kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2026-04-23 22:37:01 +00:00
Code Issues Projects Releases Wiki Activity
Files
b9481d27fa13f85c793cfcbf3b166ea4ed8b06ed
MagicMirror/js/server_functions.js
Karsten Hassel 9dd964e004 change loading config.js, allow variables in config.js and try to protect sensitive data (#4029) 
## Loading `config.js`

### Previously

Loaded on server-side in `app.js` and in the browser by including
`config.js` in `index.html`. The web server has an endpoint `/config`
providing the content of server loaded `config.js`.

### Now

Loaded only on server-side in `app.js`. The browser loads the content
using the web server endpoint `/config`. So the server has control what
to provide to the clients.

Loading the `config.js` was moved to `Utils.js` so that
`check_config.js` can use the same functions.

## Using environment variables in `config.js`

### Previously

Environment variables were not allowed in `config.js`. The workaround
was to create a `config.js.template` with curly braced bash variables
allowed. While starting the app the `config.js.template` was converted
via `envsub` into a `config.js`.

### Now

Curly braced bash variables are allowed in `config.js`. Because only the
server loads `config.js` he can substitute the variables while loading.

## Secrets in MagicMirror²

To be honest, this is a mess.

### Previously

All content defined in the `config` directory was reachable from the
browser. Everyone with access to the site could see all stuff defined in
the configuration e.g. using the url http://ip:8080/config. This
included api keys and other secrets.

So sharing a MagicMirror² url to others or running MagicMirror² without
authentication as public website was not possible.

### Now

With this PR we add (beta) functionality to protect sensitive data. This
is only possible for modules running with a `node_helper`. For modules
running in the browser only (e.g. default `weather` module), there is no
way to hide data (per construction). This does not mean, that every
module with `node_helper` is safe, e.g. the default `calendar` module is
not safe because it uses the calendar url's as sort of id and sends them
to the client.

For adding more security you have to set `hideConfigSecrets: true` in
`config.js`. With this:
- `config/config.env` is not deliverd to the browser
- the contents of environment variables beginning with `SECRET_` are not
published to the clients

This is a first step to protect sensitive data and you can at least
protect some secrets.
2026-02-06 00:21:35 +01:00

190 lines
5.6 KiB
JavaScript
Raw Blame History

const fs = require("node:fs");
const path = require("node:path");
const Log = require("logger");
const startUp = new Date();
/**
* Gets the startup time.
* @param {Request} req - the request
* @param {Response} res - the result
*/
function getStartup (req, res) {
res.send(startUp);
}
/**
* A method that forwards HTTP Get-methods to the internet to avoid CORS-errors.
*
* Example input request url: /cors?sendheaders=header1:value1,header2:value2&expectedheaders=header1,header2&url=http://www.test.com/path?param1=value1
*
* Only the url-param of the input request url is required. It must be the last parameter.
* @param {Request} req - the request
* @param {Response} res - the result
* @returns {Promise<void>} A promise that resolves when the response is sent
*/
async function cors (req, res) {
try {
const urlRegEx = "url=(.+?)$";
let url;
const match = new RegExp(urlRegEx, "g").exec(req.url);
if (!match) {
url = `invalid url: ${req.url}`;
Log.error(url);
return res.status(400).send(url);
} else {
url = match[1];
const headersToSend = getHeadersToSend(req.url);
const expectedReceivedHeaders = geExpectedReceivedHeaders(req.url);
Log.log(`cors url: ${url}`);
const response = await fetch(url, { headers: headersToSend });
if (response.ok) {
for (const header of expectedReceivedHeaders) {
const headerValue = response.headers.get(header);
if (header) res.set(header, headerValue);
}
const data = await response.text();
res.send(data);
} else {
throw new Error(`Response status: ${response.status}`);
}
}
} catch (error) {
// Only log errors in non-test environments to keep test output clean
if (process.env.mmTestMode !== "true") {
Log.error(`Error in CORS request: ${error}`);
}
res.status(500).json({ error: error.message });
}
}
/**
* Gets headers and values to attach to the web request.
* @param {string} url - The url containing the headers and values to send.
* @returns {object} An object specifying name and value of the headers.
*/
function getHeadersToSend (url) {
const headersToSend = { "User-Agent": getUserAgent() };
const headersToSendMatch = new RegExp("sendheaders=(.+?)(&|$)", "g").exec(url);
if (headersToSendMatch) {
const headers = headersToSendMatch[1].split(",");
for (const header of headers) {
const keyValue = header.split(":");
if (keyValue.length !== 2) {
throw new Error(`Invalid format for header ${header}`);
}
headersToSend[keyValue[0]] = decodeURIComponent(keyValue[1]);
}
}
return headersToSend;
}
/**
* Gets the headers expected from the response.
* @param {string} url - The url containing the expected headers from the response.
* @returns {string[]} headers - The name of the expected headers.
*/
function geExpectedReceivedHeaders (url) {
const expectedReceivedHeaders = ["Content-Type"];
const expectedReceivedHeadersMatch = new RegExp("expectedheaders=(.+?)(&|$)", "g").exec(url);
if (expectedReceivedHeadersMatch) {
const headers = expectedReceivedHeadersMatch[1].split(",");
for (const header of headers) {
expectedReceivedHeaders.push(header);
}
}
return expectedReceivedHeaders;
}
/**
* Gets the HTML to display the magic mirror.
* @param {Request} req - the request
* @param {Response} res - the result
*/
function getHtml (req, res) {
let html = fs.readFileSync(path.resolve(`${global.root_path}/index.html`), { encoding: "utf8" });
html = html.replace("#VERSION#", global.version);
html = html.replace("#TESTMODE#", global.mmTestMode);
res.send(html);
}
/**
* Gets the MagicMirror version.
* @param {Request} req - the request
* @param {Response} res - the result
*/
function getVersion (req, res) {
res.send(global.version);
}
/**
* Gets the preferred `User-Agent`
* @returns {string} `User-Agent` to be used
*/
function getUserAgent () {
const defaultUserAgent = `Mozilla/5.0 (Node.js ${Number(process.version.match(/^v(\d+\.\d+)/)[1])}) MagicMirror/${global.version}`;
if (typeof config === "undefined") {
return defaultUserAgent;
}
switch (typeof config.userAgent) {
case "function":
return config.userAgent();
case "string":
return config.userAgent;
default:
return defaultUserAgent;
}
}
/**
* Gets environment variables needed in the browser.
* @returns {object} environment variables key: values
*/
function getEnvVarsAsObj () {
const obj = { modulesDir: `${config.foreignModulesDir}`, defaultModulesDir: `${config.defaultModulesDir}`, customCss: `${config.customCss}` };
if (process.env.MM_MODULES_DIR) {
obj.modulesDir = process.env.MM_MODULES_DIR.replace(`${global.root_path}/`, "");
}
if (process.env.MM_CUSTOMCSS_FILE) {
obj.customCss = process.env.MM_CUSTOMCSS_FILE.replace(`${global.root_path}/`, "");
}
return obj;
}
/**
* Gets environment variables needed in the browser.
* @param {Request} req - the request
* @param {Response} res - the result
*/
function getEnvVars (req, res) {
const obj = getEnvVarsAsObj();
res.send(obj);
}
/**
* Get the config file path from environment or default location
* @returns {string} The absolute config file path
*/
function getConfigFilePath () {
// Ensure root_path is set (for standalone contexts like watcher)
if (!global.root_path) {
global.root_path = path.resolve(`${__dirname}/../`);
}
// Check environment variable if global not set
if (!global.configuration_file && process.env.MM_CONFIG_FILE) {
global.configuration_file = process.env.MM_CONFIG_FILE;
}
return path.resolve(global.configuration_file || `${global.root_path}/config/config.js`);
}
module.exports = { cors, getHtml, getVersion, getStartup, getEnvVars, getEnvVarsAsObj, getUserAgent, getConfigFilePath };
Reference in New Issue View Git Blame Copy Permalink