kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2026-04-24 06:47:07 +00:00
Code Issues Projects Releases Wiki Activity
Files
6cb3e24c2a759795a9fac59f80bef0ac2bbfaa72
MagicMirror/js/server.js
Karsten Hassel 9dd964e004 change loading config.js, allow variables in config.js and try to protect sensitive data (#4029) 
## Loading `config.js`

### Previously

Loaded on server-side in `app.js` and in the browser by including
`config.js` in `index.html`. The web server has an endpoint `/config`
providing the content of server loaded `config.js`.

### Now

Loaded only on server-side in `app.js`. The browser loads the content
using the web server endpoint `/config`. So the server has control what
to provide to the clients.

Loading the `config.js` was moved to `Utils.js` so that
`check_config.js` can use the same functions.

## Using environment variables in `config.js`

### Previously

Environment variables were not allowed in `config.js`. The workaround
was to create a `config.js.template` with curly braced bash variables
allowed. While starting the app the `config.js.template` was converted
via `envsub` into a `config.js`.

### Now

Curly braced bash variables are allowed in `config.js`. Because only the
server loads `config.js` he can substitute the variables while loading.

## Secrets in MagicMirror²

To be honest, this is a mess.

### Previously

All content defined in the `config` directory was reachable from the
browser. Everyone with access to the site could see all stuff defined in
the configuration e.g. using the url http://ip:8080/config. This
included api keys and other secrets.

So sharing a MagicMirror² url to others or running MagicMirror² without
authentication as public website was not possible.

### Now

With this PR we add (beta) functionality to protect sensitive data. This
is only possible for modules running with a `node_helper`. For modules
running in the browser only (e.g. default `weather` module), there is no
way to hide data (per construction). This does not mean, that every
module with `node_helper` is safe, e.g. the default `calendar` module is
not safe because it uses the calendar url's as sort of id and sends them
to the client.

For adding more security you have to set `hideConfigSecrets: true` in
`config.js`. With this:
- `config/config.env` is not deliverd to the browser
- the contents of environment variables beginning with `SECRET_` are not
published to the clients

This is a first step to protect sensitive data and you can at least
protect some secrets.
2026-02-06 00:21:35 +01:00

160 lines
5.1 KiB
JavaScript
Raw Blame History

const fs = require("node:fs");
const http = require("node:http");
const https = require("node:https");
const path = require("node:path");
const express = require("express");
const helmet = require("helmet");
const socketio = require("socket.io");
const Log = require("logger");
const { cors, getHtml, getVersion, getStartup, getEnvVars } = require("#server_functions");
const { ipAccessControl } = require(`${__dirname}/ip_access_control`);
const vendor = require(`${__dirname}/vendor`);
/**
* Server
* @param {object} configObj The MM config full and redacted
* @class
*/
function Server (configObj) {
const config = configObj.fullConf;
const app = express();
const port = process.env.MM_PORT || config.port;
const serverSockets = new Set();
let server = null;
/**
* Opens the server for incoming connections
* @returns {Promise} A promise that is resolved when the server listens to connections
*/
this.open = function () {
return new Promise((resolve) => {
if (config.useHttps) {
const options = {
key: fs.readFileSync(config.httpsPrivateKey),
cert: fs.readFileSync(config.httpsCertificate)
};
server = https.Server(options, app);
} else {
server = http.Server(app);
}
const io = socketio(server, {
cors: {
origin: /.*$/,
credentials: true
},
allowEIO3: true,
pingInterval: 120000, // server → client ping every 2 mins
pingTimeout: 120000 // wait up to 2 mins for client pong
});
server.on("connection", (socket) => {
serverSockets.add(socket);
socket.on("close", () => {
serverSockets.delete(socket);
});
});
Log.log(`Starting server on port ${port} ... `);
// Add explicit error handling BEFORE calling listen so we can give user-friendly feedback
server.once("error", (err) => {
if (err && err.code === "EADDRINUSE") {
const bindAddr = config.address || "localhost";
const portInUseMessage = [
"",
"────────────────────────────────────────────────────────────────",
` PORT IN USE: ${bindAddr}:${port}`,
"",
" Another process (most likely another MagicMirror instance)",
" is already using this port.",
"",
" Stop the other process (free the port) or use a different port.",
"────────────────────────────────────────────────────────────────"
].join("\n");
Log.error(portInUseMessage);
return;
}
Log.error("Failed to start server:", err);
});
server.listen(port, config.address || "localhost");
if (config.ipWhitelist instanceof Array && config.ipWhitelist.length === 0) {
Log.warn("You're using a full whitelist configuration to allow for all IPs");
}
app.use(ipAccessControl(config.ipWhitelist));
app.use(helmet(config.httpHeaders));
app.use("/js", express.static(__dirname));
if (config.hideConfigSecrets) {
app.get("/config/config.env", (req, res) => {
res.status(404).send("<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /config/config.env</pre>\n</body>\n</html>");
});
}
let directories = ["/config", "/css", "/favicon.svg", "/defaultmodules", "/modules", "/node_modules/animate.css", "/node_modules/@fontsource", "/node_modules/@fortawesome", "/translations", "/tests/configs", "/tests/mocks"];
for (const [key, value] of Object.entries(vendor)) {
const dirArr = value.split("/");
if (dirArr[0] === "node_modules") directories.push(`/${dirArr[0]}/${dirArr[1]}`);
}
const uniqDirs = [...new Set(directories)];
for (const directory of uniqDirs) {
app.use(directory, express.static(path.resolve(global.root_path + directory)));
}
const getConfig = (req, res) => {
if (config.hideConfigSecrets) {
res.send(configObj.redactedConf);
} else {
res.send(configObj.fullConf);
}
};
app.get("/cors", async (req, res) => await cors(req, res));
app.get("/version", (req, res) => getVersion(req, res));
app.get("/config", (req, res) => getConfig(req, res));
app.get("/startup", (req, res) => getStartup(req, res));
app.get("/env", (req, res) => getEnvVars(req, res));
app.get("/", (req, res) => getHtml(req, res));
// Reload endpoint for watch mode - triggers browser reload
app.get("/reload", (req, res) => {
Log.info("Reload request received, notifying all clients");
io.emit("RELOAD");
res.status(200).send("OK");
});
server.on("listening", () => {
resolve({
app,
io
});
});
});
};
/**
* Closes the server and destroys all lingering connections to it.
* @returns {Promise} A promise that resolves when server has successfully shut down
*/
this.close = function () {
return new Promise((resolve) => {
for (const socket of serverSockets.values()) {
socket.destroy();
}
server.close(resolve);
});
};
}
module.exports = Server;
Reference in New Issue View Git Blame Copy Permalink