node-red-contrib-alarm-ultimate 1.0.1 → 1.0.2

package/CHANGELOG.MD

@@ -3,6 +3,15 @@
 > Stable release track from `0.3.0`.
 > Previous pre-release history is preserved below.
 
+## [1.0.2] - 2026-04-08
+
+### Fixed
+
+- **Tools + adminAuth (OAuth):** fixed `401/Unauthorized` when opening tools pages from the editor with protected Node-RED admin access.
+- **OAuth token handling:** tools now support `access_token` propagation from editor links and keep the token while navigating between tool pages.
+- **Bearer parsing conflict:** fixed `400 Bad Request` when both query `access_token` and `Authorization` header were present by normalizing auth before permission checks.
+- **Control Panel auth fallback:** improved token lookup to support Node-RED token storage keys with `httpAdminRoot` suffix.
+
 ## [1.0.1] - 2026-04-07
 
 ### Changed

package/nodes/AlarmSystemUltimate.html

@@ -267,13 +267,35 @@
         zoneAxProMatchRow.toggle(adapter === "axpro");
       }
 
+      function getEditorAccessToken() {
+        try {
+          const tokens =
+            RED && RED.settings && typeof RED.settings.get === "function"
+              ? RED.settings.get("auth-tokens")
+              : null;
+          return tokens && typeof tokens.access_token === "string"
+            ? tokens.access_token.trim()
+            : "";
+        } catch (_err) {
+          return "";
+        }
+      }
+
+      function withAccessToken(url) {
+        const token = getEditorAccessToken();
+        if (!token) return url;
+        const sep = url.includes("?") ? "&" : "?";
+        return `${url}${sep}access_token=${encodeURIComponent(token)}`;
+      }
+
       function openZonesManager() {
         const httpAdminRoot = (RED.settings && RED.settings.httpAdminRoot) || "/";
         const root = httpAdminRoot.endsWith("/") ? httpAdminRoot : `${httpAdminRoot}/`;
         const currentName = String($("#node-input-name").val() || "").trim();
         const namePart = currentName ? `&name=${encodeURIComponent(currentName)}` : "";
         const idPart = nodeId ? `?id=${encodeURIComponent(nodeId)}${namePart}` : "";
-        window.open(`${root}alarm-ultimate/alarm-json-mapper${idPart}`, "_blank");
+        const targetUrl = `${root}alarm-ultimate/alarm-json-mapper${idPart}`;
+        window.open(withAccessToken(targetUrl), "_blank");
       }
 
       $("#node-input-zones-panel").on("click", function (evt) {
@@ -281,8 +303,9 @@
         const httpAdminRoot = (RED.settings && RED.settings.httpAdminRoot) || "/";
         const root = httpAdminRoot.endsWith("/") ? httpAdminRoot : `${httpAdminRoot}/`;
         const idPart = nodeId ? `?id=${encodeURIComponent(nodeId)}` : "";
+        const targetUrl = `${root}alarm-ultimate/alarm-panel${idPart}`;
         window.open(
-          `${root}alarm-ultimate/alarm-panel${idPart}`,
+          withAccessToken(targetUrl),
           "_blank",
           "noopener,noreferrer",
         );

package/nodes/AlarmSystemUltimate.js

@@ -86,6 +86,37 @@ module.exports = function (RED) {
         ? RED.auth.needsPermission('AlarmSystemUltimate.write')
         : (req, res, next) => next();
 
+    function applyAccessTokenFromQuery(req) {
+      const token =
+        req &&
+        req.query &&
+        typeof req.query.access_token === 'string' &&
+        req.query.access_token.trim().length > 0
+          ? req.query.access_token.trim()
+          : '';
+      if (!token) {
+        return;
+      }
+      if (!req.headers || typeof req.headers !== 'object') {
+        req.headers = {};
+      }
+      const authHeader =
+        typeof req.headers.authorization === 'string' ? req.headers.authorization.trim() : '';
+      if (!authHeader && token) {
+        req.headers.authorization = `Bearer ${token}`;
+      }
+      // passport-http-bearer returns 400 if token is present in both header and query.
+      // Normalize to header-only for this request.
+      if (req.query && Object.prototype.hasOwnProperty.call(req.query, 'access_token')) {
+        delete req.query.access_token;
+      }
+    }
+
+    function needsReadWithQueryToken(req, res, next) {
+      applyAccessTokenFromQuery(req);
+      return needsRead(req, res, next);
+    }
+
     function sendToolFile(res, filename) {
       const filePath = path.join(__dirname, '..', 'tools', filename);
       res.set('Cache-Control', 'no-store, max-age=0');
@@ -113,19 +144,19 @@ module.exports = function (RED) {
       });
     }
 
-    RED.httpAdmin.get('/alarm-ultimate/alarm-json-mapper', needsRead, (req, res) => {
+    RED.httpAdmin.get('/alarm-ultimate/alarm-json-mapper', needsReadWithQueryToken, (req, res) => {
       sendToolFile(res, 'alarm-json-mapper.html');
     });
 
-    RED.httpAdmin.get('/alarm-ultimate/alarm-panel', needsRead, (req, res) => {
+    RED.httpAdmin.get('/alarm-ultimate/alarm-panel', needsReadWithQueryToken, (req, res) => {
       sendToolFile(res, 'alarm-panel.html');
     });
 
-    RED.httpAdmin.get('/alarm-ultimate/alarm-settings', needsRead, (req, res) => {
+    RED.httpAdmin.get('/alarm-ultimate/alarm-settings', needsReadWithQueryToken, (req, res) => {
       sendToolFile(res, 'alarm-settings.html');
     });
 
-    RED.httpAdmin.get('/alarm-ultimate/alarm-tools/assets/:file', needsRead, (req, res) => {
+    RED.httpAdmin.get('/alarm-ultimate/alarm-tools/assets/:file', (req, res) => {
       sendToolAssetFile(res, req.params.file);
     });
 

package/nodes/AlarmUltimateSiren.html

@@ -31,12 +31,34 @@
       const url = `${root}alarm-ultimate/alarm/nodes`;
       const panelButton = $("#node-input-alarm-panel");
 
+      function getEditorAccessToken() {
+        try {
+          const tokens =
+            RED && RED.settings && typeof RED.settings.get === "function"
+              ? RED.settings.get("auth-tokens")
+              : null;
+          return tokens && typeof tokens.access_token === "string"
+            ? tokens.access_token.trim()
+            : "";
+        } catch (_err) {
+          return "";
+        }
+      }
+
+      function withAccessToken(urlValue) {
+        const token = getEditorAccessToken();
+        if (!token) return urlValue;
+        const sep = urlValue.includes("?") ? "&" : "?";
+        return `${urlValue}${sep}access_token=${encodeURIComponent(token)}`;
+      }
+
       panelButton.off("click").on("click", (evt) => {
         evt.preventDefault();
         const alarmId = alarmSelect.val() || this.alarmId || "";
         const idPart = alarmId ? `?id=${encodeURIComponent(alarmId)}` : "";
+        const targetUrl = `${root}alarm-ultimate/alarm-panel${idPart}`;
         window.open(
-          `${root}alarm-ultimate/alarm-panel${idPart}`,
+          withAccessToken(targetUrl),
           "_blank",
           "noopener,noreferrer",
         );

package/nodes/AlarmUltimateState.html

@@ -40,6 +40,27 @@
       const topicRow = $("#au-row-topic");
       const initRow = $("#au-row-outputInitialState");
 
+      function getEditorAccessToken() {
+        try {
+          const tokens =
+            RED && RED.settings && typeof RED.settings.get === "function"
+              ? RED.settings.get("auth-tokens")
+              : null;
+          return tokens && typeof tokens.access_token === "string"
+            ? tokens.access_token.trim()
+            : "";
+        } catch (_err) {
+          return "";
+        }
+      }
+
+      function withAccessToken(urlValue) {
+        const token = getEditorAccessToken();
+        if (!token) return urlValue;
+        const sep = urlValue.includes("?") ? "&" : "?";
+        return `${urlValue}${sep}access_token=${encodeURIComponent(token)}`;
+      }
+
       function refreshVisibility() {
         const mode = String(ioSelect.val() || "out");
         const isOut = mode === "out";
@@ -51,8 +72,9 @@
         evt.preventDefault();
         const alarmId = alarmSelect.val() || this.alarmId || "";
         const idPart = alarmId ? `?id=${encodeURIComponent(alarmId)}` : "";
+        const targetUrl = `${root}alarm-ultimate/alarm-panel${idPart}`;
         window.open(
-          `${root}alarm-ultimate/alarm-panel${idPart}`,
+          withAccessToken(targetUrl),
           "_blank",
           "noopener,noreferrer",
         );

package/nodes/AlarmUltimateZone.html

@@ -38,6 +38,27 @@
       const root = httpAdminRoot.endsWith("/") ? httpAdminRoot : `${httpAdminRoot}/`;
       const panelButton = $("#node-input-alarm-panel");
 
+      function getEditorAccessToken() {
+        try {
+          const tokens =
+            RED && RED.settings && typeof RED.settings.get === "function"
+              ? RED.settings.get("auth-tokens")
+              : null;
+          return tokens && typeof tokens.access_token === "string"
+            ? tokens.access_token.trim()
+            : "";
+        } catch (_err) {
+          return "";
+        }
+      }
+
+      function withAccessToken(url) {
+        const token = getEditorAccessToken();
+        if (!token) return url;
+        const sep = url.includes("?") ? "&" : "?";
+        return `${url}${sep}access_token=${encodeURIComponent(token)}`;
+      }
+
       function apiUrl(path) {
         return `${root}${path.replace(/^\//, "")}`;
       }
@@ -46,8 +67,9 @@
         evt.preventDefault();
         const alarmId = alarmSelect.val() || this.alarmId || "";
         const idPart = alarmId ? `?id=${encodeURIComponent(alarmId)}` : "";
+        const targetUrl = `${root}alarm-ultimate/alarm-panel${idPart}`;
         window.open(
-          `${root}alarm-ultimate/alarm-panel${idPart}`,
+          withAccessToken(targetUrl),
           "_blank",
           "noopener,noreferrer",
         );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-red-contrib-alarm-ultimate",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Alarm System node for Node-RED. Integrates also with Home Assistant, MQTT, KNX-Ultimate. Completed with web interface for fast configuration and control. With zone import wizard.",
   "author": "Massimo Saccani (https://github.com/Supergiovane)",
   "license": "MIT",

package/tools/alarm-panel.html

@@ -450,9 +450,28 @@
 
 	      function authHeaders() {
 	        try {
-	          const raw = localStorage.getItem("auth-tokens");
-	          if (!raw) return {};
-	          const tokens = JSON.parse(raw);
+	          const tokenFromQuery =
+	            params && typeof params.get === "function" ? String(params.get("access_token") || "").trim() : "";
+	          if (tokenFromQuery) {
+	            return { Authorization: `Bearer ${tokenFromQuery}` };
+	          }
+
+	          const root = httpAdminRoot();
+	          const rootNoSlash = root.endsWith("/") ? root.slice(0, -1) : root;
+	          const suffix = rootNoSlash ? rootNoSlash.replace(/\//g, "-") : "";
+	          const candidates = [`auth-tokens${suffix}`, "auth-tokens"];
+	          let tokens = null;
+
+	          for (const key of candidates) {
+	            const raw = localStorage.getItem(key);
+	            if (!raw) continue;
+	            const parsed = JSON.parse(raw);
+	            if (parsed && parsed.access_token) {
+	              tokens = parsed;
+	              break;
+	            }
+	          }
+
 	          if (!tokens || !tokens.access_token) return {};
 	          return { Authorization: `Bearer ${tokens.access_token}` };
 	        } catch (err) {

package/tools/assets/alarm-vue-shell.js

@@ -26,7 +26,7 @@
 
   function computeTargetUrl(root, page, params, sourceParams) {
     const target = new URLSearchParams();
-    const copyKeys = ['id', 'name', 'embed'];
+    const copyKeys = ['id', 'name', 'embed', 'access_token'];
     for (const key of copyKeys) {
       const value = asText(params.get(key));
       if (value) target.set(key, value);