npm - iobroker.mywebui - Versions diffs - 1.37.27 → 1.37.29 - Mend

iobroker.mywebui 1.37.27 → 1.37.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/io-package.json +16 -2
package/package.json +2 -2
package/webExtension.cjs +106 -0
package/www/dist/frontend/common/IobrokerHandler.js +6 -3
package/webExtension.js +0 -35

package/io-package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "common": {
     "name": "mywebui",
-    "version": "1.37.27",
+    "version": "1.37.29",
     "titleLang": {
       "en": "mywebui",
       "de": "mywebui",
@@ -29,6 +29,20 @@
       "zh-cn": "使用万维网传送器的高锰用户接口"
     },
     "news": {
+      "1.37.29": {
+        "en": "security fix: lang sync via session-verified HTTP endpoint instead of sendTo — username no longer trusted from frontend",
+        "az": "təhlükəsizlik düzəlişi: dil sinxronizasiyası session-yoxlamalı HTTP endpoint ilə — username artıq frontend-dən alınmır",
+        "tr": "güvenlik düzeltmesi: dil senkronizasyonu session doğrulamalı HTTP endpoint ile — username artık frontend'den gelmiyor",
+        "ru": "исправление безопасности: синхронизация языка через HTTP endpoint с проверкой сессии — username больше не берётся из frontend",
+        "de": "Sicherheitsfix: Sprachsync über session-verifizierten HTTP-Endpoint — username kommt nicht mehr vom Frontend"
+      },
+      "1.37.28": {
+        "en": "fix: rename webExtension.js to .cjs to avoid ES module conflict",
+        "az": "düzəliş: ES module konflikti aradan qaldırmaq üçün webExtension.js → .cjs",
+        "tr": "düzeltme: ES module çakışmasını önlemek için webExtension.js → .cjs",
+        "ru": "исправление: переименован webExtension.js в .cjs для совместимости с ES module",
+        "de": "fix: webExtension.js in .cjs umbenannt wegen ES-Modul-Konflikt"
+      },
       "1.37.27": {
         "en": "fix: add native.webInstance='*' so iobroker.web loads webExtension.js",
         "az": "düzəliş: native.webInstance='*' əlavə edildi ki iobroker.web webExtension.js-i yükləsin",
@@ -308,7 +322,7 @@
     "onlyWWW": false,
     "nogit": false,
     "mode": "daemon",
-    "webExtension": "webExtension.js",
+    "webExtension": "webExtension.cjs",
     "welcomeScreen": {
       "link": "mywebui/index.html",
       "name": "mywebui editor",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "iobroker.mywebui",
-  "version": "1.37.27",
+  "version": "1.37.29",
   "description": "ioBroker mywebui - Custom edited mywebui by gokturk413",
   "type": "module",
   "main": "dist/backend/main.js",
@@ -59,7 +59,7 @@
     "README.md",
     "SCADA_SETUP.md",
     "setup-scada-utils.js",
-    "webExtension.js"
+    "webExtension.cjs"
   ],
   "engines": {
     "node": ">=18"

package/webExtension.cjs ADDED Viewed

@@ -0,0 +1,106 @@
+'use strict';
+const https = require('https');
+const http  = require('http');
+function mapGrafanaLanguage(lang) {
+    switch (lang) {
+        case 'az': return 'az-AZ';
+        case 'ru': return 'ru-RU';
+        case 'en': return 'en-US';
+        case 'de': return 'de-DE';
+        case 'tr': return 'tr-TR';
+        default:   return 'en-US';
+    }
+}
+function httpPatch(urlStr, headers, body) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(urlStr);
+        const lib = parsed.protocol === 'https:' ? https : http;
+        const req = lib.request(parsed, { method: 'PATCH', headers }, (res) => {
+            let data = '';
+            res.on('data', c => data += c);
+            res.on('end', () => resolve({ status: res.statusCode, body: data }));
+        });
+        req.on('error', reject);
+        req.setTimeout(3000, () => { req.destroy(); reject(new Error('timeout')); });
+        req.write(body);
+        req.end();
+    });
+}
+class MywebuiWebExtension {
+    /**
+     * @param {import('http').Server} server
+     * @param {{secure: boolean, port: number}} settings
+     * @param {object} adapter  - iobroker.web adapter instance
+     * @param {object} config   - system.adapter.mywebui.0 object
+     * @param {import('express').Application} app
+     */
+    constructor(server, settings, adapter, config, app) {
+        this._adapter = adapter;
+        const native = config?.native || {};
+        if (!native.grafanaEnabled) {
+            adapter.log.debug('[mywebui/WebExt] Grafana disabled — no endpoints registered');
+            return;
+        }
+        const grafanaUrl = (native.grafanaUrl || 'http://localhost:3000').replace(/\/$/, '');
+        // ── SSO auth check (nginx auth_request) ──────────────────────────────
+        if (native.grafanaSsoEnabled) {
+            app.get('/mywebui-auth-check', (req, res) => {
+                const username = req.session?.passport?.user;
+                if (!username) { res.status(401).end(); return; }
+                res.setHeader('X-User', username);
+                res.status(200).end();
+            });
+            adapter.log.info('[mywebui/WebExt] /mywebui-auth-check registered for nginx SSO');
+        }
+        // ── Language sync (session-verified, no username from frontend) ──────
+        if (native.grafanaLangSyncEnabled) {
+            app.post('/mywebui-grafana-lang', async (req, res) => {
+                const username = req.session?.passport?.user;
+                if (!username) { res.status(401).json({ error: 'not authenticated' }); return; }
+                let body = '';
+                req.on('data', c => body += c);
+                await new Promise(r => req.on('end', r));
+                let lang;
+                try { lang = JSON.parse(body).lang; } catch (e) { /**/ }
+                if (!lang) { res.status(400).json({ error: 'missing lang' }); return; }
+                const grafanaLang = mapGrafanaLanguage(lang);
+                const payload = JSON.stringify({ language: grafanaLang });
+                try {
+                    const r = await httpPatch(
+                        grafanaUrl + '/api/user/preferences',
+                        {
+                            'Content-Type': 'application/json',
+                            'Content-Length': Buffer.byteLength(payload),
+                            'X-WEBAUTH-USER': username
+                        },
+                        payload
+                    );
+                    if (r.status === 200) {
+                        adapter.log.debug(`[mywebui/WebExt] lang synced: ${username} → ${grafanaLang}`);
+                        res.json({ success: true });
+                    } else {
+                        adapter.log.warn(`[mywebui/WebExt] Grafana ${r.status}: ${r.body}`);
+                        res.status(502).json({ error: `Grafana HTTP ${r.status}` });
+                    }
+                } catch (e) {
+                    adapter.log.warn(`[mywebui/WebExt] lang sync error: ${e.message}`);
+                    res.status(500).json({ error: e.message });
+                }
+            });
+            adapter.log.info('[mywebui/WebExt] /mywebui-grafana-lang registered (session-verified)');
+        }
+    }
+}
+module.exports = MywebuiWebExtension;

package/www/dist/frontend/common/IobrokerHandler.js CHANGED Viewed

@@ -497,9 +497,12 @@ export class IobrokerHandler {
         localStorage.setItem('webui-language', lang);
         this.languageChanged.emit(lang);
         window.dispatchEvent(new CustomEvent('languageChanged', { detail: lang }));
-        if (this.userName && this.connection) {
-            this.connection.sendTo('mywebui.0', 'grafanaLangSync', { username: this.userName, lang }).catch(() => {});
-        }
+        fetch('/mywebui-grafana-lang', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ lang })
+        }).catch(() => {});
     }
     /** Translation helper - hər yerdən istifadə üçün
      *  iobrokerHandler.t('pid.op')

package/webExtension.js DELETED Viewed

@@ -1,35 +0,0 @@
-'use strict';
-class MywebuiWebExtension {
-    /**
-     * @param {import('http').Server} server
-     * @param {{secure: boolean, port: number}} settings
-     * @param {object} adapter  - iobroker.web adapter instance
-     * @param {object} config   - system.adapter.mywebui.0 object
-     * @param {import('express').Application} app
-     */
-    constructor(server, settings, adapter, config, app) {
-        this._adapter = adapter;
-        const ssoEnabled = config?.native?.grafanaEnabled && config?.native?.grafanaSsoEnabled;
-        if (!ssoEnabled) {
-            adapter.log.debug('[mywebui/WebExt] SSO disabled — /mywebui-auth-check not registered');
-            return;
-        }
-        app.get('/mywebui-auth-check', (req, res) => {
-            const username = req.session?.passport?.user;
-            if (!username) {
-                res.status(401).end();
-                return;
-            }
-            res.setHeader('X-User', username);
-            res.status(200).end();
-        });
-        adapter.log.info('[mywebui/WebExt] /mywebui-auth-check registered for nginx SSO');
-    }
-}
-module.exports = MywebuiWebExtension;