authorPierre Ossman <ossman@cendio.se>2022-08-18 15:01:52 +0200
committerPierre Ossman <ossman@cendio.se>2022-08-18 16:26:27 +0200
commit795494ade1bab6a14fd45e02dbaba52301df65f1 (patch)
tree18c83e04857cb64e88046ca573cee96c6a9e69c1
parente1174e813b617062c77491c01130c38b45f15311 (diff)
downloadnovnc-795494ade1bab6a14fd45e02dbaba52301df65f1.tar.gz
Prefer security types in the server's order
This is how TigerVNC has been behaving for years and has worked well there, so let's follow them.
-rw-r--r--core/rfb.js42
-rw-r--r--tests/test.rfb.js14
2 files changed, 29 insertions, 27 deletions
diff --git a/core/rfb.js b/core/rfb.js
index 2d7e77f..b10b502 100644
--- a/core/rfb.js
+++ b/core/rfb.js
@@ -1354,6 +1354,21 @@ export default class RFB extends EventTargetMixin {
this._rfbInitState = 'Security';
}
+ _isSupportedSecurityType(type) {
+ const clientTypes = [
+ securityTypeNone,
+ securityTypeVNCAuth,
+ securityTypeRA2ne,
+ securityTypeTight,
+ securityTypeVeNCrypt,
+ securityTypeXVP,
+ securityTypeARD,
+ securityTypePlain,
+ ];
+
+ return clientTypes.includes(type);
+ }
+
_negotiateSecurity() {
if (this._rfbVersion >= 3.7) {
// Server sends supported list, client decides
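Review bot: `_isSupportedSecurityType` has no comment saying that the order of `clientTypes` no longer expresses a preference, which a reader coming from the old ordered if/else chain will assume. I would add `// Membership only; the selection order comes from the server's list` above the array, and the context comment `// Server sends supported list, client decides` at the end of this hunk now understates the server's role. The array is also rebuilt on every call, so a module-level constant would be tidier. `_negotiateSecurity` continues outside the hunk.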
@@ -1370,22 +1385,17 @@ export default class RFB extends EventTargetMixin {
const types = this._sock.rQshiftBytes(numTypes);
Log.Debug("Server security types: " + types);
- // Look for each auth in preferred order
- if (types.includes(securityTypeNone)) {
- this._rfbAuthScheme = securityTypeNone;
- } else if (types.includes(securityTypeXVP)) {
- this._rfbAuthScheme = securityTypeXVP;
- } else if (types.includes(securityTypeTight)) {
- this._rfbAuthScheme = securityTypeTight;
- } else if (types.includes(securityTypeRA2ne)) {
- this._rfbAuthScheme = securityTypeRA2ne;
- } else if (types.includes(securityTypeVNCAuth)) {
- this._rfbAuthScheme = securityTypeVNCAuth;
- } else if (types.includes(securityTypeARD)) {
- this._rfbAuthScheme = securityTypeARD;
- } else if (types.includes(securityTypeVeNCrypt)) {
- this._rfbAuthScheme = securityTypeVeNCrypt;
- } else {
+ // Look for a matching security type in the order that the
+ // server prefers
+ this._rfbAuthScheme = -1;
+ for (let type of types) {
+ if (this._isSupportedSecurityType(type)) {
+ this._rfbAuthScheme = type;
+ break;
+ }
+ }
+
+ if (this._rfbAuthScheme === -1) {
return this._fail("Unsupported security types (types: " + types + ")");
}
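Review bot: The loop at `for (let type of types)` takes the first supported entry from a list the server sends before any authentication, so nothing on the client stops `securityTypeNone` or `securityTypeVNCAuth` from being selected when a stronger type is also offered. The removed chain had the same weakness (it put `securityTypeNone` first), but the choice now rests entirely on the peer, and presumably on the WebSocket transport being protected against modification. I would say so in the comment, e.g. `// The list is unauthenticated: the selected type is only as trustworthy as the transport`, and consider a client-side option naming the acceptable types. As a style point, `let type` can be `const type`. The function body starts and ends outside the hunk.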
diff --git a/tests/test.rfb.js b/tests/test.rfb.js
index e7d6040..0e46ff4 100644
--- a/tests/test.rfb.js
+++ b/tests/test.rfb.js
@@ -1135,18 +1135,10 @@ describe('Remote Frame Buffer Protocol Client', function () {
client._sock._websocket._getSentData();
});
- it('should prefer no authentication is possible', function () {
- const authSchemes = [2, 1, 3];
+ it('should respect server preference order', function () {
+ const authSchemes = [ 6, 79, 30, 188, 16, 6, 1 ];
client._sock._websocket._receiveData(new Uint8Array(authSchemes));
- expect(client._rfbAuthScheme).to.equal(1);
- expect(client._sock).to.have.sent(new Uint8Array([1]));
- });
-
- it('should choose for the most prefered scheme possible', function () {
- const authSchemes = [2, 22, 16];
- client._sock._websocket._receiveData(new Uint8Array(authSchemes));
- expect(client._rfbAuthScheme).to.equal(22);
- expect(client._sock).to.have.sent(new Uint8Array([22]));
+ expect(client._sock).to.have.sent(new Uint8Array([30]));
});
it('should fail if there are no supported schemes', function () {
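Review bot: The new test checks only the byte sent and drops the `expect(client._rfbAuthScheme).to.equal(...)` assertion that both removed tests had, so the stored scheme is no longer pinned; `expect(client._rfbAuthScheme).to.equal(30);` would restore it. The leading `6` in `authSchemes` appears to be the type count rather than a security type, which deserves a comment such as `// first byte is the number of types that follow`. No case remains where type 1 (no authentication, per the removed test) is listed ahead of a stronger supported type, which is the selection this change affects most. The `describe` block starts and ends outside the hunk.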