Connected Devices/Projects/Project Link/Box-Client networking
Box-Client networking (using Mozilla's hosted app)
Apart from the Box pairing with IoT devices, clients (web pages open on phones and laptops) need to connect with the Box. We call this Client Pairing. There are several ways in which this can work, but for now we're only implementing the first one:
Step 1: The Box generates a self-signed certificate. The fingerprint of that certificate becomes the Box's identifier.
Step 2: The Box is plugged in to an internet router using an ethernet cable. That way it gets access to the internet without the need for selecting an SSID or entering a password.
Step 3: The Box connects to an API (https://github.com/fxbox/dns-server) on knilxof.org to create its public DNS zone under <fingerprint>.knilxof.org, using its self-signed certificate as a client certificate. The API server checks the <fingerprint> from the DNS zone edit request against the fingerprint of the client certificate presented.
Step 4: Now that the Box has a public DNS zone it can control, it can get a LetsEncrypt certificate, using the DNS-01 challenge.
Step 5: The Box sets its main DNS A record to its current *local* IP address which it obtained via DHCP earlier. It will update this A record whenever its local IP address changes.
Step 6: The Box also sets two or more mirror A records to its current local IP address. The idea here being that only one of the records will be cached by caching DNS servers, so switching to the other one at the right time will avoid downtime due to DNS propagation delays. This still has to be worked out in more detail, and tested in practice with the caching DNS servers of real ISPs.
Step 7: The Box starts up a Pagekite client, which connects to a Pagekite frontend, and adds the IP address of the public interface of the Pagekite frontend into its DNS zone.
Step 8: The Box announces all its URLs (local/main, mirrors, tunneled) on the registration server (see https://github.com/fxbox/registration_server).
Step 9: The user opens the app with their browser.
Step 10: The app makes a cross-origin request to the registration server to discover which Boxes are on a network with the same outgoing IP address.
Step 11: If exactly one Box is discovered, the user can click "Connect" and gets redirected to the Box's setup/login page. Once the admin user is created, or the password is entered correctly, the user is redirected back to the app. See also Login Flow (early draft) mockup about this last step.
In the future, we hope FlyWeb can replace the roles of the registration_server and the dns-server. This means you will no longer be sending any data to Mozilla's servers (except for the fact that you're accessing the static web app).
Until then, for a serverless alternative, see Michiel's serverless Link client (under development). It discovers the Box via mDNS and trusts its TLS cert on first use. Downside is that it requires Cordova.