immich/mobile/lib/utils/http_ssl_options.dart

import 'package:flutter/services.dart';
import 'package:immich_mobile/domain/models/store.model.dart';
import 'package:immich_mobile/entities/store.entity.dart';
import 'package:immich_mobile/services/app_settings.service.dart';
import 'package:logging/logging.dart';

class HttpSSLOptions {
  static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');

  static void apply({bool applyNative = true}) {
    AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
    bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);

    // Check if user certificates are enabled
    bool useUserCerts = Store.get(
      AppSettingsEnum.useUserCertificates.storeKey,
      AppSettingsEnum.useUserCertificates.defaultValue,
    );

    if (useUserCerts) {
      _applyWithUserCertificates(allowSelfSignedSSLCert, applyNative: applyNative);
    } else {
      _apply(allowSelfSignedSSLCert, applyNative: applyNative);
    }
  }

  static void applyFromSettings(bool newValue) {
    // Check if user certificates are enabled
    bool useUserCerts = Store.get(
      AppSettingsEnum.useUserCertificates.storeKey,
      AppSettingsEnum.useUserCertificates.defaultValue,
    );

    if (useUserCerts) {
      _applyWithUserCertificates(newValue);
    } else {
      _apply(newValue);
    }
  }

  static void applyWithUserCertificates({bool applyNative = true}) {
    AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;
    bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);
    _applyWithUserCertificates(allowSelfSignedSSLCert, applyNative: applyNative);
  }

  static void _apply(bool allowSelfSignedSSLCert, {bool applyNative = true}) {
    String? serverHost;
    if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {
      serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
    }

    // HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);

    // if (applyNative && Platform.isAndroid) {
    //   _channel
    //       .invokeMethod("apply", [allowSelfSignedSSLCert, serverHost, clientCert?.data, clientCert?.password])
    //       .onError<PlatformException>((e, _) {
    //         final log = Logger("HttpSSLOptions");
    //         log.severe('Failed to set SSL options', e.message);
    //       });
    // }
  }

  static void _applyWithUserCertificates(bool allowSelfSignedSSLCert, {bool applyNative = true}) {
    String? serverHost;
    if (Store.tryGet(StoreKey.currentUser) != null) {
      serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;
    }

    // Create SSL override that uses user certificates from system store
    // HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, null);

    // if (applyNative) {
    //   _channel
    //       .invokeMethod("applyWithUserCertificates", [serverHost, allowSelfSignedSSLCert])
    //       .onError<PlatformException>((e, _) {
    //         final log = Logger("HttpSSLOptions");
    //         log.severe('Failed to set SSL options with user certificates', e.message);
    //       });
    // }
  }

  static Future<List<Map<String, String>>> getAvailableUserCertificates() async {
    try {
      final List<dynamic> certificates = await _channel.invokeMethod("getAvailableCertificates");
      return certificates.map((cert) => Map<String, String>.from(cert)).toList();
    } catch (e) {
      final log = Logger("HttpSSLOptions");
      log.severe('Failed to get available user certificates: $e');
      return [];
    }
  }
}
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`import 'package:flutter/services.dart';`
			`import 'package:immich_mobile/domain/models/store.model.dart';`
			`import 'package:immich_mobile/entities/store.entity.dart';`
			`import 'package:immich_mobile/services/app_settings.service.dart';`
			`import 'package:logging/logging.dart';`

			`class HttpSSLOptions {`
			`static const MethodChannel _channel = MethodChannel('immich/httpSSLOptions');`

fix: override SSL options inside isolates (#20142) Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-25 00:56:00 +05:30			`static void apply({bool applyNative = true}) {`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;`
chore: bump line length to 120 (#20191) 2025-07-25 08:07:22 +05:30			`bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);`
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00
			`// Check if user certificates are enabled`
			`bool useUserCerts = Store.get(`
			`AppSettingsEnum.useUserCertificates.storeKey,`
			`AppSettingsEnum.useUserCertificates.defaultValue,`
			`);`

			`if (useUserCerts) {`
			`_applyWithUserCertificates(allowSelfSignedSSLCert, applyNative: applyNative);`
			`} else {`
			`_apply(allowSelfSignedSSLCert, applyNative: applyNative);`
			`}`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`}`

			`static void applyFromSettings(bool newValue) {`
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`// Check if user certificates are enabled`
			`bool useUserCerts = Store.get(`
			`AppSettingsEnum.useUserCertificates.storeKey,`
			`AppSettingsEnum.useUserCertificates.defaultValue,`
			`);`

			`if (useUserCerts) {`
			`_applyWithUserCertificates(newValue);`
			`} else {`
			`_apply(newValue);`
			`}`
			`}`

			`static void applyWithUserCertificates({bool applyNative = true}) {`
			`AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;`
			`bool allowSelfSignedSSLCert = Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);`
			`_applyWithUserCertificates(allowSelfSignedSSLCert, applyNative: applyNative);`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`}`

fix: override SSL options inside isolates (#20142) Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-25 00:56:00 +05:30			`static void _apply(bool allowSelfSignedSSLCert, {bool applyNative = true}) {`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`String? serverHost;`
			`if (allowSelfSignedSSLCert && Store.tryGet(StoreKey.currentUser) != null) {`
			`serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;`
			`}`

feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`// HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, clientCert);`

			`// if (applyNative && Platform.isAndroid) {`
			`// _channel`
			`// .invokeMethod("apply", [allowSelfSignedSSLCert, serverHost, clientCert?.data, clientCert?.password])`
			`// .onError<PlatformException>((e, _) {`
			`// final log = Logger("HttpSSLOptions");`
			`// log.severe('Failed to set SSL options', e.message);`
			`// });`
			`// }`
			`}`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`static void _applyWithUserCertificates(bool allowSelfSignedSSLCert, {bool applyNative = true}) {`
			`String? serverHost;`
			`if (Store.tryGet(StoreKey.currentUser) != null) {`
			`serverHost = Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;`
			`}`

			`// Create SSL override that uses user certificates from system store`
			`// HttpOverrides.global = HttpSSLCertOverride(allowSelfSignedSSLCert, serverHost, null);`

			`// if (applyNative) {`
			`// _channel`
			`// .invokeMethod("applyWithUserCertificates", [serverHost, allowSelfSignedSSLCert])`
			`// .onError<PlatformException>((e, _) {`
			`// final log = Logger("HttpSSLOptions");`
			`// log.severe('Failed to set SSL options with user certificates', e.message);`
			`// });`
			`// }`
			`}`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00
feat: use OkHttp and fix mTLS (#15230) 2025-10-08 13:55:04 +02:00			`static Future<List<Map<String, String>>> getAvailableUserCertificates() async {`
			`try {`
			`final List<dynamic> certificates = await _channel.invokeMethod("getAvailableCertificates");`
			`return certificates.map((cert) => Map<String, String>.from(cert)).toList();`
			`} catch (e) {`
			`final log = Logger("HttpSSLOptions");`
			`log.severe('Failed to get available user certificates: $e');`
			`return [];`
fix(mobile): Remote video playback and asset download on Android with mTLS (#16403) * Add class to apply SSL options * Apply client certificate for native Android code * Refactor self-signed check * Allow self-signed certificates * Fix Dart analysis * Add HostnameVerifier Android explicitly does NOT check the Common Name of a certificate, only the Subject Alt Names. Chances are that someone who self-signs a certificate doesn't go through the extra steps to add a SAN, and in that case the connection would be prevented by the HostnameVerifier even thought the TrustManager was fine with the certificate itself. * Rename parameter like in Dart * Fix NPE * Catch all native errors in HttpSSLOptionsPlugin * Workaround for too early onChanged() callback * Fix formatting --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2025-05-08 15:45:11 +02:00			`}`
			`}`
			`}`