[auth] Potential fix for invalid handshake error on Windows (#2247)

## Description

## Tests

auth/lib/core/network.dart

@@ -1,8 +1,10 @@
 import 'dart:io';
 
 import 'package:dio/dio.dart';
+import 'package:dio/io.dart';
 import 'package:ente_auth/core/configuration.dart';
 import 'package:ente_auth/core/event_bus.dart';
+import 'package:ente_auth/core/win_http_client.dart';
 import 'package:ente_auth/events/endpoint_updated_event.dart';
 import 'package:ente_auth/utils/package_info_util.dart';
 import 'package:ente_auth/utils/platform_util.dart';
@@ -50,6 +52,19 @@ class Network {
         },
       ),
     );
+    if (Platform.isWindows) {
+      final customHttpClient = windowsHttpClient();
+      _enteDio.httpClientAdapter = IOHttpClientAdapter(
+        createHttpClient: () {
+          return customHttpClient;
+        },
+      );
+      _dio.httpClientAdapter = IOHttpClientAdapter(
+        createHttpClient: () {
+          return customHttpClient;
+        },
+      );
+    }
     _setupInterceptors(endpoint);
 
     Bus.instance.on<EndpointUpdatedEvent>().listen((event) {

auth/lib/core/win_http_client.dart

@@ -0,0 +1,68 @@
+import 'dart:convert';
+import 'dart:io';
+
+import 'package:flutter/foundation.dart';
+
+/*
+Reference from
+https://github.com/realm/realm-dart/blob/main/packages/realm_dart/lib/src/handles/native/default_client.dart
+https://github.com/realm/realm-dart/pull/1378
+ */
+HttpClient windowsHttpClient() {
+  const isrgRootX1CertPEM = // The root certificate used by lets encrypt
+      '''
+subject=CN=ISRG Root X1,O=Internet Security Research Group,C=US
+issuer=CN=DST Root CA X3,O=Digital Signature Trust Co.
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----''';
+
+  if (Platform.isWindows) {
+    final context = SecurityContext(withTrustedRoots: true);
+    try {
+      context.setTrustedCertificatesBytes(
+        const AsciiEncoder().convert(isrgRootX1CertPEM),
+      );
+      debugPrint("Certificate added to trusted certificates");
+      return HttpClient(context: context);
+    } on TlsException catch (e) {
+      debugPrint(
+          "Error adding certificate to trusted certificates: ${e.osError?.message}");
+      // certificate is already trusted. Nothing to do here
+      if (e.osError?.message.contains("CERT_ALREADY_IN_HASH_TABLE") != true) {
+        rethrow;
+      } else {
+        return HttpClient();
+      }
+    }
+  }
+  throw UnsupportedError("This platform is not supported");
+}

auth/pubspec.yaml

@@ -1,6 +1,6 @@
 name: ente_auth
 description: ente two-factor authenticator
-version: 3.0.14+314
+version: 3.0.15+315
 publish_to: none
 
 environment:

web/apps/accounts/src/services/passkey.ts

@@ -343,8 +343,18 @@ const authenticatorAttestationResponse = (credential: Credential) => {
  * Return `true` if the given {@link redirectURL} (obtained from the redirect
  * query parameter passed around during the passkey verification flow) is one of
  * the whitelisted URLs that we allow redirecting to on success.
+ *
+ * This check is likely not necessary but we've only kept it just to be on the
+ * safer side. However, this gets in the way of people who are self hosting
+ * Ente. So only do this check if we're running on our production servers (or
+ * localhost).
  */
 export const isWhitelistedRedirect = (redirectURL: URL) =>
+    shouldRestrictToWhitelistedRedirect()
+        ? _isWhitelistedRedirect(redirectURL)
+        : true;
+
+const _isWhitelistedRedirect = (redirectURL: URL) =>
     (isDevBuild && redirectURL.hostname.endsWith("localhost")) ||
     redirectURL.host.endsWith(".ente.io") ||
     redirectURL.host.endsWith(".ente.sh") ||
@@ -352,6 +362,16 @@ export const isWhitelistedRedirect = (redirectURL: URL) =>
     redirectURL.protocol == "enteauth:" ||
     redirectURL.protocol == "ente-cli:";
 
+export const shouldRestrictToWhitelistedRedirect = () => {
+    // host includes port, hostname is sans port
+    const hostname = new URL(window.location.origin).hostname;
+    return (
+        hostname.endsWith("localhost") ||
+        hostname.endsWith(".ente.io") ||
+        hostname.endsWith(".ente.sh")
+    );
+};
+
 export interface BeginPasskeyAuthenticationResponse {
     /**
      * An identifier for this authentication ceremony / session.