Add VNC token-based authentication using websockify TokenFile plugin #1160
Description
This PR implements secure token-based authentication for VNC/noVNC access to address the security vulnerability identified in #972. The implementation follows the same pattern as VSCode's token-based authentication.
Changes Made
1. Token Generation and Management
• connection_token attribute to DesktopService
• session_api_keys or auto-generated (64-char hex)
• ~/.vnc/websockify-tokens.conf with proper file permissions (0o600)
2. WebSocket Authentication
• TokenFile plugin
• <token>: 127.0.0.1:5901\n
3. URL Generation with Token
• get_vnc_url() to include token in URL parameters
• <base>/vnc.html?path=<host>/websockify&token=<token>&autoconnect=1&resize=remote
4. Integration with Config
• get_desktop_service() to pass token from session_api_keys
5. Comprehensive Testing
Security Considerations
• -SecurityTypes None: Since VNC only listens on localhost, authentication is enforced by websockify at the proxy layer
Testing
All existing tests pass plus new authentication tests:
uv run pytest tests/agent_server/test_desktop_service.py -xvs
# 33 passed, 2 warnings in 0.09s
Pre-commit hooks all pass:
Related Issues
Fixes #972
Co-authored-by: openhands [email protected]
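The token-file handling outlined in the description, sketched as an added example that is not the PR's own code: it generates a 64-character hex token, writes the "<token>: 127.0.0.1:5901" line with mode 0o600, and audits an existing file. The function names and the audit rules are assumptions made for illustration.

```python
import os
import secrets
import stat
import string

VNC_TARGET = "127.0.0.1:5901"  # target named in the PR description


def new_token() -> str:
    """64 hex characters (32 random bytes), the token length the PR states."""
    return secrets.token_hex(32)


def write_token_file(path: str, token: str, target: str = VNC_TARGET) -> None:
    """Write one '<token>: <target>' line; the file is never wider than 0o600."""
    tmp = f"{path}.{secrets.token_hex(4)}.tmp"
    # Created 0o600 from the start; O_EXCL refuses a pre-planted file or symlink.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # exact mode regardless of umask
        fh.write(f"{token}: {target}\n")
    os.replace(tmp, path)  # atomic swap: readers never see a partial file


def audit_token_file(path: str) -> list[str]:
    """Return findings for a token file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} lets group/other access the file")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            if not line.strip() or line.startswith("#"):
                continue
            token, sep, target = line.strip().partition(": ")
            if not sep:
                findings.append(f"line {n}: not in '<token>: <host>:<port>' form")
                continue
            if len(token) < 64 or set(token) - set(string.hexdigits):
                findings.append(f"line {n}: token is not 64+ hex characters")
            if target.rsplit(":", 1)[0] not in ("127.0.0.1", "localhost"):
                findings.append(f"line {n}: target {target} is not loopback")
    return findings
```

Because -SecurityTypes None leaves the VNC server itself unauthenticated, the audit treats a non-loopback target as a finding alongside weak tokens and loose file modes.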
Agent Server images for this PR
• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server
Variants & Base Images
• eclipse-temurin:17-jdk
• nikolaik/python-nodejs:python3.12-nodejs22
• golang:1.21-bookworm
Pull (multi-arch manifest)
# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:bccd57f-python
Run
All tags pushed for this build
About Multi-Architecture Support
• bccd57f-python) is a multi-arch manifest supporting both amd64 and arm64
• bccd57f-python-amd64) are also available if needed