This repository has been archived by the owner on Nov 2, 2023. It is now read-only.

Upload form to Aggregate should support HTTP #54

Closed
yanokwa opened this issue Dec 21, 2016 · 6 comments

Comments

@yanokwa
Member

yanokwa commented Dec 21, 2016

Currently, the Upload Form to Aggregate Instance URI starts with https. Local servers of ODK Aggregate are often http so we should support it.

And if we do, the second example in the dialog box should be http.

@issa-tseng
Member

issa-tseng commented Dec 21, 2016

The JavaRosa documentation has a lot to say about not allowing http: https://bitbucket.org/javarosa/javarosa/wiki/AuthenticationAPI

I find it vanishingly unlikely that somebody will have a local server that is accessible from the Internet at large anyway?

@yanokwa
Member Author

yanokwa commented Dec 21, 2016

My reading of the spec is that you should use HTTPS, but it isn't required.

The vast majority of local Aggregate servers (and there are a fair bit of those) I come across do not have HTTPS enabled. This is mostly because installing an SSL cert on Tomcat is a miserable task.

@issa-tseng
Member

Question stands: are those servers visible from the internet, though, or are they likely to be behind a NAT?

@yanokwa
Member Author

yanokwa commented Jan 6, 2017

They are visible from the Internet.

@issa-tseng
Member

PR #101 started on this ticket, but it still needs more work:

The request here is to allow both http and https server addresses, so there are quite a few spots that need adjustment:

  • The UI should neither assume http nor https, and allow either option, either via a <select> tag or via format validation with meaningful error text to the user.
  • The server currently assumes https.
  • I'd personally appreciate it if there were a security notice at the bottom (if you go with a <select>, ideally only show it if http is chosen) noting that the user's authentication credentials will be sent insecurely. Sample wording: "Warning: sending data to a non-HTTPS Aggregate server will mean your credentials and data are sent over the web insecurely."

I like that #101 left one example https and changed one to http.

@trendspotter
Contributor

Hi,
Sorry for the thread necromancy, but the unsecured HTTP is still not supported correctly enough. Currently, there is this in the code: https://github.com/opendatakit/build/blob/283da5840c7f83adf8228c558311266723b83fc1/server/odkbuild_server.rb#L252-L255
which forces `http.use_ssl = true` every time, resulting in an OpenSSL handshake error on plain HTTP. It seems like an easy fix, but I have absolutely zero knowledge of Ruby, so I don't dare to make one.
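
The behaviour requested in this thread (accept either scheme, reject anything else with a clear error, warn on http, and enable TLS only for https instead of forcing `http.use_ssl = true`), sketched in Ruby as an added example. It is not code from ODK Build or from any commenter; `parse_aggregate_url`, `build_aggregate_client`, `InvalidAggregateUrl` and the example.org hosts are hypothetical.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Warning wording taken from the sample in the thread.
INSECURE_WARNING = 'Warning: sending data to a non-HTTPS Aggregate server will mean ' \
                   'your credentials and data are sent over the web insecurely.'

class InvalidAggregateUrl < StandardError; end

# Hypothetical helper: accept only http:// or https:// URLs that name a host.
# URI::HTTPS is a subclass of URI::HTTP, so one is_a? check covers both schemes.
def parse_aggregate_url(raw)
  uri = URI.parse(raw.to_s.strip)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise InvalidAggregateUrl, 'Server address must start with http:// or https://'
  end
  uri
rescue URI::InvalidURIError
  raise InvalidAggregateUrl, 'Server address is not a valid URL'
end

# Hypothetical helper: build an unconnected Net::HTTP client whose TLS setting
# follows the URL scheme. Returns [client, warning]; warning is nil for https.
def build_aggregate_client(raw)
  uri = parse_aggregate_url(raw)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  # Keep certificate verification on whenever TLS is in use.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
  [http, http.use_ssl? ? nil : INSECURE_WARNING]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; nothing is sent over the network.
  ['https://aggregate.example.org/',
   'http://aggregate.example.org:8080/Aggregate',
   'ftp://aggregate.example.org'].each do |raw|
    begin
      http, warning = build_aggregate_client(raw)
      puts "#{raw} -> port #{http.port}, TLS #{http.use_ssl?}"
      puts "  #{warning}" if warning
    rescue InvalidAggregateUrl => e
      puts "#{raw} -> rejected: #{e.message}"
    end
  end
end
```

The warning string is returned rather than printed so the UI can show it only when an http address is entered.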
