
Feature/create security cookie #2


Merged (4 commits, May 27, 2023)
Conversation

simonhamp (Member):
Adds a route for the security cookie to be created by the runtime

mpociot (Member) commented May 19, 2023:

Why do we need such a cookie? 🤔

simonhamp (Member, Author):

It means the local PHP server application can't be accessed directly by another browser, only by the environment

This will prevent a whole slew of attack vectors where, for example, a public webpage could embed some request/iframe to exploit behaviour on the user's machine or exfiltrate private data.

Consider a public webpage crafted to direct a user to GET http://localhost:3000/api/clipboard: now the user's clipboard has been accessed without any explicit permission.

(Equally applies to any unsecured endpoint served by PHP or Electron/Rust - I'm still working on securing the Rust server)

So far, I haven't found a way to let Tauri set custom headers for the webview, so it's an alternative way of doing that

So for the Tauri implementation right now, the first request when booting the app is to /_native/api/cookie?secret={randomly-generated-secret} where {randomly-generated-secret} is a UUID4 generated in Rust that is passed to the PHP application as an env value at boot up of the PHP web server

In that way it's like a rotating pre-shared key that we can use to make sure both sides of the app only talk to each other

This is client->server, but equally something like this should apply PHP<->Rust/Electron (tho we can just use the header there)
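One way to model the handshake simonhamp describes, as an added example in plain PHP rather than code from this PR or from NativePHP itself; the env var name NATIVEPHP_SECRET, the cookie name and the dispatch stub are assumptions:

```php
<?php
// Added example, not NativePHP's own code: a plain-PHP model of the
// security-cookie handshake described above. The env var name, cookie
// name and the dispatch placeholder are assumptions for illustration.
const SECRET_ENV  = 'NATIVEPHP_SECRET'; // assumed: set by the runtime at boot
const COOKIE_NAME = '_native_secret';   // assumed cookie name

/** The UUID4 the runtime generated at boot and passed to PHP via env. */
function bootSecret(): string
{
    $secret = getenv(SECRET_ENV);
    if ($secret === false || $secret === '') {
        http_response_code(500); // refuse to serve without a secret
        exit('security secret not configured');
    }
    return $secret;
}

/** GET /_native/api/cookie?secret=... : only a caller that knows the boot secret gets the cookie. */
function handleCookieRoute(array $query): void
{
    if (!hash_equals(bootSecret(), (string) ($query['secret'] ?? ''))) {
        http_response_code(403);
        exit('forbidden');
    }
    setcookie(COOKIE_NAME, bootSecret(), [
        'path'     => '/',
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Strict', // not sent on cross-site requests or iframes
    ]);
    http_response_code(204);
}

/** Every other request: reject unless the cookie carries the boot secret. */
function requireSecurityCookie(array $cookies): void
{
    if (!hash_equals(bootSecret(), (string) ($cookies[COOKIE_NAME] ?? ''))) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Front controller: the cookie route is the only endpoint reachable without the cookie.
if (parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) === '/_native/api/cookie') {
    handleCookieRoute($_GET);
} else {
    requireSecurityCookie($_COOKIE);
    // ... dispatch the real request here (assumed)
}
```

Run it as the front controller of the local PHP server so no route is reachable before the cookie check. The secret travels once in the query string of the bootstrap request, so that request should be kept out of any access log the app ships or retains.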

@simonhamp simonhamp merged commit e55a31d into main May 27, 2023
@simonhamp simonhamp deleted the feature/create-security-cookie branch May 27, 2023 21:17