iobroker.hassemu 1.2.0 → 1.3.0

package/README.md

@@ -36,16 +36,16 @@ ioBroker adapter that emulates a [Home Assistant](https://www.home-assistant.io)
 - **Node.js >= 20**
 - **ioBroker js-controller >= 7.0.7**
 - **ioBroker Admin >= 7.7.22**
-- **ioBroker web >= 8.0.0** — required for the VIS/Admin URL discovery that fills the mode-dropdown
+- **ioBroker web >= 8.0.0**
 
 ---
 
 ## Ports
 
-| Port | Protocol | Purpose                                      | Configurable |
-| ---- | -------- | -------------------------------------------- | ------------ |
-| 8123 | TCP/HTTP | Home Assistant emulation (HA standard port)  | No — fixed   |
-| 5353 | UDP      | mDNS service broadcast (only if mDNS enabled)| No           |
+| Port | Protocol | Purpose                                       | Configurable |
+| ---- | -------- | --------------------------------------------- | ------------ |
+| 8123 | TCP/HTTP | Home Assistant emulation (HA standard port)   | No — fixed   |
+| 5353 | UDP      | mDNS service broadcast (only if mDNS enabled) | No           |
 
 ---
 
@@ -53,15 +53,13 @@ ioBroker adapter that emulates a [Home Assistant](https://www.home-assistant.io)
 
 The Admin UI configures the server. Redirect URLs are set via the state tree (see below).
 
-| Option | Description | Default |
-|--------|-------------|---------|
-| **Bind to Interface** | Network interface to listen on | 0.0.0.0 (all) |
-| **Service Name** | Name broadcast via mDNS, shown as the server name on the display | `ioBroker` |
-| **mDNS Enabled** | Broadcast `_home-assistant._tcp` on the LAN | `true` |
-| **Auth Required** | Check credentials the display sends during login | `false` |
-| **Username / Password** | Used when *Auth Required* is on (password encrypted at rest) | `admin` / — |
-
-> URLs you set must be reachable from the display — use the LAN IP of the ioBroker host, not `localhost`.
+| Option                  | Description                                                      | Default       |
+| ----------------------- | ---------------------------------------------------------------- | ------------- |
+| **Bind to Interface**   | Network interface to listen on                                   | 0.0.0.0 (all) |
+| **Service Name**        | Name broadcast via mDNS, shown as the server name on the display | `ioBroker`    |
+| **mDNS Enabled**        | Broadcast `_home-assistant._tcp` on the LAN                      | `true`        |
+| **Auth Required**       | Check credentials the display sends during login                 | `false`       |
+| **Username / Password** | Used when _Auth Required_ is on (password encrypted at rest)     | `admin` / —   |
 
 ---
 
@@ -86,11 +84,11 @@ hassemu.0.
 
 The adapter reads `clients.<id>.mode` on every visit:
 
-| `mode` value | redirect target |
-|--------------|----------------|
-| `global` | `global.mode` / `global.manualUrl` (same rules, one level up) |
-| `manual` | `clients.<id>.manualUrl` |
-| a URL | that URL |
+| `mode` value    | redirect target                                                |
+| --------------- | -------------------------------------------------------------- |
+| `global`        | `global.mode` / `global.manualUrl` (same rules, one level up)  |
+| `manual`        | `clients.<id>.manualUrl`                                       |
+| a URL           | that URL                                                       |
 | empty / unknown | landing page (small HTML with device ID, refreshes every 15 s) |
 
 ### Master switch
@@ -107,12 +105,12 @@ The adapter broadcasts `_home-assistant._tcp` via mDNS. If the display does not
 
 1. Check the adapter log for `mDNS: Broadcasting`.
 2. Verify the service is visible from another host:
-   ```bash
-   # macOS
-   dns-sd -B _home-assistant._tcp
-   # Linux (with avahi-utils)
-   avahi-browse _home-assistant._tcp -r -t
-   ```
+    ```bash
+    # macOS
+    dns-sd -B _home-assistant._tcp
+    # Linux (with avahi-utils)
+    avahi-browse _home-assistant._tcp -r -t
+    ```
 3. Make sure UDP 5353 is not blocked by a firewall.
 4. If mDNS is not usable on your LAN, set the URL manually on the display: `http://<ioBroker-IP>:8123`.
 
@@ -149,23 +147,33 @@ Reverse DNS on a home LAN depends on your router/DHCP server and often fails. Th
 ---
 
 ## Changelog
+### 1.3.0 (2026-04-30)
+
+- Security: brute-force lockout on `/auth/login_flow/:flowId` — after 5 failed credential attempts an IP is rejected with HTTP 429 for 15 min. Successful login resets the counter.
+- DRY refactor: shared `parseManualUrlWrite` helper between client + global config; FIFO-cap helper in WebServer; OAuth access-token TTL + lockout window/threshold are now named constants instead of magic numbers.
+- Dead-code cleanup: `resolveBindToReachable`, `coerceUuid` strict-V4 parameter, `DEFAULT_REFRESH_DEBOUNCE_MS` export, internal `getMode`/`getManualUrl` test affordances — all removed; tests rewritten to assert observable behaviour.
+- New `landing-page` test suite with XSS-escape coverage and 11-language fallback verification.
+- Emulated Home Assistant version bumped from 2026.3.1 to 2026.4.0.
+
 ### 1.2.0 (2026-04-29)
 
-- (krobi) Redirect target now configured via `mode` (dropdown) + `manualUrl` (free text) instead of the old `visUrl`. Migration runs automatically.
-- (krobi) Master switch `global.enabled` bulk-syncs every display: on → all follow the global URL, off → each display picks up its own again.
-- (krobi) Idle displays without auth token are auto-removed after 30 days.
-- (krobi) Security hardening of the auth flow.
-- (krobi) `web` adapter declared as dependency — needed for the URL dropdown.
+- Redirect target now configured via `mode` (dropdown) + `manualUrl` (free text) instead of the old `visUrl`. Migration runs automatically.
+- Master switch `global.enabled` syncs every display: on → all follow the global URL, off → each display picks up its own again.
+- Idle displays without auth token are auto-removed after 30 days.
+- Security hardening of the auth flow.
+- `web` adapter declared as dependency.
 
 ### 1.1.6 (2026-04-28)
+
 - Audit cleanup against the upstream `ioBroker.example/TypeScript` full standard:
-  - Test setup migrated: tests now live next to source as `src/lib/*.test.ts` and run directly via `ts-node/register`. Removed `tsconfig.test.json` + `build-test/`, added `test/mocharc.custom.json` + `test/mocha.setup.js` + `test/tsconfig.json` + `test/.eslintrc.json`
-  - `@types/node` rolled back from `^25.6.0` to `^20.19.24` so type defs match `engines.node: ">=20"`
-  - Dependabot now ignores major bumps for `@types/node`, `typescript`, `eslint`, `actions/checkout`, `actions/setup-node`
-  - `nyc` config + `coverage` script added
-  - Orphan `.github/auto-merge.yml` removed (active workflow is `automerge-dependabot.yml` using `gh pr merge`)
+    - Test setup migrated: tests now live next to source as `src/lib/*.test.ts` and run directly via `ts-node/register`. Removed `tsconfig.test.json` + `build-test/`, added `test/mocharc.custom.json` + `test/mocha.setup.js` + `test/tsconfig.json` + `test/.eslintrc.json`
+    - `@types/node` rolled back from `^25.6.0` to `^20.19.24` so type defs match `engines.node: ">=20"`
+    - Dependabot now ignores major bumps for `@types/node`, `typescript`, `eslint`, `actions/checkout`, `actions/setup-node`
+    - `nyc` config + `coverage` script added
+    - Orphan `.github/auto-merge.yml` removed (active workflow is `automerge-dependabot.yml` using `gh pr merge`)
 
 ### 1.1.5 (2026-04-26)
+
 - Process-level `unhandledRejection` / `uncaughtException` handlers added as last-line-of-defence against fire-and-forget rejections.
 - Stop shipping the `manual-review` release-script plugin — adapter-only consequence.
 - Audit-driven boilerplate sync with the other krobi adapters (`.vscode` json5 schemas, `tsconfig.test` looser test rules).
@@ -173,13 +181,10 @@ Reverse DNS on a home LAN depends on your router/DHCP server and often fails. Th
 - `@types/iobroker` bumped to `^7.1.1`.
 
 ### 1.1.4 (2026-04-23)
-- Separate test-build output (`build-test/`) from production `build/` — `npm test` no longer risks leaving duplicated `build/src` + `build/test` trees in the published package. No runtime change.
 
-### 1.1.3 (2026-04-19)
+- Separate test-build output (`build-test/`) from production `build/` — `npm test` no longer risks leaving duplicated `build/src` + `build/test` trees in the published package. No runtime change.
 
-- **Fix duplicate client registration on first connect** — HA displays fire several parallel cookieless requests (`GET /`, `GET /api/`, `POST /auth/login_flow`) within milliseconds of each other. Each used to create a separate client record, leaving orphans behind. The registry now locks per IP while the first client is being created, so parallel burst requests from the same display attach to the same client and cookie.
-- **Setup page redesigned** — big green OK banner so "everything's connected" is visible at a glance, responsive layout with dark-mode support, IP shown alongside the device ID, clearer step-by-step instructions.
-- **Setup page localized into all 11 adapter languages** — automatically picks the ioBroker system language (set in Admin → Main Settings), falls back to English for unknown languages.
+Older entries are in [CHANGELOG_OLD.md](CHANGELOG_OLD.md).
 
 ## Support
 

package/admin/jsonConfig.json

@@ -1,161 +1,161 @@
 {
-	"i18n": true,
-	"type": "panel",
-	"items": {
-		"_headerServer": {
-			"type": "header",
-			"text": "header_server",
-			"size": 4
-		},
-		"bindAddress": {
-			"type": "ip",
-			"label": "bindAddress",
-			"tooltip": "bindAddressTooltip",
-			"listenOnAllPorts": true,
-			"onlyIp4": true,
-			"noInternal": false,
-			"xs": 12,
-			"sm": 6,
-			"md": 4,
-			"lg": 4,
-			"xl": 4
-		},
-		"serviceName": {
-			"type": "text",
-			"label": "serviceName",
-			"tooltip": "serviceNameTooltip",
-			"default": "ioBroker",
-			"xs": 12,
-			"sm": 6,
-			"md": 4,
-			"lg": 4,
-			"xl": 4
-		},
-		"_redirectInfo": {
-			"type": "staticText",
-			"text": "redirectInfo",
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12
-		},
-		"_headerMdns": {
-			"type": "header",
-			"text": "header_mdns",
-			"size": 4
-		},
-		"mdnsEnabled": {
-			"type": "checkbox",
-			"label": "mdnsEnabled",
-			"tooltip": "mdnsEnabledTooltip",
-			"default": true,
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12
-		},
-		"_mdnsInfo": {
-			"type": "staticText",
-			"text": "mdnsInfo",
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12
-		},
-		"_headerAuth": {
-			"type": "header",
-			"text": "header_auth",
-			"size": 4
-		},
-		"authRequired": {
-			"type": "checkbox",
-			"label": "authRequired",
-			"tooltip": "authRequiredTooltip",
-			"default": false,
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12
-		},
-		"username": {
-			"type": "text",
-			"label": "username",
-			"default": "admin",
-			"hidden": "!data.authRequired",
-			"xs": 12,
-			"sm": 6,
-			"md": 6,
-			"lg": 6,
-			"xl": 6
-		},
-		"password": {
-			"type": "password",
-			"label": "password",
-			"visible": true,
-			"hidden": "!data.authRequired",
-			"xs": 12,
-			"sm": 6,
-			"md": 6,
-			"lg": 6,
-			"xl": 6
-		},
-		"_authInfo": {
-			"type": "staticText",
-			"text": "authInfo",
-			"hidden": "data.authRequired",
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12
-		},
-		"_supportHeader": {
-			"type": "header",
-			"text": "supportHeader",
-			"size": 5
-		},
-		"_aboutInfo": {
-			"type": "staticText",
-			"text": "aboutInfo",
-			"xs": 12,
-			"sm": 12,
-			"md": 12,
-			"lg": 12,
-			"xl": 12,
-			"style": {
-				"fontSize": 14,
-				"marginBottom": 16
-			}
-		},
-		"_kofiLink": {
-			"type": "staticLink",
-			"href": "https://ko-fi.com/krobipd",
-			"label": "donateKofi",
-			"button": true,
-			"variant": "outlined",
-			"color": "primary",
-			"xs": 12,
-			"sm": 6,
-			"md": 4,
-			"lg": 4,
-			"xl": 4
-		},
-		"_paypalLink": {
-			"type": "staticLink",
-			"href": "https://paypal.me/krobipd",
-			"label": "donatePaypal",
-			"button": true,
-			"variant": "outlined",
-			"color": "primary",
-			"xs": 12,
-			"sm": 6,
-			"md": 4,
-			"lg": 4,
-			"xl": 4
-		}
-	}
+    "i18n": true,
+    "type": "panel",
+    "items": {
+        "_headerServer": {
+            "type": "header",
+            "text": "header_server",
+            "size": 4
+        },
+        "bindAddress": {
+            "type": "ip",
+            "label": "bindAddress",
+            "tooltip": "bindAddressTooltip",
+            "listenOnAllPorts": true,
+            "onlyIp4": true,
+            "noInternal": false,
+            "xs": 12,
+            "sm": 6,
+            "md": 4,
+            "lg": 4,
+            "xl": 4
+        },
+        "serviceName": {
+            "type": "text",
+            "label": "serviceName",
+            "tooltip": "serviceNameTooltip",
+            "default": "ioBroker",
+            "xs": 12,
+            "sm": 6,
+            "md": 4,
+            "lg": 4,
+            "xl": 4
+        },
+        "_redirectInfo": {
+            "type": "staticText",
+            "text": "redirectInfo",
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12
+        },
+        "_headerMdns": {
+            "type": "header",
+            "text": "header_mdns",
+            "size": 4
+        },
+        "mdnsEnabled": {
+            "type": "checkbox",
+            "label": "mdnsEnabled",
+            "tooltip": "mdnsEnabledTooltip",
+            "default": true,
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12
+        },
+        "_mdnsInfo": {
+            "type": "staticText",
+            "text": "mdnsInfo",
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12
+        },
+        "_headerAuth": {
+            "type": "header",
+            "text": "header_auth",
+            "size": 4
+        },
+        "authRequired": {
+            "type": "checkbox",
+            "label": "authRequired",
+            "tooltip": "authRequiredTooltip",
+            "default": false,
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12
+        },
+        "username": {
+            "type": "text",
+            "label": "username",
+            "default": "admin",
+            "hidden": "!data.authRequired",
+            "xs": 12,
+            "sm": 6,
+            "md": 6,
+            "lg": 6,
+            "xl": 6
+        },
+        "password": {
+            "type": "password",
+            "label": "password",
+            "visible": true,
+            "hidden": "!data.authRequired",
+            "xs": 12,
+            "sm": 6,
+            "md": 6,
+            "lg": 6,
+            "xl": 6
+        },
+        "_authInfo": {
+            "type": "staticText",
+            "text": "authInfo",
+            "hidden": "data.authRequired",
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12
+        },
+        "_supportHeader": {
+            "type": "header",
+            "text": "supportHeader",
+            "size": 5
+        },
+        "_aboutInfo": {
+            "type": "staticText",
+            "text": "aboutInfo",
+            "xs": 12,
+            "sm": 12,
+            "md": 12,
+            "lg": 12,
+            "xl": 12,
+            "style": {
+                "fontSize": 14,
+                "marginBottom": 16
+            }
+        },
+        "_kofiLink": {
+            "type": "staticLink",
+            "href": "https://ko-fi.com/krobipd",
+            "label": "donateKofi",
+            "button": true,
+            "variant": "outlined",
+            "color": "primary",
+            "xs": 12,
+            "sm": 6,
+            "md": 4,
+            "lg": 4,
+            "xl": 4
+        },
+        "_paypalLink": {
+            "type": "staticLink",
+            "href": "https://paypal.me/krobipd",
+            "label": "donatePaypal",
+            "button": true,
+            "variant": "outlined",
+            "color": "primary",
+            "xs": 12,
+            "sm": 6,
+            "md": 4,
+            "lg": 4,
+            "xl": 4
+        }
+    }
 }

package/build/lib/client-registry.js

@@ -251,21 +251,20 @@ class ClientRegistry {
    * @param rawValue Value written to the state.
    */
   async handleManualUrlWrite(id, rawValue) {
-    var _a;
+    var _a, _b;
     const record = this.byId.get(id);
     if (!record) {
       return;
     }
-    const empty = rawValue === "" || rawValue === null || rawValue === void 0;
-    const safe = empty ? null : (0, import_coerce.coerceSafeUrl)(rawValue);
-    if (!empty && !safe) {
+    const result = (0, import_coerce.parseManualUrlWrite)(rawValue);
+    if (!result.ok) {
       this.adapter.log.warn(`client-registry: rejected unsafe manualUrl for ${id}`);
       await this.adapter.setStateAsync(`clients.${id}.manualUrl`, { val: (_a = record.manualUrl) != null ? _a : "", ack: true });
       return;
     }
-    record.manualUrl = safe;
-    await this.adapter.setStateAsync(`clients.${id}.manualUrl`, { val: safe != null ? safe : "", ack: true });
-    if (record.mode === import_global_config.MODE_MANUAL && !safe) {
+    record.manualUrl = result.safe;
+    await this.adapter.setStateAsync(`clients.${id}.manualUrl`, { val: (_b = result.safe) != null ? _b : "", ack: true });
+    if (record.mode === import_global_config.MODE_MANUAL && !result.safe) {
       this.adapter.log.warn(
         `client-registry: ${id} manualUrl cleared while mode='manual' \u2014 display will hit the setup page`
       );