SQRL in the user agent... and I know this because that was proving a problem for some users behind some proxy servers inside some businesses.

So perhaps you can summarize the problem because I haven't been keeping up closely with this loooong thread (currently on page 7.)
 

ahauser

Well-known member
Feb 22, 2019
224
57
So perhaps you can summarize the problem...
Sure! The thing is, at the point in time where we hit this problem, the SQRL client isn't even involved in the auth process yet:
  1. User visits web site (in this case https://www.grc.com/sqrl/demo.htm)
  2. The user's browser displays the login form
  3. A javascript handler is placed on the "Log in with SQRL" button that simultaneously provides the sqrl:// link and starts polling the CPS server.

    <= This is where we hit a wall on Linux, since Steve deliberately crafted his javascript so that the click handler returns false if the user agent header contains "Linux". This was implemented because it was impossible to get things going with his client in Linux under WINE. To somewhat "mitigate" this, he added another clause that would still allow the sqrl:// invocation if the string sqrl is found in the browser's user agent header, which would allow tech-savvy people to manipulate their browser's user agent string manually to still trigger the invocation. This is of course of no use to us.

  4. The SQRL client is invoked either by receiving the sqrl:// invocation or by receiving the CPS request.

    Up until now, Jose and I followed a different approach here: We only started the CPS server after receiving a sqrl:// invocation, simply to reduce the attack surface. Why have the CPS server running all the time and present a possible target for attacks if we don't need to? However, with the deliberate blocking of the sqrl:// invocation on Linux, this is a problem for our approach. So we are simultaneously also investigating changing it so that our client can also be "awakened" by CPS and does not rely on a preceding sqrl:// invocation.
Hope this helps.
 

PHolder

Well-known member
May 19, 2018
1,228
205
That dang Javascript. I've never liked it even being present on the landing/login page, though Steve wants it there because it makes the log in via scanning a QR Code more magical. (I think that isn't even really all that useful or advised IMHO. Mobile phones have gotten powerful enough to use in place of any kiosk in almost every case.) My thinking has always been to have the site have that "magic" QRCode and matching Javascript hidden off somehow, so that the user has to request it to even have it come in to play. That way, no Javascript would even run at all until after the SQRL button is clicked and the client also gets involved. Anyway... this is likely not the place to discuss that issue.
 

Alan M Cameron

Well-known member
All that was way above my paygrade but nevertheless interesting. I will avoid JS until I feel more comfortable with bread and butter PHP.
Do we @ahauser @josecgomez and I need to spawn a new thread to handle the ongoing testing or are you happy with the comment

So perhaps you can summarize the problem because I haven't been keeping up closely with this loooong thread (currently on page 7.)
 

Alan M Cameron

Well-known member
I would suggest to either open a new thread specifically for your testing efforts, @Alan M Cameron, or report problems directly as an "issue" on Github: https://github.com/sqrldev/SQRLDotNetClient/issues
I do not feel comfortable using GitHub so perhaps we just plough along in this thread. There is not much I have to report in the testing so far. If you want a status I will gather the tests I have done and report on each one.

So far no show stoppers.
 

josecgomez

Well-known member
Aug 6, 2018
137
35
I do not feel comfortable using GitHub so perhaps we just plough along in this thread. There is not much I have to report in the testing so far. If you want a status I will gather the tests I have done and report on each one.

So far no show stoppers.
That's fine Alan, no worries about github keep them coming in here now big. We can transfer it over there if it is needed.
 

Alan M Cameron

Well-known member
I think I have found out how to view the issues associated with the Linux installation in GitHub I have been collaborating on. I have added a comment on the most relevant bug but do not know if I have been added to your list of collaborating members.
Your advice would be appreciated and if you agree I will make my testing reports in GitHub which is still strange to me but I am sure you will correct me if I go wrong.
 

ahauser

Well-known member
Feb 22, 2019
224
57
@Alan M Cameron, we received your comment on the "Garbled window contents" issue on Github just fine, no problems there! As @josecgomez already mentioned before, just use whatever method you feel comfortable with when reporting bugs, and we will take care of the rest!
 

Alan M Cameron

Well-known member
There is somewhere in the Linux client a line of text "show advanced options". I cannot see where this comes into play.
How do I show the advanced options?

In Steve's spec there is a mention of alternate identities. Has this been implemented in the Linux client?