browsix | Browsix is a Unix-like operating system for the browser
kandi X-RAY | browsix Summary
kandi X-RAY | browsix Summary
Browsix is a Unix-like operating system for the browser.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Represents a REPL server .
- Integration of the module .
- Main worker setup
- Listen for incoming packets .
- Emit input to a string
- Format a value into an object .
- Function to call a sychronous command
- Initialize worker .
- Represents a client request .
- Prepare history to new history storage
browsix Key Features
browsix Examples and Code Snippets
Community Discussions
Trending Discussions on browsix
QUESTION
No specific code to look at--just hoping to talk through a problem I am facing, list the options I am aware of, and see if there are any options I am missing. Kindly let me know if this is not appropriate and I will delete the question.
The problem
I'm working on a web-based application that features a method of running commands on a user-owned server, ideally via SSH. I need to implement a solution for executing SSH commands from the browser in the most secure and convenient (for users) way possible. I'm detailing some solutions I've come up with that don't quite cut the mustard, and hoping you all may have some ideas I didn't think of, or tools I might not know about.
My current solution
Currently, I have a working API that translates HTTPS posts into SSH commands, mostly SFTP. The application connects an SSH instance on the application server to a user-owned server, given a username and password or uploaded private key. The server then maintains the SSH client, reconnecting if necessary using user-provided credentials. The application does not store usernames, passwords, or private keys, and information between the client and application server is conducted over HTTPS; authentication information IS, however, kept in a redis in-memory session instance. Because that information must travel through my middle-man application server, causing potential concerns about the client's server security, I would like to find another solution.
My ideal solution
Ideally, I would write an SSH client in a language like Go, converted to WebAssembly, which could be downloaded and run in the browser. No calls to my app server--all SSH traffic, including authentication, goes direct from the client to their server. The WebAssembly would be cached by the browser (though pretty light-weight anyway), preventing egregious download sizes, while still allowing me to do updates as need be. This doesn't work, however, because the browser is sandboxed and can't establish connections with a remote server. I've looked into solutions like Browsix to run a light Unix system in the browser, which could in turn run the SSH application, but it would appear to be similarly limited to running the WebAssembly directly. (Browsix also seems not to be maintained???)
I have come up with two potential alternative solutions, both with some drawbacks that have prevented me from committing to them:
Solution 1
Move the SSH client client-side. My ideal solution is a form of this, but to get around browser limitations, I would require that clients download a small SSH client that can be called from the client-side web application. Realistically, if I am supporting browsers that do not run Chromium and if I am avoiding maintaining a browser extension for every browser I choose to support, that means I cannot interface between the browser and a native application. To get around this, I think I CAN wrap the SSH client in a web server meant to run on a particular port, say :9090. The web app could then make calls to, say, localhost:9090/listDirectories, which would funnel the request body to the SSH client, which would execute the relevant call on the client-owned server. The only downside to this is that it would require the user to download and run an installer, and the program would have to constantly be running and listening on a port on the client computer. This isn't as seamless of a user experience as I would like, and would be prone to errors like the program terminating or not properly starting up when the machine boots. I would also have to maintain installers for multiple major operating systems.
Solution 2
Ditch SSH. Create a small webserver (probably in Go) to listen on a port on the client-owned server. The client-side web app could then make API calls directly to the client-owned server, encrypted over HTTPS, and the webserver listening on the client-owned server would handle the requests. Downsides of this: I need to create a user management system (rather than rely on the client-owned server's authentication systems) and implement some way of ascertaining that the client-owned server is actually owned by the client.
Possible question from you all
You may ask, "Why not just make a native application? You could use something like Electron if you're comfortable making web apps!" That's true--but I would really prefer that the application live in the browser for the sake of updates and ease of access. I know, it sounds like I'm just being difficult.
Please let me know if I can provide any more detail, or if you have any leads for what I should look into next.
...ANSWER
Answered 2020-Nov-10 at 03:59Okay--I'm assuming this question is VERY specific to my use case, so there may not be much demand for an answer here, but if anyone is headed down this same path...
What I went with was creating a simple HTTP server in Go that the client could install on their own server, and then my web application could communicate with it. It was all simpler than I thought it would be. Using SSH was not possible, so I created a simple authentication system, and then all actions on the client's server were prompted by HTTP requests from the web application.
The one catch here is that you WILL run afoul of CORS policy. Thankfully, you have full control over the server application, so cross-origin requests are manageable. You'll need to read up on how to allow cross origin requests on your server (see the excellent MDN reference), paying special attention to all the possible Access-Control-* headers.
Also be aware (and this had me stuck for a long time) that CORS requests come in pairs--one with an OPTIONS method (as part of the browser's pre-flight check) and one with whatever method you assign (GET, POST, etc.). The OPTIONS method is sent first, and is pretty finicky. Read up on OPTIONS and the browser's pre-flight again at MDN, and anywhere else you can find the info you need.
Authentication is a barrier for OPTIONS, as a status code other than 200 can cause the pre-flight to fail and halt your request; but blanket approval of OPTIONS requests can cause a mismatch in content sizes between OPTIONS and your method, causing your request to fail also. To overcome that barrier, I had my initial authentication always return a status 200 and then set "authenticated" or "not authenticated" in the return body, so that my client app knew if the request was successful or not. I also set a session variable on the server side so that the user wouldn't need to keep sending auth information and I could use HTTP status responses normally.
This is a big overview. If anyone has specific questions, feel free to ask them--I'm no CORS expert, but I might be able to point you in the right direction!
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install browsix
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page