Implement security features and enhance UI interactions

- Added a new security management system, allowing for admin password setup and UI locking mechanisms.
- Introduced a security tab in the settings for configuring lock UI styles and managing admin access.
- Updated the controller script to handle security status checks and UI updates based on security state.
- Enhanced the message list and upload log widgets to support additional metadata, including descriptions.
- Improved CSS styles for the controller and lock icons to enhance visual feedback and user interaction.
- Updated server routes to include security management, ensuring proper access control for configuration changes.

Author: sfc-gh-rgoldin

.gitignore

@@ -277,3 +277,5 @@ uploads/
 *.pem
 ssl/
 scripts/.DS_Store
+
+.plan/

defaultConfig.json

@@ -20,8 +20,7 @@
         "sslCertFile": "/ssl/cert.pem"
       },
       "mdns": { "enabled": false },
-      "sspd": { "enabled": false },
-      "services": {}
+      "sspd": { "enabled": false }
     },
     "services": {
       "protocol": "http://",
@@ -42,6 +41,12 @@
       "sendLogMessages":  false
     }
   },
+  "security": {
+    "enabled": false,
+    "lockUiStyle": "LOCKED_VISIBLE",
+    "adminPasswordSalt": "",
+    "adminPasswordHash": ""
+  },
   "dashboard": { "startPage": "index.html" },
   "log": {
     "app": {

pages/index.html

@@ -54,6 +54,7 @@
 
     <link id="cssref_intellibrite" rel="stylesheet" type="text/css" href="themes/intellibrite.css" />
     <link id="cssref_widgets" rel="stylesheet" type="text/css" href="themes/widgets.css" />
+    <link id="cssref_controller" rel="stylesheet" type="text/css" href="themes/controller.css" />
     <link id="cssref_config" rel="stylesheet" type="text/css" href="themes/configPage.css" />
     <link id="cssref_dash" rel="stylesheet" type="text/css" href="themes/dashboard.css" />
     <script type="text/javascript">

pages/messageManager.html

@@ -27,6 +27,7 @@
     <link rel="stylesheet" type="text/css" href="jquery-ui/jquery-ui.theme.css" />
     <link rel="stylesheet" type="text/css" href="font-awesome/css/all.css" />
     <link rel="stylesheet" type="text/css" href="themes/widgets.css" />
+    <link rel="stylesheet" type="text/css" href="themes/controller.css" />
     <link rel="stylesheet" type="text/css" href="themes/vlist.css" />
     <link rel="stylesheet" type="text/css" href="themes/messageManager.css" />
     <!-- Blank stylesheet for message responses -->

scripts/controller.js

@@ -1,7 +1,7 @@
 (function ($) {
     $.widget("pic.messageList", {
         options: {
-            receivingMessages: false, pinScrolling: false, changesOnly: false, messageKeys: {}, contexts: {}, messages: {}, portFilters: [], filters: [], rowIds: [], ports: [], expandedRows: {}, loadedFilename: null
+            receivingMessages: false, pinScrolling: false, changesOnly: false, messageKeys: {}, contexts: {}, messages: {}, portFilters: [], filters: [], rowIds: [], ports: [], expandedRows: {}, loadedFilename: null, loadedDescription: null
         },
         _create: function () {
             var self = this, o = self.options, el = self.element;
@@ -1496,7 +1496,11 @@
             var self = this, o = self.options, el = self.element;
             var titleSpan = el.find('div.picMessageListTitle:first > span');
             if (o.loadedFilename) {
-                titleSpan.text('Messages - Loaded from ' + o.loadedFilename);
+                var title = 'Messages - Loaded from ' + o.loadedFilename;
+                if (o.loadedDescription) {
+                    title += ' - ' + o.loadedDescription;
+                }
+                titleSpan.text(title);
             }
             else {
                 titleSpan.text('Messages');
@@ -1509,8 +1513,9 @@
                 if (o.receivingMessages) {
                     el.find('div.picStartLogs > i').removeClass('far').addClass('fas');
                     el.find('div.picStartLogs').addClass('selected');
-                    // Clear the loaded filename when starting live logging
+                    // Clear the loaded filename and description when starting live logging
                     o.loadedFilename = null;
+                    o.loadedDescription = null;
                     self._updateTitle();
                 }
                 else {

scripts/messages/messageList/messageList.widget.js

@@ -14,8 +14,9 @@
             $('<hr></hr>').appendTo(line);
             line = $('<div></div>').appendTo(div);
             var fset = $('<fieldset></fieldset>').appendTo(line);
-            $('<legend></legend>').appendTo(fset).text('Options');
+            $('<legend></legend>').appendTo(fset).text('Description');
             line = $('<div></div>').appendTo(fset);
+            $('<div></div>').appendTo(line).inputField({ binding: 'description', labelText: '', inputAttrs: { style: { width: '100%' } } });
             //$('<div></div>').appendTo(line).pickList({
             //    displayColumn:0,
             //    labelText: 'Playback To', binding: 'playbackTo',
@@ -61,10 +62,11 @@
                         }
                         else {
                             msgList.clear();
-                            // Store the filename and update the title
+                            // Store the filename, description and update the title
                             var msgListWidget = $('div.picMessages:first').data('pic-messageList');
                             if (msgListWidget && filename) {
                                 msgListWidget.options.loadedFilename = filename;
+                                msgListWidget.options.loadedDescription = opts.description || '';
                                 msgListWidget._updateTitle();
                             }
                             self._processNextMessage(msgList, progress[0], data);

scripts/messages/messageList/uploadLog.widget.js

@@ -264,6 +264,21 @@ function makeBool(val) {
     }
     return false;
 }
+function _redactForLog(url, data) {
+    try {
+        var u = (url || '').toString().toLowerCase();
+        // Redact any security-related payloads (passwords, pins, etc.)
+        if (u.indexOf('/security/') !== -1) {
+            return { redacted: true };
+        }
+        // Redact common sensitive keys if present
+        var s = (typeof data === 'string') ? data : JSON.stringify(data);
+        if (typeof s === 'string' && s.match(/password|pin|secret|token/i)) {
+            return { redacted: true };
+        }
+    } catch (e) { }
+    return data;
+}
 // PUT and Delete for ReST calls.
 jQuery.each(["put", "delete"], function (i, method) {
     jQuery[method] = function (url, data, callback, type) {
@@ -343,13 +358,15 @@ jQuery.each(['get', 'put', 'delete', 'post'], function (i, method) {
         successCallback = $.mergeCallbacks(successCallback, cbShowSuccess);
         errorCallback = $.mergeCallbacks(errorCallback, cbShowError);
         completeCallback = $.mergeCallbacks(completeCallback, cbComplete);
-        console.log({ method: method, url: url, data: typeof data === 'string' ? data : JSON.stringify(data) });
+        console.log({ method: method, url: url, data: _redactForLog(url, (typeof data === 'string' ? data : JSON.stringify(data))) });
+        // Treat null like undefined (prevents "?null" from being appended on GET requests)
+        if (data === null) data = undefined;
         return jQuery.ajax({
             url: serviceUrl,
             type: method,
             dataType: 'json',
             contentType: 'application/json; charset=utf-8',
-            data: typeof data === 'string' ? data : JSON.stringify(data),
+            data: typeof data === 'undefined' ? undefined : (typeof data === 'string' ? data : JSON.stringify(data)),
             error: errorCallback,
             success: successCallback,
             complete: completeCallback
@@ -421,13 +438,15 @@ jQuery.each(['get', 'put', 'delete', 'post'], function (i, method) {
         successCallback = $.mergeCallbacks(successCallback, cbShowSuccess);
         errorCallback = $.mergeCallbacks(errorCallback, cbShowError);
         completeCallback = $.mergeCallbacks(completeCallback, cbComplete);
-        console.log({ method: method, url: url, data: typeof data === 'string' ? data : JSON.stringify(data) });
+        console.log({ method: method, url: url, data: _redactForLog(url, (typeof data === 'string' ? data : JSON.stringify(data))) });
+        // Treat null like undefined (prevents "?null" from being appended on GET requests)
+        if (data === null) data = undefined;
         return jQuery.ajax({
             url: serviceUrl,
             type: method,
             dataType: 'json',
             contentType: 'application/json; charset=utf-8',
-            data: typeof data === 'string' ? data : JSON.stringify(data),
+            data: typeof data === 'undefined' ? undefined : (typeof data === 'string' ? data : JSON.stringify(data)),
             error: errorCallback,
             success: successCallback,
             complete: completeCallback
@@ -482,14 +501,16 @@ jQuery.each(['get', 'put', 'delete', 'post'], function (i, method) {
         successCallback = $.mergeCallbacks(successCallback, cbShowSuccess);
         errorCallback = $.mergeCallbacks(errorCallback, cbShowError);
         completeCallback = $.mergeCallbacks(completeCallback, cbComplete);
-        console.log({ method: method, url: url, data: typeof data === 'string' ? data : JSON.stringify(data) });
+        console.log({ method: method, url: url, data: _redactForLog(url, (typeof data === 'string' ? data : JSON.stringify(data))) });
+        // Treat null like undefined (prevents "?null" from being appended on GET requests)
+        if (data === null) data = undefined;
         return jQuery.ajax({
             url: serviceUrl,
             type: method,
             dataType: 'binary',
             processData: false,
             contentType: 'application/json; charset=utf-8',
-            data: typeof data === 'string' ? data : JSON.stringify(data),
+            data: typeof data === 'undefined' ? undefined : (typeof data === 'string' ? data : JSON.stringify(data)),
             cache: false,
             xhrFields: { responseType: 'blob' },
             error: errorCallback,
@@ -4333,6 +4354,24 @@ $.pic.modalDialog.closeDialog = function (el) {
     return dlg;
 };
 $.pic.modalDialog.createApiError = function (err, options) {
+    try {
+        // For guest-facing security flows, don't show stack traces.
+        // Example: /security/unlock invalid password should show a simple message.
+        if (err && err.httpCode === 401 && err.error && typeof err.error.message === 'string' &&
+            err.error.message.toLowerCase().indexOf('invalid admin password') !== -1) {
+            return $.pic.modalDialog.createConfirm('dlgIncorrectPassword', {
+                autoOpen: false,
+                height: 'auto',
+                width: '22rem',
+                modal: true,
+                title: 'Incorrect Password',
+                message: '<div class="info-message">Incorrect password.</div>',
+                buttons: [
+                    { text: 'Close', icon: '<i class="far fa-window-close"></i>', click: function () { $.pic.modalDialog.closeDialog(this); } }
+                ]
+            });
+        }
+    } catch (e) { }
     var opt = typeof options !== 'undefined' && options !== null ? options : {
         autoOpen: false,
         height: 'auto',

scripts/widgets.js

@@ -15,6 +15,7 @@ import { UploadRoute, BackgroundUpload } from "./upload/upload";
 import { setTimeout } from "timers";
 import { ConfigRoute } from "./api/Config";
 import { MessagesRoute } from "./api/Messages";
+import { SecurityRoute } from "./api/Security";
 import { Timestamp, utils } from "./Constants";
 import { RelayRoute, njsPCRelay } from "./relay/relayRoute";
 import { Namespace, RemoteSocket, Server as SocketIoServer, Socket } from "socket.io";
@@ -155,10 +156,16 @@ export class HttpServer extends ProtoServer {
             this.app.use('/jquery-ui', express.static(path.join(process.cwd(), '/node_modules/jquery-ui-dist/'), { maxAge: '60d' }));
             this.app.use('/jquery-ui-touch-punch', express.static(path.join(process.cwd(), '/node_modules/jquery-ui-touch-punch-c/'), { maxAge: '60d' }));
             this.app.use('/font-awesome', express.static(path.join(process.cwd(), '/node_modules/@fortawesome/fontawesome-free/'), { maxAge: '60d' }));
-            this.app.use('/scripts', express.static(path.join(process.cwd(), '/scripts/'), { maxAge: '1d' }));
+            // Do not aggressively cache app scripts; we ship updates by replacing files in-place.
+            this.app.use('/scripts', (req, res, next) => {
+                res.setHeader('Cache-Control', 'no-store');
+                next();
+            });
+            this.app.use('/scripts', express.static(path.join(process.cwd(), '/scripts/'), { maxAge: 0 }));
             this.app.use('/themes', express.static(path.join(process.cwd(), '/themes/'), { maxAge: '1d' }));
             this.app.use('/icons', express.static(path.join(process.cwd(), '/themes/icons'), { maxAge: '1d' }));
             RelayRoute.initRoutes(this.app);
+            SecurityRoute.initRoutes(this.app);
             ConfigRoute.initRoutes(this.app);
             MessagesRoute.initRoutes(this.app);
             UploadRoute.initRoutes(this.app);
@@ -304,6 +311,7 @@ export class HttpsServer extends HttpServer {
                 return value;
             });
 
+	    SecurityRoute.initRoutes(this.app);
 	    ConfigRoute.initRoutes(this.app);
 	    // StateRoute.initRoutes(this.app);
 	    // UtilitiesRoute.initRoutes(this.app);
@@ -317,10 +325,16 @@ export class HttpsServer extends HttpServer {
             this.app.use('/jquery-ui', express.static(path.join(process.cwd(), '/node_modules/jquery-ui-dist/'), { maxAge: '60d' }));
             this.app.use('/jquery-ui-touch-punch', express.static(path.join(process.cwd(), '/node_modules/jquery-ui-touch-punch-c/'), { maxAge: '60d' }));
             this.app.use('/font-awesome', express.static(path.join(process.cwd(), '/node_modules/@fortawesome/fontawesome-free/'), { maxAge: '60d' }));
-            this.app.use('/scripts', express.static(path.join(process.cwd(), '/scripts/'), { maxAge: '1d' }));
+            // Do not aggressively cache app scripts; we ship updates by replacing files in-place.
+            this.app.use('/scripts', (req, res, next) => {
+                res.setHeader('Cache-Control', 'no-store');
+                next();
+            });
+            this.app.use('/scripts', express.static(path.join(process.cwd(), '/scripts/'), { maxAge: 0 }));
             this.app.use('/themes', express.static(path.join(process.cwd(), '/themes/'), { maxAge: '1d' }));
             this.app.use('/icons', express.static(path.join(process.cwd(), '/themes/icons'), { maxAge: '1d' }));
             RelayRoute.initRoutes(this.app);
+            SecurityRoute.initRoutes(this.app);
             ConfigRoute.initRoutes(this.app);
             MessagesRoute.initRoutes(this.app);
             UploadRoute.initRoutes(this.app);

server/Server.ts

@@ -8,6 +8,7 @@ import { config } from "../config/Config";
 import { logger } from "../logger/Logger";
 import { versionCheck } from '../config/VersionCheck';
 import { njsPCRelay } from "../relay/relayRoute";
+import { securityService } from "../security/SecurityService";
 export class ConfigRoute {
     public static initRoutes(app: express.Application) {
         app.get('/config/serviceUri', (req, res, next) => {
@@ -22,6 +23,7 @@ export class ConfigRoute {
         });
         app.put('/config/serviceUri', async (req, res, next) => {
             try {
+                securityService.requireUnlocked();
                 let srv = extend(true, {}, config.getSection('web.services'), req.body);
                 config.setSection('web.services', srv);
                 njsPCRelay.init();
@@ -97,11 +99,24 @@ export class ConfigRoute {
             catch (err) { console.log(err); return res.status(500).send(err); }
         });
         app.get('/config/:section', (req, res) => { return res.status(200).send(config.getSection(req.params.section)); });
-        app.put('/config/:section', (req, res) => {
+        app.put('/config/:section', (req, res, next) => {
             try {
-                config.setSection(req.params.section, req.body);
+                securityService.requireUnlocked();
+                // Protect critical nested config sections from accidental clobbering.
+                // Example: /config/web.services should not allow deleting protocol/ip/port by sending a partial object.
+                if (req.params.section === 'web.services') {
+                    const merged = extend(true, {}, config.getSection('web.services'), req.body);
+                    config.setSection('web.services', merged);
+                }
+                else if (req.params.section === 'security') {
+                    const merged = extend(true, {}, config.getSection('security'), req.body);
+                    config.setSection('security', merged);
+                }
+                else {
+                    config.setSection(req.params.section, req.body);
+                }
             }
-            catch (err) { return res.status(400).send(new Error(err)); }
+            catch (err) { return next(err); }
             return res.status(200).send(config.getSection(req.params.section));
         });
         app.get('/options', (req, res) => {