## Release Notes

Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9

> ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change to previous release)

[Compare to previous Release v2.35.0](https://github.com/MagicMirrorOrg/MagicMirror/compare/v2.35.0...v2.36.0)

This release falls outside the quarterly schedule. We opted for an early release due to:

- Security fix for the internal cors proxy
- API change of the weather provider smhi
- Several bug fixes

### Breaking Changes

The cors proxy is now disabled by default. If required, it must be explicitly enabled in the `config.js` file. See the [documentation](https://docs.magicmirror.builders/configuration/cors.html).

### ⚠️ Security

Several MagicMirror² instances are publicly accessible. An instance should never be exposed this way: doing so makes its entire configuration, including secrets and API keys, publicly visible. Furthermore, it allows attackers to target the host; this is only prevented beginning with this release. Public MagicMirror² instances should always run behind a reverse proxy with authentication.
### [core] - Prepare Release 2.36.0 (#4126) - Allow HTTPFetcher to pass through 304 responses (#4120) - fix(http-fetcher): fall back to reloadInterval after retries exhausted (#4113) - config endpoint must handle functions in module configs (#4106) - fix replaceSecretPlaceholder (#4104) - restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102) - fix: prevent crash when config is undefined in socket handler (#4096) - fix cors function for alpine linux (#4091) - fix(cors): prevent SSRF via DNS rebinding (#4090) - add option to disable or restrict cors endpoint (#4087) - fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs (#4084) - chore: add permissions section to enforce pull-request rules workflow (#4079) - update version for develop ### [dependencies] - update dependencies (#4124) - chore: update dependencies (#4088) - refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080) ### [modules/newsfeed] - fix(newsfeed): prevent duplicate parse error callback when using pipeline (#4083) ### [modules/updatenotification] - fix(updatenotification): harden git command execution + simplify checkUpdates (#4115) - fix(tests): correct import path for git_helper module in updatenotification tests (#4078) ### [modules/weather] - fix(weather): use nearest openmeteo hourly data (#4123) - fix(weather): avoid loading state after reconnect (#4121) - weather: fix UV index display and add WeatherFlow precipitation (#4108) - fix(weather): restore OpenWeatherMap v2.5 support (#4101) - fix(weather): use stable instanceId to prevent duplicate fetchers (#4092) - SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082) ### [testing] - ci(actions): set explicit token permissions (#4114) - fix(http_fetcher): use undici.fetch when dispatcher is present (#4097) - ci(codeql): also scan develop branch on push and PR (#4086) - refactor: replace implicit global config with explicit global.config (#4085) --------- Signed-off-by: 
dependabot[bot] <support@github.com> Co-authored-by: sam detweiler <sdetweil@gmail.com> Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Co-authored-by: Veeck <github@veeck.de> Co-authored-by: veeck <gitkraken@veeck.de> Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com> Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com> Co-authored-by: Nathan <n8nyoung@gmail.com> Co-authored-by: mixasgr <mixasgr@users.noreply.github.com> Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr> Co-authored-by: Konstantinos <geraki@gmail.com> Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com> Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com> Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com> Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr> Co-authored-by: Koen Konst <koenspero@gmail.com> Co-authored-by: Koen Konst <c.h.konst@avisi.nl> Co-authored-by: dathbe <github@beffa.us> Co-authored-by: Marcel <m-idler@users.noreply.github.com> Co-authored-by: Kevin G. <crazylegstoo@gmail.com> Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com> Co-authored-by: Jboucly <contact@jboucly.fr> Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com> Co-authored-by: Jordan Welch <JordanHWelch@gmail.com> Co-authored-by: Blackspirits <blackspirits@gmail.com> Co-authored-by: Samed Ozdemir <samed@xsor.io> Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com> Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com> Co-authored-by: cgillinger <christian.gillinger@gmail.com> Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com> Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>
"use strict";
const electron = require("electron");
const core = require("./app");
const Log = require("./logger");
/*
 * Runtime configuration, handed over as a JSON string in the `config`
 * environment variable; an unset or empty variable yields an empty object.
 * createWindow() copies values from this object into the BrowserWindow
 * options, so the process environment is part of this file's trust boundary.
 */
let config = {};
if (process.env.config) {
	config = JSON.parse(process.env.config);
}

// Controller for the application's life cycle.
const { app } = electron;

/*
 * Hardware acceleration is switched off unless the env var
 * ELECTRON_ENABLE_GPU=1 is set on startup.
 * See https://www.electronjs.org/docs/latest/tutorial/offscreen-rendering for more info.
 */
if (process.env.ELECTRON_ENABLE_GPU !== "1") {
	app.disableHardwareAcceleration();
}

// Constructor used to create native browser windows.
const { BrowserWindow } = electron;

/*
 * Module-level reference to the window object. Without it the window would
 * be closed automatically once the JavaScript object is garbage collected.
 */
let mainWindow;
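/**
 * Creates the main MagicMirror² browser window, points it at the configured
 * server URL and registers the window's event handlers.
 *
 * Reads the module-level `config` and stores the new window in `mainWindow`.
 * @returns {void}
 */
function createWindow () {

	/*
	 * see https://www.electronjs.org/docs/latest/api/screen
	 * Create a window that fills the screen's available work area; fall back
	 * to 800x600 when the display cannot be queried.
	 */
	let electronSize = { width: 800, height: 600 };
	try {
		electronSize = electron.screen.getPrimaryDisplay().workAreaSize;
	} catch {
		Log.warn("Could not get display size, using defaults ...");
	}

	const electronSwitchesDefaults = ["autoplay-policy", "no-user-gesture-required"];

	/*
	 * NOTE(review): `Set` only reads its first argument, so
	 * config.electronSwitches has no effect here and only the default
	 * switch/value pair is appended. Confirm the intended shape of
	 * electronSwitches before changing this call.
	 */
	app.commandLine.appendSwitch(...new Set(electronSwitchesDefaults, config.electronSwitches));

	const electronOptionsDefaults = {
		width: electronSize.width,
		height: electronSize.height,
		icon: "favicon.svg",
		x: 0,
		y: 0,
		darkTheme: true,
		// Page scripts run isolated from the preload context and without Node.js APIs.
		webPreferences: {
			contextIsolation: true,
			nodeIntegration: false,
			zoomFactor: config.zoom
		},
		backgroundColor: "#000000",
		show: false,
		frame: false,
		transparent: true,
		hasShadow: false,
		fullscreen: true
	};

	/*
	 * The merge is shallow: a `webPreferences` object in config.electronOptions
	 * replaces the whole default object above, including the explicit
	 * contextIsolation/nodeIntegration values.
	 */
	const electronOptions = Object.assign({}, electronOptionsDefaults, config.electronOptions);

	if (process.env.MOCK_DATE !== undefined) {
		// if we are running tests and we want to mock the current date
		const fakeNow = new Date(process.env.MOCK_DATE).valueOf();
		Date = class extends Date {
			constructor (...args) {
				if (args.length === 0) {
					super(fakeNow);
				} else {
					super(...args);
				}
			}
		};
		const __DateNowOffset = fakeNow - Date.now();
		const __DateNow = Date.now;
		Date.now = () => __DateNow() + __DateNowOffset;
	}

	// Create the browser window.
	mainWindow = new BrowserWindow(electronOptions);

	/*
	 * and load the index.html of the app.
	 * If config.address is not defined, is an empty string or is "0.0.0.0"
	 * (listening on all interfaces), connect to localhost.
	 */
	const prefix = config.tls || config.useHttps ? "https://" : "http://";

	let address = config.address;
	if (address === undefined || address === "" || address === "0.0.0.0") {
		address = "localhost";
		// The fallback is written back to the shared config, as before.
		config.address = address;
	}

	// A bare IPv6 literal such as "::1" needs brackets to form a valid URL host.
	const host = typeof address === "string" && address.includes(":") && !address.startsWith("[") ? `[${address}]` : address;
	const port = process.env.MM_PORT || config.port;
	mainWindow.loadURL(`${prefix}${host}:${port}`);

	// Open the DevTools if run with "node --run start:dev"
	if (process.argv.includes("dev")) {
		if (process.env.mmTestMode) {
			// if we are running tests
			const devtools = new BrowserWindow(electronOptions);
			mainWindow.webContents.setDevToolsWebContents(devtools.webContents);
		}
		mainWindow.webContents.openDevTools();
	}

	// simulate mouse move to hide black cursor on start
	mainWindow.webContents.on("dom-ready", () => {
		mainWindow.webContents.sendInputEvent({ type: "mouseMove", x: 0, y: 0 });
	});

	// Set responders for window events.
	mainWindow.on("closed", () => {
		mainWindow = null;
	});

	// Returns a copy of `headers` without the entries whose name matches `pattern`.
	const withoutHeader = (headers, pattern) => {
		if (!headers) {
			return headers;
		}
		return Object.fromEntries(Object.entries(headers).filter(([name]) => !pattern.test(name)));
	};

	/*
	 * Remove response headers that prevent sites from being embedded into
	 * iframes, if configured. The handler is registered without a URL filter,
	 * so with either option enabled the header is dropped from every response
	 * in this window's session and the affected sites lose their own framing
	 * and content-security-policy protection inside MagicMirror².
	 */
	mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
		let curHeaders = details.responseHeaders;
		if (config.ignoreXOriginHeader) {
			curHeaders = withoutHeader(curHeaders, /x-frame-options/i);
		}

		if (config.ignoreContentSecurityPolicy) {
			curHeaders = withoutHeader(curHeaders, /content-security-policy/i);
		}

		callback({ responseHeaders: curHeaders });
	});

	// The window is created hidden (show: false) and revealed once it can paint.
	mainWindow.once("ready-to-show", () => {
		mainWindow.show();
	});
}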
/*
 * All windows have been closed: quit when running tests (mmTestMode is set),
 * otherwise create the window again.
 */
app.on("window-all-closed", () => {
	if (!process.env.mmTestMode) {
		createWindow();
		return;
	}

	// if we are running tests
	app.quit();
});
/*
 * On OS X it's common to re-create a window in the app when the
 * dock icon is clicked and there are no other windows open.
 * mainWindow is reset to null by the window's "closed" handler.
 */
app.on("activate", () => {
	const windowIsGone = mainWindow === null;
	if (windowIsGone) {
		createWindow();
	}
});
/*
 * Runs before Electron quits (e.g. when SIGINT is received) and stops the
 * core application first; per the original note this calls each
 * node_helper's stop function if it exists. Added to fix #1056
 *
 * Note: this is only used if running Electron. Otherwise
 * core.stop() is called by process.on("SIGINT"... in `app.js`
 */
app.on("before-quit", async (event) => {
	const forceQuitAfterMs = 3000;

	Log.log("Shutting down server...");

	// Hold back the default quit until the core has been stopped.
	event.preventDefault();

	// Safety net: force-quit after 3 seconds even if core.stop() has not settled.
	setTimeout(() => process.exit(0), forceQuitAfterMs);

	await core.stop();
	process.exit(0);
});
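/**
 * Handle errors from self-signed certificates.
 *
 * SECURITY NOTE(review): this handler accepts every certificate that fails
 * validation, for every URL requested by the app, not only for a self-signed
 * certificate of the MagicMirror² server itself. TLS therefore gives no
 * server authentication for any content loaded in the window. Consider
 * accepting the error only when `url` belongs to the configured server
 * (config.address / port) and rejecting it otherwise; that tightening is not
 * applied here because it could break setups that embed other self-signed
 * hosts.
 *
 * Each accepted error is logged so that unexpected certificate failures are
 * visible. Only the host is logged, since the full URL may carry query
 * parameters such as API keys.
 */
app.on("certificate-error", (event, webContents, url, error, certificate, callback) => {
	let host = "unknown host";
	try {
		host = new URL(url).host;
	} catch {
		// url could not be parsed; keep the placeholder
	}
	Log.warn(`Accepting certificate despite validation error for ${host}: ${error}`);

	event.preventDefault();
	callback(true);
});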
// Client-only mode (env var `clientonly` set): open the window as soon as Electron is ready.
if (process.env.clientonly) {
	const launchViewer = () => {
		Log.log("Launching client viewer application.");
		createWindow();
	};
	app.whenReady().then(launchViewer);
}
/*
 * Start the core application if the server is run on localhost, i.e.
 * config.address is one of the loopback names below or is not set.
 * This starts all node helpers and starts the webserver.
 * The configuration returned by core.start() replaces the module-level
 * `config` before the window is created.
 */
const localAddresses = ["localhost", "127.0.0.1", "::1", "::ffff:127.0.0.1", undefined];
if (localAddresses.includes(config.address)) {
	core.start().then((startedConfig) => {
		config = startedConfig;
		app.whenReady().then(() => {
			Log.log("Launching application.");
			createWindow();
		});
	});
}