
⚠️ Embedding the public dashboard - BREAKING CHANGE

Open alexjustesen opened this issue 1 year ago • 9 comments

⚠️ Breaking change

For those embedding their Speedtest Tracker public dashboards as of 0.14.2 this will be broken and stop functioning. TL;DR: Not secure, don't like that.

📜 Description

As of v0.14.1, embedding the public dashboard into something like Home Assistant's dashboard or using an iframe was broken because of CORS and requiring a CSRF token to validate the request.

0.14.2-beta series tested removing CSRF protections on the dashboard. During exploration of this solution it was discovered that in Livewire, the package used to provide reactivity, there currently isn't a good way of disabling this on a specific route.

The solution was to disable CSRF protection on ALL livewire/* requests which could open an attack surface for dashboards exposed to the internet. This isn't an acceptable solution IMO.

🔗 Past linked issues

  • #411
  • #752

🤔 Proposed solution

Develop a new dashboard that is specifically for embedding into websites or other dashboards like Home Assistant. The dashboard should improve upon the current performance issues and not compromise security for features.

🛣️ Possible solutions

  • If Livewire releases a 1st party easy way of disabling csrf on read-only requests, I'll use that https://github.com/livewire/livewire/discussions/7563
  • Build a new dashboard that leverages an API instead of Livewire to update charts and metrics

🙋‍♂️ FAQs

  • What's the risk in just disabling csrf?: Cross Site Request Forgery (CSRF) protection guards against requests and actions that don't originate from the authenticated user or the application.
  • Will the public dashboard keep working?: Yes, you just won't be able to embed it within another dashboard or website.
  • When do you plan on bringing back embeddable dashboards?: Once I'm through fixing data issues in the next major release (v0.16.0) I'll be pivoting back to developing a secure and performant solution.

👇 I'll be tracking all research and updates in the comments below. Feel free to ask any questions or provide input.

alexjustesen avatar Dec 28 '23 14:12 alexjustesen
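As an added example that is not part of this issue or the Speedtest Tracker code base: the overly broad CSRF exemption the 0.14.2-beta series tried, beside the read-only API direction proposed above. It assumes a Laravel 10-style `VerifyCsrfToken` middleware with an `$except` list and a hypothetical `App\Models\Result` model with `download`, `upload`, `ping` and `created_at` columns.

```php
<?php
// Added illustration, not code from Speedtest Tracker. Assumes a Laravel 10-style
// app (VerifyCsrfToken with an $except list) and a hypothetical App\Models\Result
// model exposing download, upload, ping and created_at columns.

namespace App\Http\Middleware {
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

    // WEAK (what the 0.14.2-beta experiment amounted to): every livewire/* request,
    // including ones that change state, skips the token check, so a third-party page
    // could trigger Livewire actions inside a logged-in user's session.
    class VerifyCsrfToken extends Middleware
    {
        protected $except = [
            'livewire/*', // too broad: covers all component updates, not just the dashboard
        ];
    }
}

namespace {
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    // PREFERRED direction from the issue: keep CSRF protection and serve the embeddable
    // dashboard from a read-only API instead of Livewire. A GET endpoint changes no
    // state, so no CSRF token is involved and the session cookie being withheld inside
    // an iframe (the cause of Laravel's 419 "page expired" error) no longer matters.
    // Rate-limited because it is unauthenticated. Lives in routes/api.php (prefix /api).
    Route::middleware('throttle:60,1')->get('/public/results', function (Request $request) {
        $limit = min((int) $request->query('limit', 100), 500); // cap client-chosen size

        $results = App\Models\Result::query()
            ->latest('created_at')
            ->limit($limit)
            ->get(['download', 'upload', 'ping', 'created_at']);

        return response()->json($results);
    });

    // config/cors.php (fragment): only the embedding origin may read the API,
    // only with GET, and never with credentials. Origin is a constructed placeholder.
    $cors = [
        'paths'                => ['api/public/*'],
        'allowed_methods'      => ['GET'],
        'allowed_origins'      => ['https://homeassistant.example'],
        'supports_credentials' => false,
    ];
}
```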

#1027 removes code related to embedding the public dashboard.

alexjustesen avatar Dec 28 '23 15:12 alexjustesen

Design idea: the dashboard should be big and bold so KPIs, charts and data are easily readable.

[Image: Tempest weather station dashboard]

alexjustesen avatar Dec 30 '23 14:12 alexjustesen

any news here?

ZoXx avatar Feb 07 '24 12:02 ZoXx

any news here?

None yet, DQ issues need to be resolved first.

alexjustesen avatar Feb 07 '24 12:02 alexjustesen

Not sure if this is news, but with the latest Home Assistant release (2024.4) I can simply embed the public dashboard via the new "Webpage" dashboard type. I just tried it and it works perfectly.

fischerphilipp avatar Apr 04 '24 15:04 fischerphilipp

ioBroker doesn't have this feature. I still need the public dashboard site to see it.

ZoXx avatar Apr 04 '24 15:04 ZoXx

Unfortunately I have to correct myself: Embedding the public dashboard works until you try to select a time interval other than the default "last 24h". If you select "last week" or "last month" you get a browser error saying "This page has expired. Would you like to refresh the page?"

fischerphilipp avatar Apr 05 '24 08:04 fischerphilipp

Any news @alexjustesen ? 🙂

ZoXx avatar Apr 24 '24 08:04 ZoXx

Explore using https://wire-elements.dev/blog/embed-livewire-components-using-wire-extender

alexjustesen avatar Jun 11 '24 12:06 alexjustesen