npm - iobroker.mywebui - Versions diffs - 1.37.28 → 1.37.29 - Mend

iobroker.mywebui 1.37.28 → 1.37.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/io-package.json +8 -1
package/package.json +1 -1
package/webExtension.cjs +85 -14
package/www/dist/frontend/common/IobrokerHandler.js +6 -3

package/io-package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "common": {
     "name": "mywebui",
-    "version": "1.37.28",
+    "version": "1.37.29",
     "titleLang": {
       "en": "mywebui",
       "de": "mywebui",
@@ -29,6 +29,13 @@
       "zh-cn": "使用万维网传送器的高锰用户接口"
     },
     "news": {
+      "1.37.29": {
+        "en": "security fix: lang sync via session-verified HTTP endpoint instead of sendTo — username no longer trusted from frontend",
+        "az": "təhlükəsizlik düzəlişi: dil sinxronizasiyası session-yoxlamalı HTTP endpoint ilə — username artıq frontend-dən alınmır",
+        "tr": "güvenlik düzeltmesi: dil senkronizasyonu session doğrulamalı HTTP endpoint ile — username artık frontend'den gelmiyor",
+        "ru": "исправление безопасности: синхронизация языка через HTTP endpoint с проверкой сессии — username больше не берётся из frontend",
+        "de": "Sicherheitsfix: Sprachsync über session-verifizierten HTTP-Endpoint — username kommt nicht mehr vom Frontend"
+      },
       "1.37.28": {
         "en": "fix: rename webExtension.js to .cjs to avoid ES module conflict",
         "az": "düzəliş: ES module konflikti aradan qaldırmaq üçün webExtension.js → .cjs",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "iobroker.mywebui",
-  "version": "1.37.28",
+  "version": "1.37.29",
   "description": "ioBroker mywebui - Custom edited mywebui by gokturk413",
   "type": "module",
   "main": "dist/backend/main.js",

package/webExtension.cjs CHANGED Viewed

@@ -1,5 +1,35 @@
 'use strict';
+const https = require('https');
+const http  = require('http');
+function mapGrafanaLanguage(lang) {
+    switch (lang) {
+        case 'az': return 'az-AZ';
+        case 'ru': return 'ru-RU';
+        case 'en': return 'en-US';
+        case 'de': return 'de-DE';
+        case 'tr': return 'tr-TR';
+        default:   return 'en-US';
+    }
+}
+function httpPatch(urlStr, headers, body) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(urlStr);
+        const lib = parsed.protocol === 'https:' ? https : http;
+        const req = lib.request(parsed, { method: 'PATCH', headers }, (res) => {
+            let data = '';
+            res.on('data', c => data += c);
+            res.on('end', () => resolve({ status: res.statusCode, body: data }));
+        });
+        req.on('error', reject);
+        req.setTimeout(3000, () => { req.destroy(); reject(new Error('timeout')); });
+        req.write(body);
+        req.end();
+    });
+}
 class MywebuiWebExtension {
     /**
      * @param {import('http').Server} server
@@ -10,25 +40,66 @@ class MywebuiWebExtension {
      */
     constructor(server, settings, adapter, config, app) {
         this._adapter = adapter;
+        const native = config?.native || {};
-        const ssoEnabled = config?.native?.grafanaEnabled && config?.native?.grafanaSsoEnabled;
-        if (!ssoEnabled) {
-            adapter.log.debug('[mywebui/WebExt] SSO disabled — /mywebui-auth-check not registered');
+        if (!native.grafanaEnabled) {
+            adapter.log.debug('[mywebui/WebExt] Grafana disabled — no endpoints registered');
             return;
         }
-        app.get('/mywebui-auth-check', (req, res) => {
-            const username = req.session?.passport?.user;
-            if (!username) {
-                res.status(401).end();
-                return;
-            }
-            res.setHeader('X-User', username);
-            res.status(200).end();
-        });
+        const grafanaUrl = (native.grafanaUrl || 'http://localhost:3000').replace(/\/$/, '');
+        // ── SSO auth check (nginx auth_request) ──────────────────────────────
+        if (native.grafanaSsoEnabled) {
+            app.get('/mywebui-auth-check', (req, res) => {
+                const username = req.session?.passport?.user;
+                if (!username) { res.status(401).end(); return; }
+                res.setHeader('X-User', username);
+                res.status(200).end();
+            });
+            adapter.log.info('[mywebui/WebExt] /mywebui-auth-check registered for nginx SSO');
+        }
+        // ── Language sync (session-verified, no username from frontend) ──────
+        if (native.grafanaLangSyncEnabled) {
+            app.post('/mywebui-grafana-lang', async (req, res) => {
+                const username = req.session?.passport?.user;
+                if (!username) { res.status(401).json({ error: 'not authenticated' }); return; }
-        adapter.log.info('[mywebui/WebExt] /mywebui-auth-check registered for nginx SSO');
+                let body = '';
+                req.on('data', c => body += c);
+                await new Promise(r => req.on('end', r));
+                let lang;
+                try { lang = JSON.parse(body).lang; } catch (e) { /**/ }
+                if (!lang) { res.status(400).json({ error: 'missing lang' }); return; }
+                const grafanaLang = mapGrafanaLanguage(lang);
+                const payload = JSON.stringify({ language: grafanaLang });
+                try {
+                    const r = await httpPatch(
+                        grafanaUrl + '/api/user/preferences',
+                        {
+                            'Content-Type': 'application/json',
+                            'Content-Length': Buffer.byteLength(payload),
+                            'X-WEBAUTH-USER': username
+                        },
+                        payload
+                    );
+                    if (r.status === 200) {
+                        adapter.log.debug(`[mywebui/WebExt] lang synced: ${username} → ${grafanaLang}`);
+                        res.json({ success: true });
+                    } else {
+                        adapter.log.warn(`[mywebui/WebExt] Grafana ${r.status}: ${r.body}`);
+                        res.status(502).json({ error: `Grafana HTTP ${r.status}` });
+                    }
+                } catch (e) {
+                    adapter.log.warn(`[mywebui/WebExt] lang sync error: ${e.message}`);
+                    res.status(500).json({ error: e.message });
+                }
+            });
+            adapter.log.info('[mywebui/WebExt] /mywebui-grafana-lang registered (session-verified)');
+        }
     }
 }

package/www/dist/frontend/common/IobrokerHandler.js CHANGED Viewed

@@ -497,9 +497,12 @@ export class IobrokerHandler {
         localStorage.setItem('webui-language', lang);
         this.languageChanged.emit(lang);
         window.dispatchEvent(new CustomEvent('languageChanged', { detail: lang }));
-        if (this.userName && this.connection) {
-            this.connection.sendTo('mywebui.0', 'grafanaLangSync', { username: this.userName, lang }).catch(() => {});
-        }
+        fetch('/mywebui-grafana-lang', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ lang })
+        }).catch(() => {});
     }
     /** Translation helper - hər yerdən istifadə üçün
      *  iobrokerHandler.t('pid.op')