Remove SSL cert for localhost

This commit removes SSL certification creation and usage when running
webviz. The onus is on the process that connects to the internet to
handle HTTPS, eg. Azure's firewall.

Author: pinkwah

.github/workflows/webviz-config.yml

@@ -68,7 +68,6 @@ jobs:
 
       - name: 🤖 Run tests
         run: |
-          webviz certificate
           webviz preferences --theme default
           pytest ./tests --headless --forked
           webviz docs --portable ./docs_build --skip-open

CHANGELOG.md

@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.2.7] - 2021-01-14
 
+### Changed
+- [#374](https://github.com/equinor/webviz-config/pull/374) - Removed Webviz
+  SSL certificate generation and forcing of HTTPS connections.
+
 ### Changed
 - [#368](https://github.com/equinor/webviz-config/pull/368) - Made Webviz global
 settings available to plugin implementations through special `webviz_settings` 

INTRODUCTION.md

@@ -82,14 +82,32 @@ webviz build ./examples/basic_example.yaml
 and then modify `./examples/basic_example.yaml` while the Webviz application is
 still running, a hot reload will occur.
 
-#### Localhost certificate
+#### Localhost HSTS
 
-For quick local analysis, `webviz-config` uses `https` and runs on `localhost`.
-In order to create your personal :lock: `https` certificate (only valid for `localhost`), run
-```bash
-webviz certificate --auto-install
-```
-Certificate installation guidelines will be given when running the command.
+Previous versions of webviz generated a local certificate to force localhost
+connections to go through HTTPS. This is no longer the case and localhost
+connections use HTTP. As such, the `webviz certificate` command has been
+deprecated.
+
+Some browsers will force HTTPS and require extra steps to remove this security.
+Note that this is safe as no external computer may connect to a localhost
+server.
+
+If you're having issues connecting to a localhost server running Webviz due to
+security issues, perform the following steps:
+
+##### Google Chrome and Chromium
+
+These are the steps to remove HSTS, a security feature that forces HTTPS
+connections even though the user has specified HTTP:
+
+1. Navigate to chrome://net-internals/#hsts
+2. In the **Delete domain security policies**, type in "localhost" and click
+   delete
+
+##### Firefox
+
+Firefox does not have issues connecting to localhost addresses over HTTP.
 
 #### User preferences
 

tests/test_portable.py

@@ -9,15 +9,6 @@ def test_portable(dash_duo, tmp_path):
         ["webviz", "build", "basic_example.yaml", "--portable", appdir], cwd="examples"
     )
 
-    # Remove Talisman
-    filename = appdir / "webviz_app.py"
-    with open(filename, "r") as filehandle:
-        lines = filehandle.readlines()
-    with open(filename, "w") as filehandle:
-        for line in lines:
-            if not line.strip("\n").startswith("Talisman"):
-                filehandle.write(line)
-
     # Import generated app
     sys.path.append(str(appdir))
     from webviz_app import app  # pylint: disable=import-error, import-outside-toplevel

webviz_config/_docs/open_docs.py

@@ -30,7 +30,6 @@ def _index() -> str:
         host="localhost",
         port=port,
         debug=False,
-        ssl_context=webviz_config.certificate.LocalhostCertificate().ssl_context,
     )
 
 

webviz_config/_localhost_token.py

@@ -7,14 +7,13 @@
 
 
 class LocalhostToken:
-    """Uses a method similar to jupyter notebook (however, here we do it over
-    https in addition). This method is only used during interactive usage on
-    localhost, and the workflow is as follows:
+    """Uses a method similar to jupyter notebook. This method is only used during
+    interactive usage on localhost, and the workflow is as follows:
 
     - During the flask app building, a one-time-token (ott) and a cookie_token
       is generated.
     - When the app is ready, the user needs to "login" using this
-      one-time-token in the url (https://localhost:{port}?ott={token})
+      one-time-token in the url (http://localhost:{port}?ott={token})
     - If ott is valid - a cookie with a separate token is set, and the
       one-time-token is discarded. The cookie is then used for subsequent
       requests.