After discussion in the Discord server, and some internal discussion,
this was deemed a reasonable patch for various security concerns. This
basically controls whether obs-websocket binds to 127.0.0.1 or 0.0.0.0.

I decided to have obs-websocket bind to 127.0.0.1 by default, since
most users appear to be using obs-websocket on the same machines as
their client software. This will be changed if it poses significant
support-related issues.

Further security solutions have been discussed, but are either a heavy
amount of work, or significantly impact client applications' connect
flows.

One idea that I should mention is like a cookie system, where:
- On first connect, obs-websocket asks the user to approve the
  connection.
- After authentication, obs-websocket gives the client a token in the
  `Identified` message, which the client stores.
- On future connects, the client uses this token, along with the
  password, to authenticate without needing user confirmation.

This system will likely be implemented in a future version of
obs-websocket.

Closes #907
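
The approve-once token idea listed in the commit message above, as an added sketch that is not obs-websocket code and not part of any commit. `ApprovalGate`, `identify`, `revoke_all`, the `type`/`token` message fields, storing only token hashes, and the direct password comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ApprovalGate:
    """Approve-once, token-afterwards flow (hypothetical names throughout)."""

    def __init__(self, password, ask_user):
        self._password = password.encode()
        self._ask_user = ask_user      # callable; True means the user approved
        self._token_hashes = set()     # store hashes only, never raw tokens

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def identify(self, password, token=None):
        """Return an Identified-style dict, or None when the client is refused."""
        # The password is always checked; a token never replaces it.
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        # Known token: no confirmation prompt on this connect.
        if token is not None and self._digest(token) in self._token_hashes:
            return {"type": "Identified", "token": token}
        # Missing or unknown token: treat as a first connect and ask the user.
        if not self._ask_user():
            return None
        new_token = secrets.token_urlsafe(32)
        self._token_hashes.add(self._digest(new_token))
        return {"type": "Identified", "token": new_token}

    def revoke_all(self):
        """Forget every issued token, e.g. when the password is regenerated."""
        self._token_hashes.clear()


def demo():
    """Run the flow with a constructed password and an always-approve prompt."""
    prompts = []
    gate = ApprovalGate("constructed-password", lambda: prompts.append(1) or True)
    first = gate.identify("constructed-password")                  # prompt 1
    again = gate.identify("constructed-password", first["token"])  # no prompt
    bad_pw = gate.identify("wrong-password", first["token"])       # refused
    gate.revoke_all()
    after = gate.identify("constructed-password", first["token"])  # prompt 2
    return (len(prompts), again["token"] == first["token"], bad_pw,
            after["token"] != first["token"])
```

A stolen token alone gets nowhere without the password, and a revoked or unknown token only drops the client back to the confirmation prompt.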

Final "UI" part of the plugin to be completed. I'm annoyed at how
many includes are required in order to implement this feature. It
breaks quite a bit of the modularity of the plugin because suddenly
everything has to include obs libraries (for translations).

A request from the OBS developers. Debug mode tends to be enabled,
then not remembered to be disabled, leading to logs that are both
long and difficult to read. In some cases, the OBS logviewer may
noticeably lock up the UI just trying to parse the long log file.

Show a confirmation dialog when the Show Connect Info button is
clicked and video is active, to prevent users from
unintentionally showing sensitive information while live.

Among lots of stuff:
- Generate a random password on first load
- Add `ConnectInfo` dialog including QR code display
- Add `Generate Password` button to generate a new random
  password
- Delete `Copy Password to Clipboard` button
- Delete `GetConnectString` or whatever from WebSocketServer
  (reimplemented the functionality directly into ConnectInfo)
- Added `GeneratePassword()` to Utils

Todo: Show warning when users specify their own passwords

Debug mode requires a restart of the websocket server by design.
However, to avoid interrupting connections, the websocket server is
not automatically restarted when the setting is changed.