Problem with shared secret

Hello i created a floating webview which loads my open github pull request and renders them as buttons. If i click on them it wants to open a new tab / window with the Pull request url. in dev mode everything works. After I deploy the version for the floating webview I get everytime the message enter shared key from BTT. I tried it without and with.. doesn't matter i always receive.

Somebody else has the same Problem?

My Keychain looks for me good

Does the "BTTHTMLScriptingSharedSecret" match the one you are using in the floating web view?
Could you post an example on how you use it?

Good point ... there was a crazy hash inside...no idea from where... i changed it to my secret and it works now!! Thx!

but really curious about where i set this password in the ui? I just know the places in webserver and general.

He asks for the secret everytime now but the key is in the invoke url. Do I have to make some other setup somewhere?

"http://127.0.0.1:3334/trigger_action/?json={"BTTPredefinedActionType"%3A206%2C"BTTEnabled2"%3A1%2C"BTTEnabled"%3A1%2C"BTTShellTaskActionScript"%3A"require('child_process').exec('open%20https%3A%2F%2Fgithub.com%2Fmyporsche%2Fmyportal%2Fpull%2F538')%3B"%2C"BTTShellTaskActionConfig"%3A"%2FUsers%2Fmtschimev%2F.nvm%2Fversions%2Fnode%2Fv10.8.0%2Fbin%2Fnode%3A%3A%3A-e%3A%3A%3Abtt-generated-script"}&shared_key=shared"

For the floating web view it can be set here:

However it only applies to externally loaded HTML. If you use a local HTML, or enter the HTML as text it should work without the secret. This is to prevent malicious websites that trick users to add them to BTT from executing code, thus there is a default value set for this.

He asks for the secret everytime now but the key is in the invoke url. Do I have to make some other setup somewhere?

"http://127.0.0.1:3334/trigger_action/?json={"BTTPredefinedActionType"%3A206%2C"BTTEnabled2"%3A1%2C"BTTEnabled"%3A1%2C"BTTShellTaskActionScript"%3A"require('child_process').exec('open%20https%3A%2F%2Fgithub.com%2Fmyporsche%2Fmyportal%2Fpull%2F538')%3B"%2C"BTTShellTaskActionConfig"%3A"%2FUsers%2Fmtschimev%2F.nvm%2Fversions%2Fnode%2Fv10.8.0%2Fbin%2Fnode%3A%3A%3A-e%3A%3A%3Abtt-generated-script"}&shared_key=shared"

Does the system ask or BTT? There should be a "always allow" button if the question is coming from the system.

No it's coming from BTT

I think the problem is that the shared_secred is not added as query param.

I am using this library https://worie.github.io/btt/api/
I thought it is enough to set the sharedKey in the config but this property is added as shared_key query param. I think this is the reason why i get asked every time

Solved it in another way:

const url = this.btt.executeScript(`require('child_process').exec('open ${url}');`)
    .url + `&shared_secret=${this.sharedSecret}`

But would be cool if the shared secret can be configured in the configuration of the library too. Because than I can use the invoke() function

Ahh sorry I think I see the issue now, sorry I missed that.
In case you use the integrated HTTP server with the floating webview, you need to use the webserver shared secret which is defined in the webserver section:

However you do not really need to use the webserver when running code from the floating webview, because the webview allows to trigger functions without the webserver:
https://docs.bettertouchtool.net/docs/floating_html_menu.html

@Worie does your library automatically detect when it's used in the BTT floating HTML view? Does it then use the window.BTT object to trigger the actions or will it use the webserver by default? :slight_smile:

I am using this library https://worie.github.io/btt/api/ and i think it just supports the web server or has it an auto detection?

Support for that has recently been added and I think it's using auto-detection. But I haven't gotten around to use it yet (I want to make it the default in the web view soon): https://github.com/Worie/btt/commit/041f3c0caf55ce18a4fb82d4a0b4ecaa9115dfbc

I have just updated the message BTT shows to make clear which shared_secret it wants. Will be included in the next version.

Cool! I am trying to understand what was build in for the autodetection :wink: do you have slack or something like this?

No sorry. But this is the function that does the autodetection by checking whether the BTT object exists (which only exists inside the Floating HTML View): https://github.com/Worie/btt/commit/041f3c0caf55ce18a4fb82d4a0b4ecaa9115dfbc#diff-7032e376d11cb381a86524e9eee458c9R40

I think support for shared_secret when using the floating webview has not yet been added to the library, but it should only be a small change that's necessary.

Ok i found the problem! Yes it autodetects it but i see multiple problems which should be solved in my opinion.

  1. The config should provide the possibility to set the sharedSecret too
  2. If I am in the floating webview and i am calling the url of a trigger i should receive the frontendannotation and not the backend annotation

I just made a breakpoint at the place where the handler gets called and added do the payload the 'shared_secret' and it worked :slight_smile:

1 Like

Yes, it should be detected without the need of passing shared_key at all. Though I'll read through this thread later when I got home.

@tfiwm I have seen that you've created a pull request. I'll see what changes you applied and respond on GH, thanks for your time!

@Worie Do you remember that discussion about a shared_secret for remotly loaded HTML? That's what this is about :slight_smile:. I think I may have forgotten to tell you that this has been added right after we talked about it.
Thanks for looking into it!

1 Like

Yes but the formating is a mess :frowning:. There is no tslint config so the IDE is formating like it wants :slight_smile:

We should add a tslint to have the right formatting for everyone who wants to contribute

Prettier + TSLint :heart_eyes:

1 Like