fix(conn): insecure conn, fail-close by default

[fufesou]

Summary by CodeRabbit

• New Features

  • Added an “Allow insecure session fallback” setting across desktop, mobile, and the web UI for eligible non-public server connections.
  • When enabled, insecure session fallback behavior is now explicitly governed by the new option key.
  • Insecure incoming connections are now logged via a new audit event for visibility.

• Bug Fixes

  • Improved secure handshake handling to distinguish valid vs. invalid peer session messages and apply consistent fallback behavior.
  • When fallback is not allowed, handshake failures now fail decisively and send clearer close reasons.

[coderabbitai]

Warning

Review limit reached

@fufesou, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 2 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1fd82caf-11e3-414f-8b87-5cc42c9f39a4

📥 Commits

Reviewing files that changed from the base of the PR and between 60167c9 and 5c10144.

📒 Files selected for processing (59)

• flutter/lib/consts.dart
• flutter/lib/desktop/pages/desktop_setting_page.dart
• flutter/lib/mobile/pages/settings_page.dart
• libs/hbb_common
• src/client.rs
• src/lang/ar.rs
• src/lang/be.rs
• src/lang/bg.rs
• src/lang/ca.rs
• src/lang/cn.rs
• src/lang/cs.rs
• src/lang/da.rs
• src/lang/de.rs
• src/lang/el.rs
• src/lang/en.rs
• src/lang/eo.rs
• src/lang/es.rs
• src/lang/et.rs
• src/lang/eu.rs
• src/lang/fa.rs
• src/lang/fi.rs
• src/lang/fr.rs
• src/lang/ge.rs
• src/lang/gu.rs
• src/lang/he.rs
• src/lang/hi.rs
• src/lang/hr.rs
• src/lang/hu.rs
• src/lang/id.rs
• src/lang/it.rs
• src/lang/ja.rs
• src/lang/ko.rs
• src/lang/kz.rs
• src/lang/lt.rs
• src/lang/lv.rs
• src/lang/ml.rs
• src/lang/nb.rs
• src/lang/nl.rs
• src/lang/pl.rs
• src/lang/pt_PT.rs
• src/lang/ptbr.rs
• src/lang/ro.rs
• src/lang/ru.rs
• src/lang/sc.rs
• src/lang/sk.rs
• src/lang/sl.rs
• src/lang/sq.rs
• src/lang/sr.rs
• src/lang/sv.rs
• src/lang/ta.rs
• src/lang/template.rs
• src/lang/th.rs
• src/lang/tr.rs
• src/lang/tw.rs
• src/lang/uk.rs
• src/lang/vi.rs
• src/server.rs
• src/server/connection.rs
• src/ui/index.tis

Walkthrough

Adds a new allow-insecure-session-fallback option. Rust client and server handshake paths now gate fallback behavior on it, and unsecured connections emit a new audit alarm. Desktop, mobile, and legacy TIS settings UIs gain a toggle for the option.

Changes

Allow Insecure Session Fallback

Layer / File(s)	Summary
Option constant and UI toggles flutter/lib/consts.dart, libs/hbb_common, flutter/lib/desktop/pages/desktop_setting_page.dart, flutter/lib/mobile/pages/settings_page.dart, src/ui/index.tis	Defines kOptionAllowInsecureSessionFallback, updates the hbb_common submodule pointer, and adds the allow-insecure-session-fallback toggle in desktop, mobile, and TIS settings UIs.
Server secure handshake fallback src/server.rs	Reads OPTION_ALLOW_INSECURE_SESSION_FALLBACK, changes peer public-key and missing-key handling based on it, and adds a helper that sends a handshake close reason message.
Client secure handshake fallback src/client.rs	Reads the fallback option and applies it to signed-id validation and handshake-response handling, returning Ok(None) on allowed fallback paths or bailing otherwise.
InsecureConnection audit alarm src/server/connection.rs	Adds AlarmAuditType::InsecureConnection and emits it for unsecured streams in Connection::on_open.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 A toggle bloomed in settings bright,
And handshakes chose to fail orাইট?
The server, client, and alarm all sang,
While fallback hops in a cautious bang.
No cloak of encryption? We note the trace—
Then bunny hops onward with steady grace.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.18% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: insecure connections now fail closed by default, with handshake fallback behavior updated.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/insecure-conn-fail-close

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@flutter/lib/mobile/pages/settings_page.dart`:
- Around line 773-788: The visibility condition for the "Allow insecure session
fallback" SettingsTile in settings_page.dart is too restrictive compared with
the adjacent TLS fallback toggle and the desktop/TIS variants. Update the guard
around this switch so it follows the same “not using public server” logic as the
other insecure-fallback controls, and make sure the tile only uses the shared
network/public-server visibility check rather than also depending on
disabledSettings/_hideNetwork in a way that hides just this one option.

In `@src/client.rs`:
- Around line 780-783: The fallback branch in the client handshake is returning
too early and can leave a queued server SignedId frame for the next read. Update
the logic in the `None` arm of the receive path in `src/client.rs` so it either
drains and stashes the server handshake frame before returning, or otherwise
ensures the `SignedId` sent by `src/server.rs` cannot remain pending when
`secure` is true and `signed_id_pk` is empty. Keep the behavior aligned with the
existing handshake flow around the client connection setup and the server-side
`SignedId` send path.

In `@src/server.rs`:
- Around line 275-278: The handshake parsing path still hard-fails on malformed
peer-key frames even when allow_insecure_fallback is enabled, so update the
handling around Message::parse_from_bytes to mirror the existing
empty/invalid-union fallback behavior. In the server-side handshake flow,
replace the direct bail! cases for malformed frames with the same fallback
branch used elsewhere when allow_insecure_fallback is true, and only return the
hard error when fallback is disabled. Apply this consistently in both affected
handshake checks so the new option behaves uniformly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3c7e296c-60c1-4fa2-8b46-3e1054bbf568

📥 Commits

Reviewing files that changed from the base of the PR and between b3bd188 and 84cbaba.

📒 Files selected for processing (8)

• flutter/lib/consts.dart
• flutter/lib/desktop/pages/desktop_setting_page.dart
• flutter/lib/mobile/pages/settings_page.dart
• libs/hbb_common
• src/client.rs
• src/server.rs
• src/server/connection.rs
• src/ui/index.tis

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/server.rs`:
- Around line 240-250: The handshake logic in the empty-peer-key branch is
clearing key confirmation unconditionally before the allow_insecure_fallback
check. Move Config::set_key_confirmed(false) into the
allow_insecure_fallback=true path in server::handshake handling so rejected
fail-close cases do not mutate state; keep the log::warn! and handshake
close/bail behavior unchanged for the insecure fallback branch.
- Around line 299-305: The close-reason send in send_handshake_close_reason is
not bounded by the handshake timeout, so a stalled peer can block the handshake
task during fail-close handling. Update this helper to perform the stream.send
call under the same CONNECT_TIMEOUT timeout used for the initial handshake path,
and handle the timeout/error consistently via allow_err! or equivalent so the
close-reason send cannot wait indefinitely.

In `@src/server/connection.rs`:
- Around line 1386-1394: The insecure-connection alarm path in `Connection` is
missing `conn_audit_ref`, so update `post_alarm_audit` to attach that field for
`AlarmAuditType::InsecureConnection` as well, not just `IpWhitelist`. Use the
existing connection audit context from the `Connection`/`post_alarm_audit` flow
so controlled-session insecure alarms remain correlatable with the audit record.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c0373d71-bfc4-4a10-a701-7a836a414f19

📥 Commits

Reviewing files that changed from the base of the PR and between 84cbaba and 60167c9.

📒 Files selected for processing (8)

• flutter/lib/consts.dart
• flutter/lib/desktop/pages/desktop_setting_page.dart
• flutter/lib/mobile/pages/settings_page.dart
• libs/hbb_common
• src/client.rs
• src/server.rs
• src/server/connection.rs
• src/ui/index.tis