v2/properties world readable with AUTH_DEFAULT_ROLES=denied #7546
Comments
Oof ping @bewest
Thanks for the report. I think there are several parts of the API that remain active when
Any others?
Of the affected endpoints, these two respond with information from the database:
These would be the files affected.
It looks like the definition of
These endpoints should be protected as reported in #7546.
@cryptoluks, thanks again for the high quality bug report. There are patches available for testing on the
* minimum attempt to protect /api/v2/ endpoints. These endpoints should be protected as reported in #7546.
* remove spurious line

Co-authored-by: Sulka Haro <sulka@sulka.net>
Describe the bug
/api/v2/properties endpoint not authenticated.

To Reproduce
Grab any nightscout server which has env AUTH_DEFAULT_ROLES=denied active and test endpoint:

Expected behavior
All API endpoints should follow the AUTH_DEFAULT_ROLES setting.

Your setup information
latest 195f1356c335, latest_dev 184a46dbce10 and several public instances.
ENABLE: careportal rawbg iob bridge

Additional context
Found out about the v2 API after iOS nightguard got glucose values without providing any token.
Please let me know if this may be desired behavior for some legacy devices, as nightguard called it Pebble API. As sugarmate and the webinterface seemingly can work without v2/properties, this maybe should be optional or at least mentioned in the hardening part of the docs.
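The authorization gap the report describes, as an added example that is not Nightscout's own code: a route table where /api/v2/properties is mounted without the permission check that /api/v1 routes go through, so an anonymous request still gets data even with AUTH_DEFAULT_ROLES=denied, plus a boot-time audit that lists such routes. The role names come from the issue; the permission strings, token table, sample payloads and all function names are constructed for this example.

```javascript
'use strict';

// Role -> permission patterns. Permissions are "area:resource:action" and
// '*' matches any segment. Role names mirror the AUTH_DEFAULT_ROLES values in
// the report ('readable', 'denied'); the permission strings are constructed.
const ROLES = {
  readable: ['api:*:read'],
  denied: [],
};

// Constructed token table standing in for per-subject access tokens.
const TOKENS = {
  'reader-token-abc': ['readable'],
};

// Roles for a request: a known token wins, otherwise AUTH_DEFAULT_ROLES applies.
function rolesFor(settings, token) {
  if (token && Object.prototype.hasOwnProperty.call(TOKENS, token)) {
    return TOKENS[token];
  }
  return String(settings.AUTH_DEFAULT_ROLES || '')
    .split(/[\s,]+/)
    .filter(Boolean);
}

function patternMatches(pattern, perm) {
  const p = pattern.split(':');
  const q = perm.split(':');
  return p.length === q.length && p.every((seg, i) => seg === '*' || seg === q[i]);
}

function permitted(roles, perm) {
  return roles.some((role) =>
    (ROLES[role] || []).some((pattern) => patternMatches(pattern, perm)));
}

// Route table. `checked: false` models a handler mounted without the
// authorization middleware, which is what the report describes for
// /api/v2/properties; `protectV2: true` models the fix.
function buildRoutes({ protectV2 }) {
  return [
    { path: '/api/v1/entries', perm: 'api:entries:read', checked: true,
      handler: () => [{ sgv: 120, direction: 'Flat' }] },          // constructed
    { path: '/api/v2/properties', perm: 'api:properties:read', checked: protectV2,
      handler: () => ({ bgnow: { sgvs: [{ mgdl: 120 }] } }) },    // constructed
  ];
}

// Dispatch one request and return an HTTP-like { status, body }.
function handle(routes, settings, req) {
  const route = routes.find((r) => r.path === req.path);
  if (!route) return { status: 404, body: null };
  if (route.checked) {
    const roles = rolesFor(settings, req.token);
    if (!permitted(roles, route.perm)) return { status: 401, body: null };
  }
  return { status: 200, body: route.handler() };
}

// Audit helper: every handler that answers without consulting roles at all.
// Run over the full route table at boot, an empty result is the property the
// report asks for ("all API endpoints should follow the setting").
function unprotectedRoutes(routes) {
  return routes.filter((r) => !r.checked).map((r) => r.path);
}
```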