Merge pull request #32 from nightscout/dev

sync dev
nightscout · Apr 16, 2019 · eafc1de · eafc1de
2 parents 09b0785 + 6223212
commit eafc1de
Show file tree

Hide file tree

Showing 25 changed files with 4,483 additions and 1,595 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -3,11 +3,12 @@
 **Table of Contents**
 
 - [Contributing to cgm-remote-monitor](#contributing-to-cgm-remote-monitor)
-  - [Design](#design)
+  - [Design & new features](#design--new-features)
   - [Develop on `dev`](#develop-on-dev)
   - [Style Guide](#style-guide)
   - [Create a prototype](#create-a-prototype)
   - [Submit a pull request](#submit-a-pull-request)
+  - [Bug fixing](#bug-fixing)
   - [Comments and issues](#comments-and-issues)
   - [Co-ordination](#co-ordination)
   - [Other Dev Tips](#other-dev-tips)
@@ -162,6 +163,7 @@ Also if you can't code, it's possible to contribute by improving the documentati
 [@tynbendad]: https://github.com/tynbendad
 [@unsoluble]: https://github.com/unsoluble
 [@viderehh]: https://github.com/viderehh
+[@OpossumGit]: https://github.com/OpossumGit
 
 | Contribution area                     | List of contributors |
 | ------------------------------------- | ---------------------------------- |
@@ -227,7 +229,7 @@ Languages with less than 90% coverage will be removed in a future Nightscout ver
 | Suomi (`fi`)|[@sulkaharo] |OK|
 | Français (`fr`)|Please volunteer|OK|
 | עברית (`he`)|Please volunteer|OK|
-| Hrvatski (`hr`)|Please volunteer|Needs attention: 47.8%|
+| Hrvatski (`hr`)|[@OpossumGit]|Needs attention: 47.8% - committed 100% to dev|
 | Italiano (`it`)|Please volunteer|OK|
 | 日本語 (`ja`)|[@LuminaryXion]|Working on this|
 | 한국어 (`ko`)|Please volunteer|Needs attention: 80.6%|
@@ -250,5 +252,5 @@ Languages with less than 90% coverage will be removed in a future Nightscout ver
 | ------------------------------------- | -------------------- |
 | All active developers: | [@jasoncalabrese] [@jpcunningh] [@jweismann] [@komarserjio] [@mdomox] [@MilosKozak] [@PieterGit] [@rickfriele] [@sulkaharo]
 | All active testers/documentors: | [@danamlewis] [@jamieowendexcom] [@mcdafydd] [@oteroos] [@rarneson] [@tynbendad] [@unsoluble]
-| All active translators: | [@apanasef] [@jizhongwen] [@viderehh] [@herzogmedia] [@LuminaryXion]
+| All active translators: | [@apanasef] [@jizhongwen] [@viderehh] [@herzogmedia] [@LuminaryXion] [@OpossumGit]
 
diff --git a/README.md b/README.md
@@ -48,6 +48,11 @@ Community maintained fork of the
 **Table of Contents**
 
 - [Install](#install)
+  - [Supported configurations:](#supported-configurations)
+  - [Minimum browser requirements for viewing the site:](#minimum-browser-requirements-for-viewing-the-site)
+  - [Windows installation software requirements:](#windows-installation-software-requirements)
+  - [Installation notes for users with nginx or Apache reverse proxy for SSL/TLS offloading:](#installation-notes-for-users-with-nginx-or-apache-reverse-proxy-for-ssltls-offloading)
+  - [Installation notes for Microsoft Azure, Windows:](#installation-notes-for-microsoft-azure-windows)
 - [Usage](#usage)
   - [Updating my version?](#updating-my-version)
   - [What is my mongo string?](#what-is-my-mongo-string)
@@ -60,7 +65,7 @@ Community maintained fork of the
     - [Alarms](#alarms)
     - [Core](#core)
     - [Predefined values for your browser settings (optional)](#predefined-values-for-your-browser-settings-optional)
-    - [Views](#views)
+    - [Predefined values for your server settings (optional)](#predefined-values-for-your-server-settings-optional)
     - [Plugins](#plugins)
       - [Default Plugins](#default-plugins)
         - [`delta` (BG Delta)](#delta-bg-delta)
@@ -108,7 +113,7 @@ Community maintained fork of the
 
 # Install
 
-Supported configurations:
+## Supported configurations:
 
 If you plan to use Nightscout, we recommend using [Heroku](http://www.nightscout.info/wiki/welcome/set-up-nightscout-using-heroku), as Nightscout can reach the usage limits of the free Azure plan and cause it to shut down for hours or days. If you end up needing a paid tier, the $7/mo Heroku plan is also much cheaper than the first paid tier of Azure. Currently, the only added benefit to choosing the $7/mo Heroku plan vs the free Heroku plan is a section showing site use metrics for performance (such as response time). This has limited benefit to the average Nightscout user. In short, Heroku is the free and best option for Nightscout hosting.
 
@@ -118,7 +123,7 @@ If you plan to use Nightscout, we recommend using [Heroku](http://www.nightscout
 - Linux based install (Debian, Ubuntu, Raspbian) install with own Node.JS and MongoDB install (see software requirements below)
 - Windows based install with own Node.JS and MongoDB install (see software requirements below)
 
-Minimum browser requirements for viewing the site:
+## Minimum browser requirements for viewing the site:
 
 - Android 4
 - Chrome 68
@@ -129,9 +134,9 @@ Minimum browser requirements for viewing the site:
 - Safari 11
 - Opera: 54
 
-Windows installation software requirements:
+## Windows installation software requirements:
 
-- [Node.js](http://nodejs.org/) Latest Node 8 LTS (Node 8.15.1 or later) or Node 10 LTS (Node 10.15.2 or later; Node 10.14.1 works for Azure). Use [Install instructions for Node](https://nodejs.org/en/download/package-manager/) or use `setup.sh`)
+- [Node.js](http://nodejs.org/) Latest Node 8 LTS (Node 8.15.1 or later) or Node 10 LTS (Node 10.15.2 or later; Node 10.14.1 works for Azure). Node versions that do not have the latest security patches will not work. Use [Install instructions for Node](https://nodejs.org/en/download/package-manager/) or use `setup.sh`)
 - [MongoDB](https://www.mongodb.com/download-center?jmp=nav#community) 3.x or later. MongoDB 2.4 is only supported for Raspberry Pi.
 
 As a non-root user clone this repo then install dependencies into the root of the project:
@@ -140,7 +145,15 @@ As a non-root user clone this repo then install dependencies into the root of th
 $ npm install
 ```
 
-Installation notes for Microsoft Azure, Windows: 
+## Installation notes for users with nginx or Apache reverse proxy for SSL/TLS offloading:
+
+- Set `INSECURE_USE_HTTP` to `false`, to be able to use non secure HTTP connections to Nightscout server
+- Your site redirects insecure connections to `https` by default. If you don't want that and use a Nginx or Apache proxy, set `INSECURE_USE_HTTP` to `true`. This will allow (unsafe) http traffic.
+- In case you use a proxy. Do not use an external network interfaces for hosting Nightscout. Make sure the unsecure port is not available from a remote network connection
+- HTTP Strict Transport Security (HSTS) headers are enabled by default, use settings `SECURE_HSTS_HEADER` and `SECURE_HSTS_HEADER_*`
+- See [Predefined values for your server settings](#predefined-values-for-your-server-settings-optional) for more details
+
+## Installation notes for Microsoft Azure, Windows: 
 
 - If deploying the software to Microsoft Azure, you must set ** in the app settings for *WEBSITE_NODE_DEFAULT_VERSION* and *SCM_COMMAND_IDLE_TIMEOUT* **before** you deploy the latest Nightscout or the site deployment will likely fail. Other hosting environments do not require this setting. Please use:
 ```
@@ -279,13 +292,14 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs.htm
   * `EDIT_MODE` (`on`) - possible values `on` or `off`. Enable or disable icon allowing enter treatments edit mode
 
 ### Predefined values for your server settings (optional)
-  * `INSECURE_USE_HTTP` (`false`) - Redirect http url's to https. Possible values `false`, or `true`.
+  * `INSECURE_USE_HTTP` (`false`) - Redirect unsafe http traffic to https. Possible values `false`, or `true`. Your site redirects to `https` by default. If you don't want that from Nightscout, but want to implement that with a Nginx or Apache proxy, set `INSECURE_USE_HTTP` to `true`. Note: This will allow (unsafe) http traffic to your Nightscout instance and is not recommended.
   * `SECURE_HSTS_HEADER` (`true`) - Add HTTP Strict Transport Security (HSTS) header. Possible values `false`, or `true`.
   * `SECURE_HSTS_HEADER_INCLUDESUBDOMAINS` (`false`) - includeSubdomains options for HSTS. Possible values `false`, or `true`.
   * `SECURE_HSTS_HEADER_PRELOAD` (`false`) - ask for preload in browsers for HSTS. Possible values `false`, or `true`.
-  * `SECURE_CSP` (`false`) - Add Content Security Policy headers. Possible values `false`, or `true`.  Currently Nightscout is not yet compatible with CSP.
-
- ### Views
+  * `SECURE_CSP` (`false`) - Add Content Security Policy headers. Possible values `false`, or `true`.
+  * `SECURE_CSP_REPORT_ONLY` (`false`) - If set to `true` allows to experiment with policies by monitoring (but not enforcing) their effects. Possible values `false`, or `true`.
+
+  ### Views
 
   There are a few alternate web views available that display a simplified BG stream. Append any of these to your Nightscout URL:
   * `/clock.html` - Shows current BG. Grey text on a black background.

diff --git a/app.js b/app.js
@@ -16,15 +16,17 @@ function create(env, ctx) {
     app.enable('trust proxy'); // Allows req.secure test on heroku https connections.
     var insecureUseHttp = env.insecureUseHttp;
     var secureHstsHeader = env.secureHstsHeader;
-    console.info('Security settings: INSECURE_USE_HTTP=',insecureUseHttp,', SECURE_HSTS_HEADER=',secureHstsHeader);
     if (!insecureUseHttp) {
+        console.info('Redirecting http traffic to https because INSECURE_USE_HTTP=', insecureUseHttp);
         app.use((req, res, next) => {
-        if (req.header('x-forwarded-proto') !== 'https')
+        if (req.header('x-forwarded-proto') == 'https' || req.secure) {
+            next();
+        } else {
             res.redirect(`https://${req.header('host')}${req.url}`);
-        else
-            next()
+        }
         })
         if (secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
+          console.info('Enabled SECURE_HSTS_HEADER (HTTP Strict Transport Security)');
           const helmet = require('helmet');
           var includeSubDomainsValue = env.secureHstsHeaderIncludeSubdomains;
           var preloadValue = env.secureHstsHeaderPreload;
@@ -34,19 +36,46 @@ function create(env, ctx) {
               includeSubDomains: includeSubDomainsValue,
               preload: preloadValue
             }
-          }))
+          }));
           if (env.secureCsp) {
+            var secureCspReportOnly= env.secureCspReportOnly;
+            if (secureCspReportOnly) {
+              console.info( 'Enabled SECURE_CSP (Content Security Policy header). Not enforcing. Report only.' );
+            } else {
+              console.info( 'Enabled SECURE_CSP (Content Security Policy header). Enforcing.' );
+            }
             app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
               directives: {
                 defaultSrc: ["'self'"],
                 styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
                 scriptSrc: ["'self'", "'unsafe-inline'"],
-                fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
-              }
+                fontSrc: [ "'self'", 'https://fonts.gstatic.com/', 'data:'],
+                imgSrc: [ "'self'", 'data:'],
+                objectSrc: ["'none'"], // Restricts <object>, <embed>, and <applet> elements
+                reportUri: '/report-violation',
+                frameAncestors: ["'none'"], // Clickjacking protection, using frame-ancestors
+                baseUri: ["'none'"], // Restricts use of the <base> tag
+                formAction: ["'self'"], // Restricts where <form> contents may be submitted
+              },
+              reportOnly: secureCspReportOnly
             }));
+            app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));
+            app.use(helmet.featurePolicy({ features: { payment: ["'none'"], } }));
+            app.use(bodyParser.json({type: ['json', 'application/csp-report'] }))
+              app.post('/report-violation', (req, res) => {
+                if (req.body) {
+                  console.log('CSP Violation: ', req.body) }
+                else {
+                  console.log('CSP Violation: No data received!')
+                }
+                res.status(204).end()
+              })
           }
         }
      }
+     else { 
+       console.info('Security settings: INSECURE_USE_HTTP=',insecureUseHttp,', SECURE_HSTS_HEADER=',secureHstsHeader);
+     }
 
     app.set('view engine', 'ejs');
     // this allows you to render .html files as templates in addition to .ejs
@@ -139,6 +168,12 @@ function create(env, ctx) {
         res.sendFile(__dirname + '/swagger.json');
     });
 
+    // expose swagger.yaml
+    app.get('/swagger.yaml', function(req, res) {
+        res.sendFile(__dirname + '/swagger.yaml');
+    });
+
+
 /*
     if (env.settings.isEnabled('dumps')) {
         var heapdump = require('heapdump');

diff --git a/docs/plugins/maker-setup.md b/docs/plugins/maker-setup.md
@@ -1,3 +1,24 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
+
+- [Nightscout/IFTTT Maker](#nightscoutifttt-maker)
+  - [Overview](#overview)
+      - [Note: There have been some recent reports of the IFTTT service delaying Nightscout alarms. Be sure to test your implementation before relying solely on its alerts. Pushover is an alternate push notification service that might be worth considering as well.](#note-there-have-been-some-recent-reports-of-the-ifttt-service-delaying-nightscout-alarms-be-sure-to-test-your-implementation-before-relying-solely-on-its-alerts-pushover-is-an-alternate-push-notification-service-that-might-be-worth-considering-as-well)
+  - [Events](#events)
+  - [Creating an Applet](#creating-an-applet)
+    - [1. Choose a Service](#1-choose-a-service)
+    - [2. Choose a Trigger](#2-choose-a-trigger)
+    - [3. Complete the Trigger field](#3-complete-the-trigger-field)
+    - [4. Create an Action](#4-create-an-action)
+    - [5. Complete Action Fields](#5-complete-action-fields)
+    - [6. Review and Finish](#6-review-and-finish)
+    - [7. Get your Maker Key](#7-get-your-maker-key)
+    - [8. Configure your Nightscout site](#8-configure-your-nightscout-site)
+    - [9. Configure the IFTTT mobile app](#9-configure-the-ifttt-mobile-app)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 **Table of Contents**
 
 - [Nightscout/IFTTT Maker](#nightscoutifttt-maker)

diff --git a/env.js b/env.js
@@ -61,7 +61,7 @@ function setSSL() {
   env.secureHstsHeaderIncludeSubdomains = readENVTruthy("SECURE_HSTS_HEADER_INCLUDESUBDOMAINS", false);
   env.secureHstsHeaderPreload= readENVTruthy("SECURE_HSTS_HEADER_PRELOAD", false);
   env.secureCsp = readENVTruthy("SECURE_CSP", false);
-
+  env.secureCspReportOnly = readENVTruthy("SECURE_CSP_REPORT_ONLY", false);
 }
 
 // A little ugly, but we don't want to read the secret into a var

diff --git a/lib/client/index.js b/lib/client/index.js
@@ -1077,8 +1077,6 @@ client.load = function load(serverSettings, callback) {
   $('.foodcontrol').toggle(client.settings.enable.indexOf('food') > -1);
   // hide cob control if not enabled
   $('.cobcontrol').toggle(client.settings.enable.indexOf('cob') > -1);
-  // hide profile controls if not enabled
-  $('.profilecontrol').toggle(client.settings.enable.indexOf('profile') > -1);
   container.toggleClass('has-minor-pills', client.plugins.hasShownType('pill-minor', client.settings));
 
   function prepareEntries ( ) {