Fix MQTT topic pattern for OwnTracks and implement privacy isolation
CRITICAL FIX: The OwnTracks app publishes to owntracks/<username>/<device_id>, not owntracks/owntrack/<device_id>. This was causing data delivery failures and privacy violations.

Changes:
- Fix ACL topic pattern: owntracks/<username>/# (was: owntracks/owntrack/<device_id>)
- Backend now uses MQTT_ADMIN_USERNAME for global subscription
- Update UI forms and placeholders with correct pattern
- Update email template with correct topic format
- Enable Mosquitto ACL file for user isolation
- Add migration script for existing ACL rules
- Update documentation (README, GEMINI.md)

Privacy & Security:
- Each user isolated at MQTT broker level via ACL
- Backend subscribes with admin credentials to owntracks/+/+
- Web UI filters data by parent_user_id for additional security
- GDPR compliant multi-layer defense in depth

Files changed:
- lib/mqtt-db.ts - Updated createDefaultRule() to use username
- app/api/mqtt/credentials/route.ts - Pass username to ACL creation
- app/admin/mqtt/page.tsx - UI forms and state management
- emails/mqtt-credentials.tsx - Email template topic pattern
- lib/mqtt-subscriber.ts - Use admin credentials from env
- mosquitto/config/mosquitto.conf - Enable ACL enforcement
- README.md, GEMINI.md - Documentation updates
- scripts/fix-acl-topic-patterns.js - Migration script
- MQTT_TOPIC_FIX.md - Detailed implementation guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -204,12 +204,12 @@ export const mqttAclRuleDb = {
},
/**
* Erstelle Default ACL Regel für ein Device (owntracks/owntrack/[device-id]/#)
* Erstelle Default ACL Regel für ein Device (owntracks/[username]/#)
*/
createDefaultRule: (deviceId: string): MqttAclRule => {
createDefaultRule: (deviceId: string, username: string): MqttAclRule => {
return mqttAclRuleDb.create({
device_id: deviceId,
topic_pattern: `owntracks/owntrack/${deviceId}/#`,
topic_pattern: `owntracks/${username}/#`,
permission: 'readwrite'
});
},
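Review bot: the new `createDefaultRule` interpolates `username` straight into the ACL pattern `owntracks/${username}/#`, and since that pattern is what the broker enforces, a username containing `/`, `+` or `#` would silently change the scope of the rule; validate the username against a strict allow-list (letters, digits, `_`, `-`) before building the pattern, or reject it. Also, the rule is still created per `device_id` but the pattern no longer contains the device id, so a user with several devices gets several identical `owntracks/<username>/#` rows; consider de-duplicating on `(username, topic_pattern)` or documenting that the rule is now per user rather than per device.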
@@ -198,8 +198,9 @@ export function initMQTTSubscriber(): MQTTSubscriber {
}
const brokerUrl = process.env.MQTT_BROKER_URL || 'mqtt://localhost:1883';
const username = process.env.MQTT_USERNAME;
const password = process.env.MQTT_PASSWORD;
// Use admin credentials for backend subscriber (full access to all topics)
const username = process.env.MQTT_ADMIN_USERNAME || process.env.MQTT_USERNAME;
const password = process.env.MQTT_ADMIN_PASSWORD || process.env.MQTT_PASSWORD;
mqttSubscriber = new MQTTSubscriber(brokerUrl, username, password);
mqttSubscriber.connect();
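Review bot: the `||` fallback to `MQTT_USERNAME` / `MQTT_PASSWORD` in the new `username` and `password` lines means that a deployment without `MQTT_ADMIN_USERNAME` set silently connects the subscriber with a restricted per-user account; with the ACL file now enforced, that account only sees its own `owntracks/<username>/#` subtree, so the backend quietly misses every other user's data, which is the same class of delivery failure this commit sets out to fix. Prefer failing fast at startup (throw or log an error) when `MQTT_ADMIN_USERNAME` or `MQTT_ADMIN_PASSWORD` is missing, or at least log which credential source was used so the misconfiguration is visible.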