Support for client certificates

[ippocratis]

I came upon a reddit post about it and start reading.
From what I can tell i can configure my webserver/reverse proxy to only accept requests from clients that have a matching certificate as an extra layer of security
Haven't manage to set up the server properly yet (I'm kinda noob and the proccess considered pain eitherway)
My suggestion is it will be nice if uhuruphotos supported client certificates

[savvasdalkitsis]

I believe what you might be referring to is certificate pinning? That's usually done in the other direction. To protect clients from connecting to fake servers (or more appropriately, to prevent man in the middle attacks where you connect to a network that intercepts encrypted traffic by issuing their own certificates that are not part of the well known trust chains)

I guess in theory you could do something similar in reverse but not sure of a standard that I could implement that librephotos or your reverse proxy supports.

If you have some keywords or links for me to see what you are referring to that would help

[ippocratis]

I think it is also caled certificate pining
Also mutual tls

As far as I can tell during normal TLS only the client asks from the server a certificate from a trusted authority
In mutual TLS the server also awaits for a trusted cert from the client (the android app in our case)
I think that it does not need to be hard coded in to the app code but the app can read the android a system-wide KeyStore that is used to store cryptographic keys using the KeyStore class.

Here is what openai responded to "How can an android app use the client certificate that is installed on the device"

    Retrieve the KeyStore: The first step is to retrieve the KeyStore that contains the client certificate. Android provides a system-wide KeyStore that is used to store cryptographic keys and certificates, including the client certificate. You can retrieve the system KeyStore using the KeyStore class.

    Get the certificate alias: Once you have retrieved the KeyStore, you need to find the alias of the client certificate. The alias is a unique identifier that is used to access the certificate from the KeyStore. You can get the alias by iterating over the aliases in the KeyStore until you find the client certificate.

    Retrieve the client certificate: Once you have the alias, you can retrieve the client certificate from the KeyStore using the alias. You can use the KeyStore.getCertificate(alias) method to get the certificate as a java.security.cert.Certificate object.

    Convert the certificate: The certificate retrieved from the KeyStore is a java.security.cert.Certificate object, which may need to be converted to the appropriate format for use in your app. For example, if you need to use the certificate in an HTTPS connection, you may need to convert it to an X509Certificate object.

    Use the certificate: Once you have the certificate in the appropriate format, you can use it in your app as needed. For example, you can configure an SSLContext to use the certificate for client authentication during an HTTPS connection.

Anyway
I think this might be way down to the priority list of uhuruphotos

But sounded like a great security feature and thought I might share it

Here is the reddit post I was referring to link

[ippocratis]

More on this

I have managed to set up caddy to reverse proxy with mtls to librephotos following the above thread

Installed the generated p12 cert as VPN and app cert to android settings >security
So webprowser ask and CAN use it to access my librephotos server

A popular app that have the mtls option is davx5

bitfireAT/davx5-ose@3689df1

Keeping this alive as you may have a look in to it at some point

Thanks
Keep up

[ippocratis]

Even more on this......

This one uses a difernet aproach
Instead of providing the PKS12 cert with a file picker the app picks it from the android user cert store

Radiokot/photoprism-android-client#14