trust *.cryptomator.cloud

2026-05-14 08:41:28 +00:00 · 2026-03-11 21:38:51 +01:00
parent a95883f98b
commit 57614f59e4
1 changed files with 11 additions and 5 deletions
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostAuthenticityController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostAuthenticityController.java
@@ -21,13 +21,11 @@ import javafx.scene.text.Text;
 import javafx.scene.text.TextFlow;
 import javafx.stage.Stage;
 import java.net.URI;
-import java.util.Arrays;
 import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.concurrent.CompletableFuture;
-import java.util.stream.Collectors;

@KeyLoadingScoped
 public class CheckHostAuthenticityController implements FxController {
@@ -70,14 +68,16 @@ public class CheckHostAuthenticityController implements FxController {
 		if (!isConsistentHubConfig()) {
 			LOG.warn("Inconsistent hub config detected. Denying access to protect the user.");
 			Platform.runLater(this::deny);
+		} else if (isCryptomatorCloud()) {
+			trust(); // trust *.cryptomator.cloud by default, domain is owned by Cryptomator maintainers
 		} else if (containsAllowedHosts(env.hubAllowedHosts())) {
-			trust();
+			trust(); // trust hosts explicitly allowlisted via system property
 		} else if (env.hubTrustOnFirstUse() && containsAllowedHosts(settings.trustedHosts)) {
-			trust();
+			trust(); // trust hosts previously allowlisted by the user
 		} else if (env.hubTrustOnFirstUse()) {
 			hostnames.add(getAuthority(hubConfig.getApiBaseUrl()));
 			hostnames.add(getAuthority(hubConfig.authEndpoint));
-			renderHostnames();
+			renderHostnames(); // ask user whether to trust these hosts
 		} else {
 			LOG.warn("Cryptomator is not allowed to connect to {}. Check your {} config.", getAuthority(hubConfig.getApiBaseUrl()), Environment.HUB_ALLOWED_HOSTS_PROP_NAME);
 			Platform.runLater(this::deny);
@@ -118,6 +118,12 @@ public class CheckHostAuthenticityController implements FxController {
 				&& getAuthority(hubConfig.tokenEndpoint).equals(canonicalAuthHost);
 	}

+	private boolean isCryptomatorCloud() {
+		var canonicalHubHost = hubConfig.getApiBaseUrl().getHost();
+		var canonicalAuthHost = URI.create(hubConfig.authEndpoint).getHost();
+		return canonicalHubHost.endsWith("cryptomator.cloud") && canonicalAuthHost.endsWith("cryptomator.cloud");
+	}
+
 	@VisibleForTesting
 	boolean containsAllowedHosts(Set<String> allowedHubHosts) {
 		var canonicalHubHost = getAuthority(hubConfig.getApiBaseUrl());