Hi
I am working on some security updates that involve locking down some RED.httpAdmin
endpoints.
// Admin endpoint that reports the installed zwave-js version, the @zwave-js/config
// dependency version declared by zwave-js, and this module's own version.
// RED.auth.needsPermission('flows.read') runs before the handler, so when admin auth
// is enabled a request without a valid token never reaches the version lookup.
RED.httpAdmin.get(
  '/zwave-js/cfg-version',
  RED.auth.needsPermission('flows.read'),
  (req, res) => {
    // Evict the cached manifest so the reply reflects what is on disk right now.
    const manifestPath = require.resolve('zwave-js/package.json');
    delete require.cache[manifestPath];
    const zwaveManifest = require('zwave-js/package.json');

    const versionInfo = {
      zwjsversion: zwaveManifest.version,
      zwjscfgversion: zwaveManifest.dependencies['@zwave-js/config'],
      moduleversion: ModulePackage.version
    };
    res.json(versionInfo);
  }
);
This is called from oneditprepare:
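// Fetch the version details from the admin API and show them in the edit dialog.
//
// The Node-RED editor's global ajax setup attaches "Authorization: Bearer ..." only to
// relative URLs, which keeps the access token from being sent to absolute paths or
// other origins. The original url '/zwave-js/cfg-version' (leading slash) was treated
// as absolute, so it went out without the token and the permission check answered 401.
// The relative form below gets the header and also resolves against the editor's base
// path instead of the server root.
$.ajax({
  url: 'zwave-js/cfg-version',
  cache: false,
  dataType: 'json',
  method: 'GET',
  success: function (data) {
    $('#MOD_Version').val(data.moduleversion);
    $('#ZWJS_Version').val(data.zwjsversion);
    $('#ZWJS_CFGVersion').val(data.zwjscfgversion);
  },
  error: function (jqXHR) {
    // Surface auth/permission failures instead of leaving the fields silently empty.
    console.warn('zwave-js/cfg-version request failed with status ' + jqXHR.status);
  }
});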
However, it seems this request does not include the Bearer token in the header, and of course we get 401 Unauthorized.
I read that you set up the ajax framework to include the Bearer token?
Am I missing something?
Other $.ajax calls do include the header, e.g. in my js file that drives a custom UI tab;
the problem seems to be limited to the HTML file -> oneditprepare.
Thank you please!