Stop using __version__ for URLs: Use secure version_signature instead

[evnchn]

Motivation

The security-focused would suggest that version information be kept private.

For example, browsers are freezing the version show in User-Agent-string.

So, being able to list the exact NiceGUI versions used for the websites in #4506, may not be a good idea after all.

Impact-wise it's not that big though. It doesn't even qualify for a security advisory.

Implementation

NiceGUI versions don't have a lot, so hashing that is a no-no (can rainbow table / enumerate)

So, the new version_signature is based off the storage secret under HMAC-SHA256 scheme, which is (iirc) exactly how our client-side JWT cookies are signed.

So long as the storage secret is private, there is no good way to brute force through all NiceGUI versions, without first brute-forcing the storage secret.

Progress

• I chose a meaningful title that completes the sentence: "If applied, this PR will..."
• The implementation is complete (pray to pytest)
  • Fix cyclic import. Need help!
  • Possibly a breaking change if users are registering their own resources without going through NiceGUI?
  • But I don't feel like we should cover that case?
• Pytests have been added (or are not necessary).
• Documentation has been added (or is not necessary).

Final notes

Script kiddies will spam all exploits, so if you're vulnerable you're doomed anyways.

Security through obscurity is no good. It isn't even security.

[falkoschindler]

Quick feedback after talking to Rodja:

• Recomputing the version signature again and again seems wasteful. Since it doesn't change at runtime, we could probably store it as a constant in core.py.
• More importantly: Before merging this PR, we need to update our On Air server. It currently caches NiceGUI resources to avoid requesting them from the NiceGUI app. But if every app has its own signature, we need to somehow communicate the version during handshake.

[evnchn]

Version signature function is cached, so I think it is not wasteful? Still if we want to be more explicit in the constant nature we can move away from a cached function.

The part about On Air is fair, but I don't know how to work on it since I don't know about its inner workings...

[evnchn]

Well for On Air I don't think a secretive version is possible considering CDN use.

Definitely we won't use a separated secret: that way the CDN is incredibly ineffective.

Using a shared secret is as good as no secret, because the hash of a particular version can simply be stored in a lookup dictionary somewhere.

So for On Air we should rather stick with the original plaintext version.

[rodja]

So for On Air we should rather stick with the original plaintext version.

On Air is a smart CDN. If the on air connection provides the information which NiceGUI version the app is running plus it's version_signature, the On Air server can use that to serve the right version from CDN if requests are made to that signature.

[evnchn]

the On Air server can use that to serve the right version from CDN if requests are made to that signature

2 concerns:

• Hash collision
• How do you "serve the right version" that way? If you redirect then it's revealed, but caching can't be efficient if we do direct serving (cache from one app does not benefit another app?)

Anyways I think you will need to take charge on anything that has to do with On Air, including security and client<->server interplay.