Fix MQTT topic pattern for OwnTracks and implement privacy isolation
CRITICAL FIX: The OwnTracks app publishes to owntracks/<username>/<device_id>, not owntracks/owntrack/<device_id>. This was causing data delivery failures and privacy violations.

Changes:
- Fix ACL topic pattern: owntracks/<username>/# (was: owntracks/owntrack/<device_id>)
- Backend now uses MQTT_ADMIN_USERNAME for global subscription
- Update UI forms and placeholders with correct pattern
- Update email template with correct topic format
- Enable Mosquitto ACL file for user isolation
- Add migration script for existing ACL rules
- Update documentation (README, GEMINI.md)

Privacy & Security:
- Each user isolated at MQTT broker level via ACL
- Backend subscribes with admin credentials to owntracks/+/+
- Web UI filters data by parent_user_id for additional security
- GDPR compliant multi-layer defense in depth

Files changed:
- lib/mqtt-db.ts - Updated createDefaultRule() to use username
- app/api/mqtt/credentials/route.ts - Pass username to ACL creation
- app/admin/mqtt/page.tsx - UI forms and state management
- emails/mqtt-credentials.tsx - Email template topic pattern
- lib/mqtt-subscriber.ts - Use admin credentials from env
- mosquitto/config/mosquitto.conf - Enable ACL enforcement
- README.md, GEMINI.md - Documentation updates
- scripts/fix-acl-topic-patterns.js - Migration script
- MQTT_TOPIC_FIX.md - Detailed implementation guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -22,12 +22,13 @@ log_type information
|
||||
log_timestamp true
|
||||
|
||||
# Authentifizierung
|
||||
# Startet initially mit anonymous access, wird durch Sync konfiguriert
|
||||
# Aktiviert bei Erstinstallation - Admin User wird durch Sync konfiguriert
|
||||
# allow_anonymous false
|
||||
allow_anonymous true
|
||||
# password_file /mosquitto/config/password.txt
|
||||
password_file /mosquitto/config/password.txt
|
||||
|
||||
# Access Control List
|
||||
# acl_file /mosquitto/config/acl.txt
|
||||
acl_file /mosquitto/config/acl.txt
|
||||
|
||||
# Connection Settings
|
||||
max_connections -1
|
||||
|
||||
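Review bot: `allow_anonymous true` appears uncommented in the authentication block, directly above the now-active `password_file` and `acl_file` lines, so if it is part of the new file state a client that presents no credentials can still connect and the per-user isolation rests entirely on what acl.txt grants to anonymous clients. In Mosquitto, `topic` rules placed before the first `user` line of the ACL file apply to anonymous clients, so a single general rule there covering owntracks/# would undo the isolation the commit message describes. Suggest switching to the `allow_anonymous false` line that is already present as a comment once the admin user has been synced, or, if anonymous access is required for the first install as the comment says, noting in this file that acl.txt must carry no general topic rules. The comment only describes the first-install state; a line saying when and by what step anonymous access gets turned off would make the intended end state reviewable.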