
Commit 5936954

Merge pull request #6836 from nightscout/dev
## Welcome to Release 14.2 Sweet Liquorice!

This release focuses on improving the overall security of Nightscout.

14.2 adds a new method for Nightscout to notify you of various security issues in your setup. After upgrading to this release, if Nightscout wants to tell you something about the system security, you'll see a red megaphone appear in the Nightscout web client. To see the messages, you'll have to sign in using your API-SECRET or a token that's got administration privileges. Full details of the messages can be found in the Nightscout documentation: https://nightscout.github.io/nightscout/security/

Advance warning regarding future releases: we are likely to make compatibility-breaking changes in upcoming releases that will change how the authentication flows with the Nightscout API work, along with changes to validation of data sent to Nightscout. If you're an app developer and are using the Nightscout APIs in your application, please join our Discord channel to learn about the changes as they're implemented. You can join the channel here: https://discord.gg/zg7CvCQ

Nightscout translations are now made in Crowdin. This is very easy even for non-technical folks, so please join and contribute! https://crowdin.com/project/nightscout

Note: if you're running your instance with a very old MongoDB version, your installation might break. We've tested the release using MongoDB 4.2 and 4.4.

## New Features and Improvements

* Administration messages support
* Bolus bubble rendering in the Nightscout UI is now more configurable; see the new settings in the client settings panel
* You can now configure Nightscout to disable battery alarms during the night
* Security improvement: treatments and CGM entries sent over the REST API V1 are now filtered for XSS injection code
* A lot of work has been put into localization; huge thanks to all the contributors
* Reports now remember the settings you've chosen across sessions
* Alexa integration now supports Spanish
* Fixed a bug with AAPS updating CGM values after Dexcom rounds the value
* Added support for Portuguese and Slovenian
* Support for Traditional Chinese has been removed until we find a contributor to help with translating more of the software. The next release will remove support for Japanese unless a larger portion of the text has been translated by the time of release.

## For developers

* APIV3 results are now wrapped differently from before
* Webpack was upgraded to V5
* Client JS bundling was simplified to just one bundle, cutting bundling time to ~50% of the current time
* Removed the cache invalidation token from the bundling process; it is now generated on server boot
* Security improvement: generate a strong persistent random string on deploy to use for JWT signing instead of api_secret
* Security improvement: moved api-secret and JWT signing to a separate centralized security component and delete api_secret from the environment, so it's not accessible elsewhere
* Security improvement: clients can now send the api_secret using SHA512
* Moved some server components away from the project root to make it easier to see what code runs in server vs client
* Fixed some issues reported by the linter
2 parents e893d73 + f9c5a7c commit 5936954


200 files changed

+24097
-7025
lines changed



.eslintrc.js

Lines changed: 28 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,35 @@
11
module.exports = {
2-
"plugins": [ ],
3-
"extends": [
4-
"eslint:recommended"
2+
'plugins': [
3+
'security'
54
],
6-
"parser": "babel-eslint",
7-
"env": {
8-
"browser": true,
9-
"commonjs": true,
10-
"es6": true,
11-
"node": true,
12-
"mocha": true,
13-
"jquery": true
5+
'extends': [
6+
'eslint:recommended',
7+
'plugin:security/recommended'
8+
],
9+
'parser': 'babel-eslint',
10+
'env': {
11+
'browser': true,
12+
'commonjs': true,
13+
'es6': true,
14+
'node': true,
15+
'mocha': true,
16+
'jquery': true
1417
},
15-
"rules": {
16-
"no-unused-vars": [
17-
"error",
18+
'rules': {
19+
'security/detect-object-injection' : 0,
20+
'no-unused-vars': [
21+
'error',
1822
{
19-
"varsIgnorePattern": "should|expect"
23+
'varsIgnorePattern': 'should|expect'
2024
}
2125
]
22-
}
26+
},
27+
'overrides': [
28+
{
29+
'files': ['lib/client/*.js'],
30+
'rules': {
31+
'security/detect-object-injection': 0
32+
}
33+
}
34+
],
2335
};
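Review bot: the `overrides` block added at lines 27-34 is redundant, because `'security/detect-object-injection' : 0` at line 19 already disables that rule for every file, so the client-only override at line 31 changes nothing. If the intent is to keep the rule active for server code and relax it only for `lib/client/*.js`, drop the global entry at line 19 and keep the override; otherwise drop the override. It is also worth confirming that `eslint-plugin-security` is added to devDependencies, which this hunk does not show.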

.github/workflows/codeql-analysis.yml

Lines changed: 1 addition & 0 deletions
@@ -25,6 +25,7 @@ jobs:
2525
analyze:
2626
name: Analyze
2727
runs-on: ubuntu-latest
28+
if: github.ref == 'refs/heads/dev' && github.repository_owner == 'nightscout'
2829

2930
strategy:
3031
fail-fast: false
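Review bot: the job-level `if:` added at line 28 limits CodeQL to pushes to `refs/heads/dev` in the `nightscout` repository, so pull requests (whose `github.ref` is a `refs/pull/...` merge ref) and the master/release branches are no longer analyzed. If the aim is only to stop forks from running the workflow, keep the `repository_owner` check and drop the branch check, or add a `pull_request` trigger so findings surface before merge.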

.gitignore

Lines changed: 1 addition & 1 deletion
@@ -9,6 +9,7 @@ bundle/bundle.out.js
99
*.iml
1010
my.env
1111
my.*.env
12+
*.pem
1213

1314
static/bower_components/
1415
.*.sw?
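Review bot: ignoring `*.pem` at line 12 keeps locally generated key files out of version control, but if the image is built from a working checkout with the Dockerfile touched in this commit, the same pattern should be mirrored in `.dockerignore` (not shown here) so a local key is not baked into the image. A short comment naming which file the pattern is meant to cover would also help, since nothing in this hunk says what produces the `.pem`.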
@@ -28,5 +29,4 @@ npm-debug.log
2829
/cgm-remote-monitor.njsproj
2930
/cgm-remote-monitor.sln
3031
/obj/Debug
31-
/bin
3232
/*.bat
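Review bot: removing `/bin` from the ignore list at line 31 means anything a build or tool drops into `bin/` will now show up as untracked and can be committed by accident; if `bin/` is meant to be tracked from now on, say so in the commit message, otherwise keep the entry.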

Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -15,4 +15,4 @@ RUN npm install && \
1515

1616
EXPOSE 1337
1717

18-
CMD ["node", "server.js"]
18+
CMD ["node", "lib/server/server.js"]
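Review bot: the CMD change at line 18 matches the Procfile change in this commit, but any other launcher that still points at `server.js` in the project root (for example the npm start script, not visible here) needs the same update, or the image and other deployments will start different entry points.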

Procfile

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
web: node server.js
1+
web: node lib/server/server.js

README.md

Lines changed: 13 additions & 2 deletions
@@ -104,6 +104,7 @@ See [CONTRIBUTING.md](CONTRIBUTING.md)
104104
- [`bage` (Battery Age)](#bage-battery-age)
105105
- [`treatmentnotify` (Treatment Notifications)](#treatmentnotify-treatment-notifications)
106106
- [`basal` (Basal Profile)](#basal-basal-profile)
107+
- [`bolus` (Bolus Rendering)](#bolus-bolus-rendering)
107108
- [`bridge` (Share2Nightscout bridge)](#bridge-share2nightscout-bridge)
108109
- [`mmconnect` (MiniMed Connect bridge)](#mmconnect-minimed-connect-bridge)
109110
- [`pump` (Pump Monitoring)](#pump-pump-monitoring)
@@ -294,6 +295,8 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs/ or
294295
### Predefined values for your browser settings (optional)
295296

296297
* `TIME_FORMAT` (`12`)- possible values `12` or `24`
298+
* `DAY_START` (`7.0`) - time for start of day (0.0 - 24.0) for features using day time / night time options
299+
* `DAY_END` (`21.0`) - time for end of day (0.0 - 24.0) for features using day time / night time options
297300
* `NIGHT_MODE` (`off`) - possible values `on` or `off`
298301
* `SHOW_RAWBG` (`never`) - possible values `always`, `never` or `noise`
299302
* `CUSTOM_TITLE` (`Nightscout`) - Title for the main view
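Review bot: the `DAY_START`/`DAY_END` entries at lines 298-299 say the value is `0.0 - 24.0` but not what the fraction means; state explicitly that these are decimal hours (so `21.5` is 21:30, not 21:50), and document what the day/night features do when `DAY_START` is not less than `DAY_END`.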
@@ -311,7 +314,6 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs/ or
311314
* The `linear` option has equidistant tick marks; the range used is dynamic so that space at the top of chart isn't wasted.
312315
* The `log-dynamic` is similar to the default `log` options, but uses the same dynamic range and the `linear` scale.
313316
* `EDIT_MODE` (`on`) - possible values `on` or `off`. Enables the icon allowing for editing of treatments in the main view.
314-
* `BOLUS_RENDER_OVER` (1) - U value over which the bolus values are rendered on the chart if the 'x U and Over' option is selected. This value can be an integer or a float, e.g. 0.3, 1.5, 2, etc...
315317

316318
### Predefined values for your server settings (optional)
317319
* `INSECURE_USE_HTTP` (`false`) - Redirect unsafe http traffic to https. Possible values `false`, or `true`. Your site redirects to `https` by default. If you don't want that from Nightscout, but want to implement that with a Nginx or Apache proxy, set `INSECURE_USE_HTTP` to `true`. Note: This will allow (unsafe) http traffic to your Nightscout instance and is not recommended.
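Review bot: the `BOLUS_RENDER_OVER` entry removed at line 314 documented a default of `1`, while the new `bolus` plugin section later in this diff documents the same setting with a default of `0`; that is a behaviour change for deployments relying on the old default and should be called out in the release notes, which currently only say that bolus rendering is more configurable.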
@@ -468,12 +470,20 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs/ or
468470
* `BAGE_URGENT` (`360`) - If time since last `Pump Battery Change` matches `BAGE_URGENT` hours, user will be issued a persistent warning of overdue change (default of 360 hours is 15 days).
469471

470472
##### `treatmentnotify` (Treatment Notifications)
471-
Generates notifications when a treatment has been entered and snoozes alarms minutes after a treatment. Default snooze is 10 minutes, and can be set using the `TREATMENTNOTIFY_SNOOZE_MINS` [extended setting](#extended-settings).
473+
Generates notifications when a treatment has been entered and snoozes alarms minutes after a treatment.
474+
* `TREATMENTNOTIFY_SNOOZE_MINS` (`10`) - Number of minutes to snooze notifications after a treatment is entered
475+
* `TREATMENTNOTIFY_INCLUDE_BOLUSES_OVER` (`0`) - U value over which the bolus will trigger a notification and snooze alarms
472476

473477
##### `basal` (Basal Profile)
474478
Adds the Basal pill visualization to display the basal rate for the current time. Also enables the `bwp` plugin to calculate correction temp basal suggestions. Uses the `basal` field from the [treatment profile](#treatment-profile). Also uses the extended setting:
475479
* `BASAL_RENDER` (`none`) - Possible values are `none`, `default`, or `icicle` (inverted)
476480

481+
##### `bolus` (Bolus Rendering)
482+
Settings to configure Bolus rendering
483+
* `BOLUS_RENDER_OVER` (`0`) - U value over which the bolus labels use the format defined in `BOLUS_RENDER_FORMAT`. This value can be an integer or a float, e.g. 0.3, 1.5, 2, etc.
484+
* `BOLUS_RENDER_FORMAT` (`default`) - Possible values are `hidden`, `default` (with leading zero and U), `concise` (with U, without leading zero), and `minimal` (without leading zero and U).
485+
* `BOLUS_RENDER_FORMAT_SMALL` (`default`) - Possible values are `hidden`, `default` (with leading zero and U), `concise` (with U, without leading zero), and `minimal` (without leading zero and U).
486+
477487
##### `bridge` (Share2Nightscout bridge)
478488
Glucose reading directly from the Dexcom Share service, uses these extended settings:
479489
* `BRIDGE_USER_NAME` - Your username for the Share service.
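Review bot: the sentence at line 473, "snoozes alarms minutes after a treatment", is missing its quantity; suggest "snoozes alarms for `TREATMENTNOTIFY_SNOOZE_MINS` minutes after a treatment". In the new `bolus` section, `BOLUS_RENDER_FORMAT_SMALL` at line 485 repeats the description of `BOLUS_RENDER_FORMAT` word for word without saying when the small format applies (presumably boluses at or below `BOLUS_RENDER_OVER`), and `TREATMENTNOTIFY_INCLUDE_BOLUSES_OVER` at line 475 should state whether the comparison is strict, since with a default of `0` that decides whether every bolus triggers a notification.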
@@ -511,6 +521,7 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs/ or
511521
* `PUMP_URGENT_BATT_P` (`20`) - The % of the pump battery remaining, an urgent alarm will be triggered when dropping below this threshold.
512522
* `PUMP_WARN_BATT_V` (`1.35`) - The voltage (if percent isn't available) of the pump battery, a warning will be triggered when dropping below this threshold.
513523
* `PUMP_URGENT_BATT_V` (`1.30`) - The voltage (if percent isn't available) of the pump battery, an urgent alarm will be triggered when dropping below this threshold.
524+
* `PUMP_WARN_BATT_QUIET_NIGHT` (`false`) - Do not generate battery alarms at night.
514525

515526
##### `openaps` (OpenAPS)
516527
Integrated OpenAPS loop monitoring, uses these extended settings:
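Review bot: `PUMP_WARN_BATT_QUIET_NIGHT` at line 524 says "at night" without defining it; state that night means the time outside `DAY_START`..`DAY_END` (if that is how it is implemented) and whether the setting silences only the warning level, as the `WARN` in the name suggests, or the urgent alarm as well.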
