fix(ui-server): harden CSMS credential handling in supervision URL flow
authorJérôme Benoit <jerome.benoit@sap.com>
Wed, 22 Apr 2026 18:54:58 +0000 (20:54 +0200)
committerJérôme Benoit <jerome.benoit@sap.com>
Wed, 22 Apr 2026 18:54:58 +0000 (20:54 +0200)
- Add autocomplete="off" on supervision password inputs
- Reject colon in supervisionUser via Zod regex (RFC 7617)
- Strip credentials from broadcast channel error response payloads

src/charging-station/ChargingStation.ts
src/charging-station/broadcast-channel/ChargingStationWorkerBroadcastChannel.ts
src/charging-station/ui-server/mcp/MCPToolSchemas.ts
ui/web/src/components/actions/AddChargingStations.vue
ui/web/src/components/actions/SetSupervisionUrl.vue

index 674825e1c14b60f48fa516c13a52ca97c77fb03a..2cb492c3cab3f47bea9cc6a21f703340113a46cc 100644 (file)
@@ -994,9 +994,9 @@ export class ChargingStation extends EventEmitter {
 
   /**
    * Updates the supervision server URL and optionally the CSMS basic auth credentials.
-   * @param url
-   * @param supervisionUser
-   * @param supervisionPassword
+   * @param url - The new supervision server URL
+   * @param supervisionUser - CSMS basic auth user (undefined preserves existing)
+   * @param supervisionPassword - CSMS basic auth password (undefined preserves existing)
    */
   public setSupervisionUrl (
     url: string,
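Review bot: The new `@param supervisionUser` and `@param supervisionPassword` text states that `undefined` preserves the existing credential, but the hunk does not show how an empty string is treated, and the body of `setSupervisionUrl` lies outside the hunk, so a reader cannot tell whether `''` clears the stored value or is also ignored. Since a caller wanting to remove a credential needs to know which, the doc should spell it out, e.g. `@param supervisionUser - CSMS basic auth user (undefined preserves existing; empty string clears it)` if that is what the body does, or the opposite if `''` is ignored. The same clarification applies to the password line.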
index 95b14718a70324a7504a732b0890a693964cc9e8..297ed559504bbd68b3dcb115883e447866243ae7 100644 (file)
@@ -527,6 +527,8 @@ export class ChargingStationWorkerBroadcastChannel extends WorkerBroadcastChanne
           `${this.chargingStation.logPrefix()} ${moduleName}.requestHandler: Handle request error:`,
           error
         )
+        delete requestPayload.supervisionPassword
+        delete requestPayload.supervisionUser
         responsePayload = {
           command,
           errorDetails: error instanceof OCPPError ? error.details : undefined,
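Review bot: The two `delete` statements strip the credentials only after the logger call on the preceding lines has already emitted `error`, so if the thrown error (or the `error.details` placed into `errorDetails`) echoes the incoming request, the user and password may already be in the log before they are removed; moving the strip ahead of the logger call, or confirming that `OCPPError.details` never carries the request payload, would close that gap. The in-place `delete` also mutates `requestPayload`, an object the caller may still hold; a non-mutating form keeps the handler free of side effects, e.g. `const { supervisionPassword: _pw, supervisionUser: _user, ...sanitizedPayload } = requestPayload` with `sanitizedPayload` used where the response presumably embeds the request. Whether the non-error response path echoes the same fields is not visible in this hunk. The enclosing `requestHandler` starts and ends outside the hunk.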
index 30c910989dea22d1d2a6f6e6690ed415edeb7bb7..660320d06e4163fb8cfa7f2958ed6a76823ddc6f 100644 (file)
@@ -69,6 +69,7 @@ const chargingStationOptionsSchema = z.object({
     .describe('OCPP server supervision URL(s)'),
   supervisionUser: z
     .string()
+    .regex(/^[^:]*$/, 'must not contain ":"')
     .optional()
     .describe('CSMS basic auth user used on the supervision WebSocket'),
 })
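Review bot: The `.regex(/^[^:]*$/, 'must not contain ":"')` line is duplicated verbatim here and in the second hunk of this file (the `setSupervisionUrl` tool schema), so the two copies can drift; hoisting it once, e.g. `const supervisionUserSchema = z.string().regex(/^[^:]*$/, 'must not contain ":"')` and using `supervisionUserSchema.optional().describe(...)` in both places, keeps the rule in one spot. A one-line comment naming the source would help the next reader, e.g. `// RFC 7617 §2: a user-id cannot contain ':' (it is the user-pass separator)`. RFC 7617 §2 also forbids control characters in both user-id and password, which this pattern does not reject; if the value ends up in an `Authorization` header that is worth considering. `chargingStationOptionsSchema` starts outside the hunk, and the `mcpToolSchemas` Map in the second hunk continues past it.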
@@ -349,6 +350,7 @@ export const mcpToolSchemas = new Map<ProcedureName, MCPToolSchema>([
           .describe('CSMS basic auth password used on the supervision WebSocket'),
         supervisionUser: z
           .string()
+          .regex(/^[^:]*$/, 'must not contain ":"')
           .optional()
           .describe('CSMS basic auth user used on the supervision WebSocket'),
         url: z.url().describe('The OCPP server supervision URL to set'),
index 8a7f3264ebc22d7f46b5096ddd2229ecd264d5aa..1d7c4a76cd993472b5852fe5ec89713b83f3a9a0 100644 (file)
@@ -76,6 +76,7 @@
       <input
         id="supervision-password"
         v-model="state.supervisionPassword"
+        autocomplete="off"
         class="supervision-password"
         name="supervision-password"
         placeholder="<password>"
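Review bot: `autocomplete="off"` on a password field is widely ignored by browsers and password managers, which still offer to fill or save it; the value they honor for "do not autofill this credential" is `autocomplete="new-password"`. The hunk also does not show the input's `type` attribute — if it is not `type="password"`, the CSMS password is rendered in clear on screen, which is worth confirming. The same applies to the identical change in `ui/web/src/components/actions/SetSupervisionUrl.vue`.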
index cb761991b0017c0d7c9bf47ae9780414e38ed09f..9faedaa3acf295f332c932999b6e8f39c137e38b 100644 (file)
@@ -25,6 +25,7 @@
   <input
     id="supervision-password"
     v-model="state.supervisionPassword"
+    autocomplete="off"
     class="supervision-password"
     name="supervision-password"
     placeholder="<password>"