After discussion in the Discord server, and some internal discussion,
this was deemed a reasonable patch for various security concerns. This
basically controls whether obs-websocket binds to 127.0.0.1 or 0.0.0.0.
I decided to have obs-websocket bind to 127.0.0.1 by default, since
most users appear to be using obs-websocket on the same machines as
their client software. This will be changed if it poses significant
support-related issues.
Further security solutions have been discussed, but are either a heavy
amount of work, or significantly impact client applications' connect
flows.
One idea that I should mention is like a cookie system, where:
- On first connect, obs-websocket asks the user to approve the
connection.
- After authentication, obs-websocket gives the client a token in the
`Identified` message, which the client stores.
- On future connects, the client uses this token, along with the
password, to authenticate without needing user confirmation.
This system will likely be implemented in a future version of
obs-websocket.
Closes#907
QCloseEvent is the wrong event to use here. If the `Ok` button is
pressed for example, QCloseEvent is not emitted. QHideEvent is
always called when the dialog is hidden.
The functionality of not reloading the server when debug mode is
changed I determined was too confusing to use considering the
benefit that it provides by not reloading the websocket server.
It is technically possible to set debug mode to the server while
it is running, however the implementation would somewhat dirty the
UI code, so I do not feel comfortable doing it at this point.
Show a confirmation dialog when the Show Connect Info button is
clicked and video is active, to prevent users from
unintentionally showing sensitive information while live.
Among lots of stuff:
- Generate a random password on first load
- Add `ConnectInfo` dialog including QR code display
- Add `Generate Password` button to generate a new random
password
- Delete `Copy Password to Clipboard` button
- Delete `GetConnectString` or whatever from WebSocketServer
(reimplemented the functionality directly into ConnectInfo)
- Added `GeneratePassword()` to Utils
Todo: Show warning when users specify their own passwords
