github Yeraze/meshmonitor v2.4.3
v2.4.3 - CSRF Token Protection & BASE_URL Compatibility


🔒 Security Improvements

CSRF Token Protection

This release implements comprehensive CSRF (Cross-Site Request Forgery) token protection across the entire application. All mutation requests (POST, PUT, DELETE, PATCH) now properly include CSRF tokens to prevent unauthorized actions.

Key Changes:

  • Created reusable useCsrfFetch hook for React components
  • Added getHeadersWithCsrf() helper to API service for centralized token management
  • Implemented automatic token refresh on 403 errors in API service
  • Added fallback to sessionStorage for token persistence
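The four items above describe one client-side flow: a mutation carries a CSRF token header, a 403 causes one token refresh and a retry, and the token is mirrored to sessionStorage so a reload does not start without one. The following is an added illustration of that flow, not MeshMonitor's own code; the header name (`X-CSRF-Token`), storage key, token endpoint path and the in-memory backend are all assumptions made for the example.

```typescript
// Added example, not MeshMonitor's own code: the client-side pattern this release
// describes. Mutations carry a CSRF token header, a 403 triggers exactly one token
// refresh and retry, and the token is mirrored into a sessionStorage-like store so a
// reload does not start without one. Header name, storage key and token endpoint
// path are assumptions; the backend below is a constructed in-memory stand-in.

interface HttpResponse { status: number; ok: boolean; json(): Promise<unknown> }
interface RequestOpts { method?: string; body?: string }
type FetchLike = (url: string, method: string, headers: Record<string, string>, body: string) => Promise<HttpResponse>;
interface TokenStore { getItem(key: string): string | null; setItem(key: string, value: string): void }

const CSRF_HEADER = "X-CSRF-Token";   // assumed header name
const STORAGE_KEY = "csrfToken";       // assumed sessionStorage key
const TOKEN_PATH = "/api/csrf-token";  // assumed token endpoint
const MUTATING = new Set(["POST", "PUT", "DELETE", "PATCH"]);

class CsrfClient {
  private token: string | null;
  private readonly baseUrl: string;
  private readonly fetchImpl: FetchLike;
  private readonly store: TokenStore;

  constructor(baseUrl: string, fetchImpl: FetchLike, store: TokenStore) {
    this.baseUrl = baseUrl;
    this.fetchImpl = fetchImpl;
    this.store = store;
    this.token = store.getItem(STORAGE_KEY); // fallback: token persisted by an earlier page load
  }

  hasToken(): boolean { return this.token !== null; }

  async refreshToken(): Promise<string> {
    const res = await this.fetchImpl(this.baseUrl + TOKEN_PATH, "GET", {}, "");
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const token = ((await res.json()) as { csrfToken: string }).csrfToken;
    this.token = token;
    this.store.setItem(STORAGE_KEY, token);
    return token;
  }

  // Centralised header construction: the token is attached to mutations only.
  headersWithCsrf(method: string): Record<string, string> {
    const headers: Record<string, string> = { "Content-Type": "application/json" };
    if (MUTATING.has(method) && this.token !== null) headers[CSRF_HEADER] = this.token;
    return headers;
  }

  async request(path: string, init: RequestOpts = {}): Promise<HttpResponse> {
    const method = (init.method ?? "GET").toUpperCase();
    if (MUTATING.has(method) && this.token === null) await this.refreshToken();
    const send = () => this.fetchImpl(this.baseUrl + path, method, this.headersWithCsrf(method), init.body ?? "");
    let res = await send();
    if (res.status === 403 && MUTATING.has(method)) {
      // The server no longer accepts our token (rotated, expired, new session):
      // fetch a fresh one and retry once; a second 403 goes back to the caller.
      await this.refreshToken();
      res = await send();
    }
    return res;
  }
}

// Constructed backend: issues tokens, rejects mutations whose token is not the current one.
function makeFakeBackend() {
  let issued = 1, tokenRequests = 0;
  let current = `tok-${issued}`;
  const fetchImpl: FetchLike = async (url, method, headers) => {
    if (url.endsWith(TOKEN_PATH) && method === "GET") {
      tokenRequests += 1;
      return { status: 200, ok: true, json: async () => ({ csrfToken: current }) };
    }
    const valid = !MUTATING.has(method) || headers[CSRF_HEADER] === current;
    return { status: valid ? 200 : 403, ok: valid, json: async () => ({ ok: valid }) };
  };
  const rotate = () => { issued += 1; current = `tok-${issued}`; }; // e.g. a server restart
  return { fetchImpl, rotate, tokenRequestCount: () => tokenRequests };
}

function memoryStore(): TokenStore {
  const m = new Map<string, string>();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => { m.set(k, v); } };
}

async function demo() {
  const backend = makeFakeBackend();
  const store = memoryStore();
  const client = new CsrfClient("/meshmonitor", backend.fetchImpl, store);
  const first = await client.request("/api/messages", { method: "POST", body: '{"text":"hi"}' });
  backend.rotate(); // the cached token is now stale
  const second = await client.request("/api/messages", { method: "POST", body: "{}" });
  const reloaded = new CsrfClient("/meshmonitor", backend.fetchImpl, store); // simulated page reload
  return {
    firstStatus: first.status,                  // 200: token fetched before the first mutation
    secondStatus: second.status,                // 200: 403 on the stale token, refreshed, retried
    tokenRequests: backend.tokenRequestCount(), // 2
    storedToken: store.getItem(STORAGE_KEY),    // "tok-2"
    reloadedHasToken: reloaded.hasToken(),      // true: read back from the store
  };
}

demo().then((r) => console.log(r));
```

The retry is deliberately bounded to one refresh: if the server still answers 403 after a fresh token, the failure is something other than a stale token (a missing session, a denied origin) and looping would only hide it. Attaching the header to mutations only keeps GET requests cacheable and avoids leaking the token where it is not needed.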

BASE_URL Compatibility

Fixed 403 Forbidden errors when running the application with a custom BASE_URL (e.g., /meshmonitor) in reverse proxy configurations.

Improvements:

  • Automatic BASE_URL detection from pathname
  • Intelligent app route filtering for multi-segment paths
  • Consistent CSRF endpoint discovery across all contexts
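Pathname-based detection works because everything before the first segment the SPA itself routes must be the reverse-proxy mount prefix. The code below is an added example of that idea, not MeshMonitor's implementation: the set of app routes, the precedence of a configured BASE_URL over detection, and the token endpoint path are assumptions.

```typescript
// Added example, not MeshMonitor's own code: derive the mount prefix from the
// browser pathname when no BASE_URL is configured, and build API URLs from it so
// the CSRF token endpoint is the same in every context. The app route names and
// the token endpoint path are assumptions.

// Top-level client routes the SPA owns (assumed). Anything before the first such
// segment is treated as the reverse-proxy mount prefix.
const APP_ROUTES: ReadonlySet<string> = new Set(["nodes", "messages", "settings", "dashboard", "telemetry", "info"]);

function normalizeBase(base: string): string {
  let b = base.trim();
  if (!b.startsWith("/")) b = "/" + b;
  b = b.replace(/\/+$/, ""); // "/meshmonitor/" -> "/meshmonitor"
  return b === "" ? "/" : b;
}

function detectBaseUrl(pathname: string, appRoutes: ReadonlySet<string> = APP_ROUTES): string {
  const segments = pathname.split("/").filter(Boolean);
  const first = segments.findIndex((s) => appRoutes.has(s));
  // Multi-segment app paths ("/meshmonitor/nodes/123") end at the first app route;
  // a path with no app route at all ("/meshmonitor") is itself the prefix.
  // Limitation: a prefix named like an app route, or an unknown deep path, cannot be
  // told apart from routes, which is why an explicit BASE_URL takes precedence.
  const prefix = first === -1 ? segments : segments.slice(0, first);
  return prefix.length === 0 ? "/" : "/" + prefix.join("/");
}

// Explicit configuration wins; pathname detection is the fallback.
function resolveBaseUrl(configured: string | undefined, pathname: string): string {
  return configured !== undefined && configured.trim() !== "" ? normalizeBase(configured) : detectBaseUrl(pathname);
}

function apiUrl(baseUrl: string, apiPath: string): string {
  const base = normalizeBase(baseUrl);
  const path = apiPath.startsWith("/") ? apiPath : "/" + apiPath;
  return base === "/" ? path : base + path; // never "//api/..." and never a missing prefix
}

function csrfEndpoint(baseUrl: string): string {
  return apiUrl(baseUrl, "/api/csrf-token"); // assumed endpoint path
}

console.log(csrfEndpoint(resolveBaseUrl(undefined, "/meshmonitor/settings"))); // /meshmonitor/api/csrf-token
```

The 403s this release fixes are what you get when the token request goes to `/api/csrf-token` while the server is mounted at `/meshmonitor/api/...`: the proxy returns an error page instead of a token, and every mutation is then sent without one. Routing every API call through one `apiUrl` helper makes that class of mismatch impossible rather than merely unlikely.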

🛠️ Components Updated

React Components (7 files)

  • App.tsx - Message sending with CSRF protection
  • SettingsTab.tsx - Settings save/reset operations
  • AutoTracerouteSection.tsx - Traceroute interval configuration
  • AutoAcknowledgeSection.tsx - Auto-acknowledge settings
  • AutoAnnounceSection.tsx - Auto-announce settings
  • Dashboard.tsx - Telemetry favorites management
  • TelemetryGraphs.tsx - Chart favoriting functionality

API Service Methods (22 updated)

All mutation methods now include CSRF tokens:

  • Message operations: sendMessage(), sendTraceroute()
  • Node management: refreshNodes(), purgeNodes()
  • Data operations: purgeTelemetry(), purgeMessages(), clearRecordHolderSegment()
  • Device config: setDeviceConfig(), setLoRaConfig(), setPositionConfig(), setMQTTConfig(), setNeighborInfoConfig(), setNodeOwner()
  • System operations: rebootDevice(), restartContainer(), disconnectFromNode(), reconnectToNode()
  • Config requests: requestConfig(), requestModuleConfig()
  • Settings: updateTracerouteInterval(), setTracerouteIntervalMinutes()

🐛 Bug Fixes

Rate Limiter Configuration

Fixed rate limiter validation issues when running behind reverse proxies with TRUST_PROXY=1:

  • Disabled express-rate-limit built-in validation (validate: false)
  • Properly configured trustProxy option for accurate client IP detection
  • Prevents "Misconfigured express-rate-limit" errors
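Why the trust-proxy hop count has to be exact is easy to see with a model of the address selection rule. The block below is an added example, not MeshMonitor's or express-rate-limit's code: it reproduces the numeric `trust proxy` semantics Express applies through proxy-addr (socket peer is hop 0, X-Forwarded-For read right to left, first untrusted hop is the client), feeds the result to a small fixed-window limiter, and compares TRUST_PROXY unset with TRUST_PROXY=1. The traffic and addresses are constructed. Note that `validate: false` switches off express-rate-limit's own misconfiguration checks, the trust-proxy one included, so this is the kind of check that now has to be done by hand.

```typescript
// Added example, not MeshMonitor's own code: how a numeric trust-proxy hop count
// picks the address a rate limiter keys on. It mirrors the rule Express applies
// via proxy-addr: the socket peer is hop 0, X-Forwarded-For is read right to left,
// and the first untrusted hop is taken as the client. With validate: false the
// library's own misconfiguration checks are silent, so the hop count must be
// verified by hand; all addresses below are constructed.

function clientAddress(socketPeer: string, xForwardedFor: string | undefined, trustedHops: number): string {
  const forwarded = (xForwardedFor ?? "").split(",").map((s) => s.trim()).filter(Boolean).reverse();
  const chain = [socketPeer, ...forwarded]; // nearest hop first
  let i = 0;
  while (i < chain.length - 1 && i < trustedHops) i += 1;
  return chain[i] ?? socketPeer; // first untrusted hop, or the farthest one when every hop is trusted
}

// Minimal fixed-window limiter keyed on whatever address the caller derived.
class FixedWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly hits = new Map<string, { count: number; resetAt: number }>();

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  allow(key: string, now: number): boolean {
    const entry = this.hits.get(key);
    if (entry === undefined || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

interface IncomingRequest { peer: string; xff?: string }

// Constructed traffic: two real clients behind one reverse proxy. 10.0.0.1 is the
// proxy and the only peer the application socket ever sees; three requests each.
const SAMPLE_REQUESTS: IncomingRequest[] = [];
for (let n = 0; n < 3; n += 1) {
  SAMPLE_REQUESTS.push({ peer: "10.0.0.1", xff: "198.51.100.7" }, { peer: "10.0.0.1", xff: "203.0.113.9" });
}

function rejectedCount(trustedHops: number, requests: IncomingRequest[], limit: number): number {
  const limiter = new FixedWindowLimiter(limit, 60_000);
  let rejected = 0;
  requests.forEach((req, n) => {
    if (!limiter.allow(clientAddress(req.peer, req.xff, trustedHops), n * 10)) rejected += 1;
  });
  return rejected;
}

// 0 trusted hops (TRUST_PROXY unset): both clients key on the proxy address, share one
// bucket of 3 and three legitimate requests are rejected. 1 trusted hop (TRUST_PROXY=1):
// separate buckets, nothing rejected. Trusting more hops than exist keys on a header
// value the requester supplied, so the limit stops being per client.
console.log({ noTrust: rejectedCount(0, SAMPLE_REQUESTS, 3), oneHop: rejectedCount(1, SAMPLE_REQUESTS, 3) });
```

Both misconfigurations are security-relevant in opposite directions: too few trusted hops collapses all users into the proxy's bucket (a self-inflicted denial of service once a handful of users are active), while too many lets the limiter be keyed on a value the sender chose. The number to set is the count of proxies you operate in front of the container, no more and no less.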

CSRF Context

  • Fixed CsrfProvider to properly detect BASE_URL from API service
  • Added robust error handling with sessionStorage fallback
  • Improved logging for debugging CSRF-related issues

📋 Configuration

Environment Variables

This release works seamlessly with:

  • BASE_URL - Custom path prefix (e.g., /meshmonitor)
  • TRUST_PROXY=1 - For reverse proxy deployments
  • COOKIE_SECURE=true/false - Flexible cookie security settings
  • ALLOWED_ORIGINS - Comma-separated list of allowed CORS origins

Deployment Scenarios Tested

✅ Root path deployment (BASE_URL=/)
✅ Subpath deployment (BASE_URL=/meshmonitor)
✅ HTTP development environments
✅ HTTPS production environments
✅ Reverse proxy configurations (nginx, Traefik, etc.)

🔄 Upgrade Notes

Breaking Changes

None - this is a backward-compatible security enhancement.

Recommendations

  1. Ensure TRUST_PROXY is set correctly if behind a reverse proxy
  2. Configure ALLOWED_ORIGINS to match your deployment domain(s)
  3. Test CSRF-protected operations (sending messages, saving settings) after upgrade

📊 Testing

All 614 tests passing:

  • ✅ Component integration tests
  • ✅ API service tests
  • ✅ Authentication & authorization tests
  • ✅ Server-side security tests

🚀 What's Next

v2.4.4 (Planned Improvements)

  • Enhanced error recovery for CSRF token refresh in App.tsx
  • Improved token management consistency
  • Reduced production logging verbosity
  • Additional test coverage for edge cases

📝 Full Changelog

See PR #188 for detailed code changes and discussion.


🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com

🚀 MeshMonitor v2.4.3

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:v2.4.3

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.
