Dashboard with internal / external detection via ui_control safe?

Hi!

I made a flow to detect whether a client comes from internal net or from the internet via port forwarding and switch on/off the desired groups.

```json
[{"id":"9dc0c3cc.e12318","type":"ui_ui_control","z":"90b5fc30.4ddc6","name":"","events":"all","x":300,"y":140,"wires":[["782ec1ee.d9dbc8"]]},{"id":"d4a07d23.61b47","type":"inject","z":"90b5fc30.4ddc6","name":"Init UI","topic":"","payload":"","payloadType":"date","repeat":"","crontab":"","once":true,"onceDelay":0.1,"x":130,"y":140,"wires":[["9dc0c3cc.e12318"]]},{"id":"2f35f118.4b0b9e","type":"file","z":"90b5fc30.4ddc6","name":"Protocol website access","filename":"dashboard.txt","appendNewline":true,"createDir":false,"overwriteFile":"false","encoding":"none","x":1250,"y":120,"wires":[[]]},{"id":"29ebdfe8.b6ad08","type":"function","z":"90b5fc30.4ddc6","name":"Protocol","func":"zeit = new Date().toLocaleString();\n\nmsg.payload = zeit+\": call from \"+msg.socketip+\" ID:\"+msg.socketid;\n\n\nreturn msg;","outputs":1,"noerr":0,"x":900,"y":120,"wires":[["2f35f118.4b0b9e"]]},{"id":"782ec1ee.d9dbc8","type":"switch","z":"90b5fc30.4ddc6","name":"","property":"socketip","propertyType":"msg","rules":[{"t":"eq","v":"192.168.2.2","vt":"str"},{"t":"cont","v":"192.168.2","vt":"str"},{"t":"else"}],"checkall":"false","repair":false,"outputs":3,"x":490,"y":140,"wires":[["72b1c083.cf6c88","29ebdfe8.b6ad08"],["2bd9a816.82db4"],["29ebdfe8.b6ad08","7a8cc4d2.d39ddc"]],"outputLabels":["","Intern","Extern"]},{"id":"59c447f7.1e166","type":"ui_ui_control","z":"90b5fc30.4ddc6","name":"","events":"all","x":920,"y":200,"wires":[["4718f512.23e66c"]]},{"id":"2bd9a816.82db4","type":"change","z":"90b5fc30.4ddc6","name":"Internal","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"hide\":[\"Tab_External\",\"Tab_User1\"],\"show\":[\"Tab_Internal\"]}}","tot":"jsonata"}],"action":"","property":"","from":"","to":"","reg":false,"x":660,"y":160,"wires":[["59c447f7.1e166"]]},{"id":"7a8cc4d2.d39ddc","type":"change","z":"90b5fc30.4ddc6","name":"External","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"show\":[\"Tab_External\"],\"hide\":[\"Tab_Internal\",\"Tab_User1\"]}}","tot":"jsonata"}],"action":"","property":"","from":"","to":"","reg":false,"x":660,"y":200,"wires":[["59c447f7.1e166"]]},{"id":"4718f512.23e66c","type":"debug","z":"90b5fc30.4ddc6","name":"","active":false,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","x":1150,"y":200,"wires":[]},{"id":"72b1c083.cf6c88","type":"change","z":"90b5fc30.4ddc6","name":"User1","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"show\":[\"Tab_User1\"],\"hide\":[\"Tab_Internal\",\"Tab_External\"]}}","tot":"json"}],"action":"","property":"","from":"","to":"","reg":false,"x":650,"y":100,"wires":[["59c447f7.1e166"]]}]
```

So the client with IP address 192.168.2.2 gets the group Tab_User1, all other local users (192.168.2.x) get Tab_Internal and users from the internet get the group Tab_External.
User1 and external users will be logged in an ASCII file.

The internal group can switch on/off light or heaters, however the external group can only see the state of a switch.

Is that safe or is it possible for the client to "show" groups, which have been "hidden" by ui_control?

No, I don't believe it to be safe. Open your developer tools and look at the full contents of the page. I think that you will find all the other data is there and can be exposed very easily.

Dashboard is a "Single Page App" (SPA).

IP address checks can never be entirely safe since IP addresses can be spoofed (recognising the difference between an Internet-routable address and an internally routable address (192.168.x.x, 10.x.x.x, etc.) is a little safer if you have your edge firewalls correctly configured).

But you still have all the info in the single page app so you would also need to only deliver the hidden part of the UI dynamically once the user and their location had been verified. Not sure if that is possible with Dashboard.
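The classification the posted flow does with a switch node, together with the server-side verification this reply asks for, as an added example in JavaScript (not code from either poster): it matches `msg.socketip` against an exact /24 instead of the flow's `contains "192.168.2"` rule, which would also accept 192.168.20.x, strips the `::ffff:` prefix socket.io may prepend to IPv4 clients, and exposes a gate for the node that actually switches a light. The LAN plan (192.168.2.0/24, .2 = User1) is taken from the thread; that the command messages still carry the originating socketip is an assumption.

```javascript
// Added example, not from the original post: Node-RED function-node logic that
// classifies msg.socketip by exact CIDR match instead of the flow's switch rule
// "contains 192.168.2", and gates the control action server-side. LAN plan assumed.
const USER1_HOST = "192.168.2.2";
const INTERNAL_CIDRS = ["192.168.2.0/24"];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside cidr ("a.b.c.d/bits"); malformed input never matches.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip), netN = ipv4ToInt(net);
  if (ipN === null || netN === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  return (ipN >>> (32 - bits)) === (netN >>> (32 - bits));
}

// socket.io may report IPv4-mapped addresses as "::ffff:a.b.c.d"; strip that.
// Least privilege: anything unparsable or outside the LAN is "external".
function classify(socketip) {
  if (typeof socketip !== "string") return "external";
  const ip = socketip.replace(/^::ffff:/i, "");
  if (ipv4ToInt(ip) === null) return "external";
  if (ip === USER1_HOST) return "user1";
  return INTERNAL_CIDRS.some((c) => inCidr(ip, c)) ? "internal" : "external";
}

// ui_control payloads, same shape as the change nodes in the posted flow.
const GROUPS = {
  user1:    { show: ["Tab_User1"],    hide: ["Tab_Internal", "Tab_External"] },
  internal: { show: ["Tab_Internal"], hide: ["Tab_External", "Tab_User1"] },
  external: { show: ["Tab_External"], hide: ["Tab_Internal", "Tab_User1"] },
};
function uiControlPayload(socketip) { return { group: GROUPS[classify(socketip)] }; }

// Hiding a group is cosmetic. Put this in front of the node that actuates the
// light/heater (assumes the command msg still carries the originating socketip).
function allowControl(socketip) { return classify(socketip) !== "external"; }
```

Inside a function node this becomes `msg.payload = uiControlPayload(msg.socketip); return msg;` for the ui_control branch, and `return allowControl(msg.socketip) ? msg : null;` in front of the actuator.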

I did a wget of the dashboard site and did not find any string from the External or User1 groups, but also none from the groups that are displayed.

The firefox inspector showed only those groups which are displayed and not hidden:

```html
<ui-card-panel ng-repeat="group in main.selectedTab.items" id="TAB_internal" ...
```

So it seems to be safe, but I have disabled all port forwarding and will use my VPN instead.

I would double-check that - if you "know" the URL of the hidden tab, e.g. `.../ui/#!/1` or `/2` etc., then you may well be able to get to the data. Not hard to guess what may come after `/1` etc...

But I do NOT have a second tab, only groups, which I enable/disable via

```json
{"group":{"show":["Tab_Group1"],"hide":["Tab_group2","Tab_group3"]}}
```

I do not get another view if I change `/ui/#!/1` to `/ui/#!/2` or `/ui/#!/3`.
