Securing RocketChat server by additional header/cookie

[warmanton]

Hello.

I have suggestion (or question) about additional level of rocket.chat security. Probably many people would like to protect their company's rocket.chat instances with VPN or other additional level of security - nobody likes to open services to the public internet due to scanning bots and sudden security vulnerabilities.

VPN is not convenient and reduces usability of mobile apps. The most easy way is to protect rocket.chat server with nginx which accepts some kind of auth. It should be some additional header or cookie (actually cookie is a kind of headers but it can have expiration which is more useful).

Actually I already tested this scheme with nginx + cookie: to get into the rocket.chat user has to field web form with his email in allowed domain. Python backend does all the magic - it sets some keys in redis and sends email with two deeplinks to user. First link sets cookie, second link contains real rocket.chat deeplink with access token. We tested it on android and iPhone clients - it works. May be not very clear but it works. Cookie is per-user-basis. DeepLink should be only one and mobile clients should set this accessCookie on every request. Cookie should be passed to the mobile client via additional deepLink parameter which is not yet implemented.

My question/suggestion: is it good idea to do feature request about adding yet another parameter to deep link with access cookie ? May be even we can do pull request about this. Or may be there is another useful way to protect rocket.chat server from public network ?

[diegolmello]

Usually this kind of additional security is done by adding a SSL client certificate.
There's apply your certificate at the bottom of add server screen.
If all set, all requests are made through it.

[diegolmello]

I see.
Do you have any documentation/example of what you're trying to achieve?

[warmanton]

Yes, I have. Here are two diagrams:

First example:

Here is my testing stand with authentication by cookie. To enter the chat User should do next steps:

1. Open in browser web form and fill it out with his e-mail address (backend checks for allowed domains and prepares cookie and saves it to Redis DB)
2. Receive the email from backend. Email contains two DeepLinks for Mobile client and two links for browser clien. The first link is used to set cookie for domain, the second link is a real rocketchat link.
3. Click on link1 and then on link2

After that user has access to rocketchat with cookie. Nginx allows proxy_pass only if cookie is presented

Second example:

Here rocketchat is protected by nginx which allows proxy_pass only if client has certificate.

To get access to chat User has to fill out web form with his email. Backend checks email for allowed domains and issues client certificate for this user and sends cert to specified email. User should install this cert to mobile client or to the browser.

In both usage cases email address is the entry point for the user. If user can read specified email address then he has access to rocketchat.

The thing that I would like to have from the mobile client side is and additional parameter to specify cookie (case1) or to pass client cert (case2) in deeplink (or both). Whith special parameters for deeplink users should only click on deeplink once. Deeplink should have all parameters to get access to rocket chat:

1. rocketchat host, user-id, access-key and cookie
2. rocketchat host, user-id, access-key and client cert

[diegolmello]

I see. Do you know if other apps do that, like Slack, Teams, etc?
Do you see this getting implemented on enterprise businesses?
Can you contribute with this proposal?

[warmanton]

I assume these features described above provide additional level of security for self-hosted chat installation. AFAIK Slack and Teams have no self hosted installations and thus these features cannot be used there (Slack and Teams teams do service protection by its own).

I have no information about other chat solutions and I have nothing to contribute.

[warmanton]

Usually this kind of additional security is done by adding a SSL client certificate. There's apply your certificate at the bottom of add server screen. If all set, all requests are made through it.

I installed nginx with ssl_verify_client on (created CA and client certs, installed certs to Firefox and to my android). Connected to rocketchat via nginx with client certs. Looks like web browser works well but mobile app has some issues. For example:

rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/room/GENERAL?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/admin.admin?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/a.ivanov?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/room/3RzW7Q8W3uvFDBb2H?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/i.ivanov?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/polina?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/mobile2?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/room/d4nb9862FW76MZeX2?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"
rc-nginx       | 10.10.6.1 - - [02/Sep/2022:07:55:50 +0000] "GET /avatar/mu1?format=png&size=144 HTTP/1.1" 400 237 "-" "RC Mobile; android 10; v4.29.0 (34199)" "-"

Also video message cannot be downloaded - got 400 in nginx logs (this means that client does not provide certificate).

I.e. text messages work but other features work bad (no user icons, no video files). A lot of 400 codes in nginx logs means that client certificate support is not fully functional in moblile rocketchat client. My tests with cookies work better.

B.t.w. when I did not found 400 codes in nginx logs while tested client cert authenticated connection on FireFox.

@diegolmello do You have any ideas how to fix workflow with client certificate ?