npm - node-red-contrib-i3x - Versions diffs - 0.0.2 → 0.0.3 - Mend

node-red-contrib-i3x 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/.claude/settings.local.json +2 -1
package/CHANGELOG.md +27 -0
package/lib/i3x-client.js +32 -8
package/lib/node-utils.js +27 -1
package/nodes/i3x-browse.html +13 -0
package/nodes/i3x-browse.js +14 -19
package/nodes/i3x-history.html +14 -0
package/nodes/i3x-history.js +6 -6
package/nodes/i3x-read.html +15 -0
package/nodes/i3x-read.js +6 -6
package/nodes/i3x-server.html +926 -0
package/nodes/i3x-server.js +122 -0
package/nodes/i3x-subscribe.html +14 -1
package/nodes/i3x-subscribe.js +9 -6
package/nodes/i3x-write.html +15 -2
package/nodes/i3x-write.js +3 -3
package/package.json +1 -1

package/.claude/settings.local.json CHANGED Viewed

@@ -7,7 +7,8 @@
       "Bash(npm test:*)",
       "Bash(node-red:*)",
       "Bash(npx node-red:*)",
-      "Bash(docker compose:*)"
+      "Bash(docker compose:*)",
+      "Bash(ls /home/la/private/node-red-contrib-i3x/docker-compose* /home/la/private/node-red-contrib-i3x/Dockerfile* 2>/dev/null)"
     ]
   }
 }

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,32 @@
 # Changelog
+## 0.0.3 (2026-03-10)
+Hardening, security improvements, and new browser widget features.
+### Added
+- **Live Values in Browser Widget** – The tree view now displays the current value, quality, and timestamp next to each element. Values are fetched automatically when expanding types or children, and on search results. Hover to see full value with quality and timestamp.
+- **Test Connection Button** – Server config panel now includes a "Test Connection" button to verify connectivity without deploying
+- **New admin endpoint** `POST /i3x-server/:id/browse/values` – Batch-reads live values for up to 50 elements (used by browser widget)
+- **`statusError()` utility** – Smarter error message truncation (48 chars with `...`) replacing the hard `substring(0, 32)` cut across all nodes
+- **`clampMaxDepth()` utility** – Validates and clamps `maxDepth` to 0–100 range, preventing negative or excessively large values
+### Security
+- **HTTPS warning** – Nodes now warn at startup when credentials are sent over plain HTTP to non-localhost servers
+- **Error response sanitization** – `_wrapError()` strips sensitive fields (`token`, `password`, `apiKey`, `secret`) from API error response bodies to prevent accidental credential leakage in logs
+### Fixed
+- **SSE auth header duplication** – `streamSubscription()` now copies all configured headers cleanly via spread instead of manually duplicating individual auth headers
+- **Poll interval minimum** – Increased from 500ms to 1000ms to prevent accidental API overload
+### Changed
+- Error status messages across all nodes now show up to 48 characters (was 32)
+- `maxDepth` is validated on all nodes that accept it (read, history, subscribe)
 ## 0.0.2 (2026-03-05)
 Compliance improvements based on [i3X Client Developer Guidelines](https://www.i3x.dev/sdk/category/client-developers).

package/lib/i3x-client.js CHANGED Viewed

@@ -84,6 +84,14 @@ class I3XClient extends EventEmitter {
         this.authType = config.authType || "none";
         this.timeout = config.timeout || 10000;
+        // Warn if credentials are sent over plain HTTP (not localhost)
+        if (this.authType !== "none" && this.baseUrl && !this.baseUrl.startsWith("https://")) {
+            const isLocal = /^https?:\/\/(localhost|127\.0\.0\.1|::1)(:|\/|$)/.test(this.baseUrl);
+            if (!isLocal) {
+                this._httpsWarning = "Credentials sent over plain HTTP – use HTTPS in production";
+            }
+        }
         const axiosConfig = {
             baseURL: this._prefix(),
             timeout: this.timeout,
@@ -328,13 +336,19 @@ class I3XClient extends EventEmitter {
         let closed = false;
         let reconnectCount = 0;
-        const headers = { ...this.http.defaults.headers.common, Accept: "text/event-stream" };
-        if (this.http.defaults.headers["Authorization"]) {
-            headers["Authorization"] = this.http.defaults.headers["Authorization"];
-        }
-        if (this.http.defaults.headers["X-API-Key"]) {
-            headers["X-API-Key"] = this.http.defaults.headers["X-API-Key"];
-        }
+        const headers = {
+            ...this.http.defaults.headers.common,
+            ...this.http.defaults.headers,
+            Accept: "text/event-stream",
+        };
+        // Remove non-header axios defaults that got spread in
+        delete headers.common;
+        delete headers.get;
+        delete headers.post;
+        delete headers.put;
+        delete headers.delete;
+        delete headers.patch;
+        delete headers.head;
         if (this.http.defaults.auth) {
             const b64 = Buffer.from(
                 `${this.http.defaults.auth.username}:${this.http.defaults.auth.password}`
@@ -513,7 +527,17 @@ class I3XClient extends EventEmitter {
         if (err.response) {
             wrapped.statusCode = err.response.status;
             wrapped.statusText = err.response.statusText;
-            wrapped.body = err.response.data;
+            // Sanitize response body to avoid leaking auth details
+            const body = err.response.data;
+            if (body && typeof body === "object") {
+                const sanitized = { ...body };
+                for (const key of ["authorization", "token", "apiKey", "api_key", "password", "secret"]) {
+                    delete sanitized[key];
+                }
+                wrapped.body = sanitized;
+            } else {
+                wrapped.body = body;
+            }
         } else if (err.code) {
             wrapped.code = err.code;
         }

package/lib/node-utils.js CHANGED Viewed

@@ -58,4 +58,30 @@ function safeSend(node, send) {
     return send || function () { node.send.apply(node, arguments); };
 }
-module.exports = { bindServer, parseIds, safeSend };
+/**
+ * Truncate an error message for node status display.
+ * Keeps up to 48 characters and appends "..." if truncated.
+ * @param {string} msg
+ * @returns {string}
+ */
+function statusError(msg) {
+    if (!msg) return "error";
+    if (msg.length <= 48) return msg;
+    return msg.substring(0, 45) + "...";
+}
+/**
+ * Clamp maxDepth to a valid range (0–100).
+ * @param {number} val
+ * @param {number} [fallback=1]
+ * @returns {number}
+ */
+function clampMaxDepth(val, fallback) {
+    if (fallback === undefined) fallback = 1;
+    var n = parseInt(val, 10);
+    if (isNaN(n) || n < 0) return fallback;
+    if (n > 100) return 100;
+    return n;
+}
+module.exports = { bindServer, parseIds, safeSend, statusError, clampMaxDepth };

package/nodes/i3x-browse.html CHANGED Viewed

@@ -21,6 +21,9 @@
         <label for="node-input-elementId"><i class="fa fa-crosshairs"></i> Element ID</label>
         <input type="text" id="node-input-elementId" placeholder="optional – filter by element ID">
     </div>
+    <div class="form-row i3x-browse-elementId">
+        <div id="i3x-browse-browser"></div>
+    </div>
     <div class="form-row i3x-browse-typeId">
         <label for="node-input-typeId"><i class="fa fa-filter"></i> Type ID</label>
         <input type="text" id="node-input-typeId" placeholder="optional – filter objects by type">
@@ -66,6 +69,7 @@
     <h3>Details</h3>
     <p>This node talks to the <b>Explore</b> endpoints of the i3X API.
     <code>msg</code> properties override the values configured in the node editor.</p>
+    <p>Use the <b>Browse</b> button to visually select an element from the server.</p>
 </script>
 <script type="text/javascript">
@@ -101,6 +105,15 @@
             }
             target.on("change", toggle);
             toggle();
+            if (window.I3XBrowser) {
+                this._browser = I3XBrowser.create({
+                    container: "#i3x-browse-browser",
+                    serverField: "#node-input-server",
+                    targetField: "#node-input-elementId",
+                    mode: "single",
+                });
+            }
         },
     });
 </script>

package/nodes/i3x-browse.js CHANGED Viewed

@@ -3,7 +3,7 @@
  */
 "use strict";
-const { bindServer, safeSend } = require("../lib/node-utils");
+const { bindServer, parseIds, safeSend, statusError } = require("../lib/node-utils");
 module.exports = function (RED) {
     function I3XBrowseNode(config) {
@@ -24,13 +24,13 @@ module.exports = function (RED) {
             const client = node.server.client;
             const target = msg.browseTarget || node.browseTarget;
-            const elementId = msg.elementId || node.elementId;
+            const ids = parseIds(msg.elementId || node.elementId);
             const typeId = msg.typeId || node.typeId;
             const nsUri = msg.namespaceUri || node.namespaceUri;
             const inclMeta = msg.includeMetadata !== undefined ? msg.includeMetadata : node.includeMetadata;
             const relType = msg.relationshipType || node.relationshipType;
-            node.status({ fill: "blue", shape: "dot", text: "requesting..." });
+            node.status({ fill: "blue", shape: "dot", text: "browsing " + target + "..." });
             try {
                 let result;
@@ -39,51 +39,46 @@ module.exports = function (RED) {
                         result = await client.getNamespaces();
                         break;
                     case "objecttypes":
-                        if (elementId) {
-                            const ids = Array.isArray(elementId) ? elementId : [elementId];
+                        if (ids.length) {
                             result = await client.queryObjectTypes(ids);
                         } else {
                             result = await client.getObjectTypes({ namespaceUri: nsUri || undefined });
                         }
                         break;
                     case "relationshiptypes":
-                        if (elementId) {
-                            const ids = Array.isArray(elementId) ? elementId : [elementId];
+                        if (ids.length) {
                             result = await client.queryRelationshipTypes(ids);
                         } else {
                             result = await client.getRelationshipTypes({ namespaceUri: nsUri || undefined });
                         }
                         break;
                     case "objects":
-                        if (elementId) {
-                            const ids = Array.isArray(elementId) ? elementId : [elementId];
+                        if (ids.length) {
                             result = await client.listObjects(ids, { includeMetadata: inclMeta });
                         } else {
                             result = await client.getObjects({ typeId: typeId || undefined, includeMetadata: inclMeta });
                         }
                         break;
                     case "related":
-                        if (!elementId) {
+                        if (!ids.length) {
                             throw new Error("elementId is required for related objects query");
                         }
-                        {
-                            const ids = Array.isArray(elementId) ? elementId : [elementId];
-                            result = await client.getRelatedObjects(ids, {
-                                relationshipType: relType || undefined,
-                                includeMetadata: inclMeta,
-                            });
-                        }
+                        result = await client.getRelatedObjects(ids, {
+                            relationshipType: relType || undefined,
+                            includeMetadata: inclMeta,
+                        });
                         break;
                     default:
                         throw new Error("Unknown browse target: " + target);
                 }
+                const count = Array.isArray(result) ? result.length : 1;
                 msg.payload = result;
-                node.status({ fill: "green", shape: "dot", text: "ok" });
+                node.status({ fill: "green", shape: "dot", text: count + " " + target });
                 send(msg);
                 if (done) done();
             } catch (err) {
-                node.status({ fill: "red", shape: "ring", text: err.message.substring(0, 32) });
+                node.status({ fill: "red", shape: "ring", text: statusError(err.message) });
                 if (done) done(err); else node.error(err, msg);
             }
         });

package/nodes/i3x-history.html CHANGED Viewed

@@ -11,6 +11,9 @@
         <label for="node-input-elementIds"><i class="fa fa-list"></i> Element IDs</label>
         <input type="text" id="node-input-elementIds" placeholder="comma-separated element IDs">
     </div>
+    <div class="form-row">
+        <div id="i3x-history-browser"></div>
+    </div>
     <div class="form-row">
         <label for="node-input-startTime"><i class="fa fa-clock-o"></i> Start Time</label>
         <input type="text" id="node-input-startTime" placeholder="ISO 8601 or relative (e.g. -1h, -7d)">
@@ -50,6 +53,7 @@
     <p>Uses <code>POST /objects/history</code>. Time values support both ISO 8601 and
     relative notation: <code>-30s</code> (seconds), <code>-5m</code> (minutes), <code>-1h</code> (hours),
     <code>-7d</code> (days), <code>-1w</code> (weeks).</p>
+    <p>Use the <b>Browse</b> button to visually select elements from the server.</p>
 </script>
 <script type="text/javascript">
@@ -71,5 +75,15 @@
         label: function () {
             return this.name || this.elementIds || "i3x history";
         },
+        oneditprepare: function () {
+            if (window.I3XBrowser) {
+                this._browser = I3XBrowser.create({
+                    container: "#i3x-history-browser",
+                    serverField: "#node-input-server",
+                    targetField: "#node-input-elementIds",
+                    mode: "multi",
+                });
+            }
+        },
     });
 </script>

package/nodes/i3x-history.js CHANGED Viewed

@@ -3,7 +3,7 @@
  */
 "use strict";
-const { bindServer, parseIds, safeSend } = require("../lib/node-utils");
+const { bindServer, parseIds, safeSend, statusError, clampMaxDepth } = require("../lib/node-utils");
 /**
  * Resolve relative time strings like "-1h", "-7d", "-30m" to ISO 8601.
@@ -28,8 +28,7 @@ module.exports = function (RED) {
         node.elementIds = config.elementIds || "";
         node.startTime = config.startTime || "";
         node.endTime = config.endTime || "";
-        node.maxDepth = parseInt(config.maxDepth, 10);
-        if (isNaN(node.maxDepth)) node.maxDepth = 1;
+        node.maxDepth = clampMaxDepth(config.maxDepth);
         if (!bindServer(node, RED, config.server)) return;
@@ -46,18 +45,19 @@ module.exports = function (RED) {
             const startTime = resolveTime(msg.startTime || node.startTime);
             const endTime = resolveTime(msg.endTime || node.endTime);
-            const maxDepth = msg.maxDepth !== undefined ? parseInt(msg.maxDepth, 10) : node.maxDepth;
+            const maxDepth = msg.maxDepth !== undefined ? clampMaxDepth(msg.maxDepth) : node.maxDepth;
             node.status({ fill: "blue", shape: "dot", text: "querying..." });
             try {
                 const result = await client.readHistory(ids, { startTime, endTime, maxDepth });
                 msg.payload = result;
-                node.status({ fill: "green", shape: "dot", text: "ok" });
+                const count = Array.isArray(result) ? result.length : 1;
+                node.status({ fill: "green", shape: "dot", text: count + " record" + (count !== 1 ? "s" : "") });
                 send(msg);
                 if (done) done();
             } catch (err) {
-                node.status({ fill: "red", shape: "ring", text: err.message.substring(0, 32) });
+                node.status({ fill: "red", shape: "ring", text: statusError(err.message) });
                 if (done) done(err); else node.error(err, msg);
             }
         });

package/nodes/i3x-read.html CHANGED Viewed

@@ -11,6 +11,9 @@
         <label for="node-input-elementIds"><i class="fa fa-list"></i> Element IDs</label>
         <input type="text" id="node-input-elementIds" placeholder="comma-separated element IDs">
     </div>
+    <div class="form-row">
+        <div id="i3x-read-browser"></div>
+    </div>
     <div class="form-row">
         <label for="node-input-maxDepth"><i class="fa fa-level-down"></i> Max Depth</label>
         <input type="number" id="node-input-maxDepth" placeholder="1" min="0" step="1">
@@ -37,6 +40,8 @@
     <h3>Details</h3>
     <p>Uses <code>POST /objects/value</code>. The <code>maxDepth</code> parameter controls whether
     child component values are included recursively.</p>
+    <p>Use the <b>Browse</b> button to visually select elements from the server,
+    or provide element IDs via <code>msg.elementIds</code> at runtime.</p>
 </script>
 <script type="text/javascript">
@@ -56,5 +61,15 @@
         label: function () {
             return this.name || this.elementIds || "i3x read";
         },
+        oneditprepare: function () {
+            if (window.I3XBrowser) {
+                this._browser = I3XBrowser.create({
+                    container: "#i3x-read-browser",
+                    serverField: "#node-input-server",
+                    targetField: "#node-input-elementIds",
+                    mode: "multi",
+                });
+            }
+        },
     });
 </script>

package/nodes/i3x-read.js CHANGED Viewed

@@ -3,7 +3,7 @@
  */
 "use strict";
-const { bindServer, parseIds, safeSend } = require("../lib/node-utils");
+const { bindServer, parseIds, safeSend, statusError, clampMaxDepth } = require("../lib/node-utils");
 module.exports = function (RED) {
     function I3XReadNode(config) {
@@ -11,8 +11,7 @@ module.exports = function (RED) {
         const node = this;
         node.elementIds = config.elementIds || "";
-        node.maxDepth = parseInt(config.maxDepth, 10);
-        if (isNaN(node.maxDepth)) node.maxDepth = 1;
+        node.maxDepth = clampMaxDepth(config.maxDepth);
         if (!bindServer(node, RED, config.server)) return;
@@ -27,18 +26,19 @@ module.exports = function (RED) {
                 return;
             }
-            const maxDepth = msg.maxDepth !== undefined ? parseInt(msg.maxDepth, 10) : node.maxDepth;
+            const maxDepth = msg.maxDepth !== undefined ? clampMaxDepth(msg.maxDepth) : node.maxDepth;
             node.status({ fill: "blue", shape: "dot", text: "requesting..." });
             try {
                 const result = await client.readValues(ids, { maxDepth });
                 msg.payload = result;
-                node.status({ fill: "green", shape: "dot", text: "ok" });
+                const count = Array.isArray(result) ? result.length : 1;
+                node.status({ fill: "green", shape: "dot", text: count + " value" + (count !== 1 ? "s" : "") });
                 send(msg);
                 if (done) done();
             } catch (err) {
-                node.status({ fill: "red", shape: "ring", text: err.message.substring(0, 32) });
+                node.status({ fill: "red", shape: "ring", text: statusError(err.message) });
                 if (done) done(err); else node.error(err, msg);
             }
         });