zed/crates/collab
Marshall Bowers c84da37030
rpc: Add support for OAEP-based encryption format (#15058)
This PR adds support for a new encryption format for exchanging access
tokens during the authentication flow.

The new format uses Optimal Asymmetric Encryption Padding (OAEP) instead
of PKCS#1 v1.5, which is known to be vulnerable to side-channel attacks.

**Note: We are not yet encrypting access tokens using the new format, as
this is a breaking change between the client and the server. This PR
only adds support for it, and makes it so the client and server can
decrypt either format moving forward.**

This required bumping the RSA key size from 1024 bits to 2048 bits. This
is necessary to be able to encode the access token into the ciphertext
when using OAEP.

This also follows OWASP recommendations:

> If ECC is not available and RSA must be used, then ensure that the key
is at least 2048 bits.
>
> —
[source](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)

Release Notes:

- N/A
2024-07-23 21:25:25 -04:00
..
k8s
migrations remoting: Allow Add/Remove remote folder (#14532) 2024-07-16 12:01:59 -06:00
migrations.sqlite remoting: Allow Add/Remove remote folder (#14532) 2024-07-16 12:01:59 -06:00
src rpc: Add support for OAEP-based encryption format (#15058) 2024-07-23 21:25:25 -04:00
.env.toml
admin_api.conf
Cargo.toml Update http crate name (#15041) 2024-07-23 15:01:05 -07:00
LICENSE-AGPL
README.md
seed.default.json

Zed Server

This crate is what we run at https://collab.zed.dev.

It contains our back-end logic for collaboration, to which we connect from the Zed client via a websocket after authenticating via https://zed.dev, which is a separate repo running on Vercel.

Local Development

Database setup

Before you can run the collab server locally, you'll need to set up a zed Postgres database.

script/bootstrap

This script will set up the zed Postgres database, and populate it with some users. It requires internet access, because it fetches some users from the GitHub API.

The script will create several admin users, who you'll sign in as by default when developing locally. The GitHub logins for the default users are specified in the seed.default.json file.

To use a different set of admin users, create crates/collab/seed.json.

{
  "admins": ["yourgithubhere"],
  "channels": ["zed"],
  "number_of_users": 20
}

Testing collaborative features locally

In one terminal, run Zed's collaboration server and the livekit dev server:

foreman start

In a second terminal, run two or more instances of Zed.

script/zed-local -2

This script starts one to four instances of Zed, depending on the -2, -3 or -4 flags. Each instance will be connected to the local collab server, signed in as a different user from seed.json or seed.default.json.

Deployment

We run two instances of collab:

Both of these run on the Kubernetes cluster hosted in Digital Ocean.

Deployment is triggered by pushing to the collab-staging (or collab-production) tag in Github. The best way to do this is:

  • ./script/deploy-collab staging
  • ./script/deploy-collab production

You can tell what is currently deployed with ./script/what-is-deployed.

Database Migrations

To create a new migration:

./script/create-migration <name>

Migrations are run automatically on service start, so run foreman start again. The service will crash if the migrations fail.

When you create a new migration, you also need to update the SQLite schema that is used for testing.