change loading config.js, allow variables in config.js and try to protect sensitive data#4029
Merged
KristjanESPERANTO merged 1 commit intoMagicMirrorOrg:developfrom Feb 5, 2026
Merged
Conversation
…variables in config.js - centralize loadConfig in Utils for use in app and check_config - add functionality to hide secrets in browser (only for node_helper modules), per default off
Collaborator
|
Wow, that's great! 👏 I'm in the process of rewriting the weather modules to be server-side. That would also make them a bit more secure 🙂 |
Collaborator
|
Nice! |
Merged
KristjanESPERANTO
pushed a commit
that referenced
this pull request
Feb 7, 2026
- fix copy/paste typo in redacted replacement - create redacted content only if hideConfigSecrets is true follow up for #4029
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Loading
config.jsPreviously
Loaded on server-side in
app.jsand in the browser by includingconfig.jsinindex.html. The web server has an endpoint/configproviding the content of server loadedconfig.js.Now
Loaded only on server-side in
app.js. The browser loads the content using the web server endpoint/config. So the server has control what to provide to the clients.Loading the
config.jswas moved toUtils.jsso thatcheck_config.jscan use the same functions.Using environment variables in
config.jsPreviously
Environment variables were not allowed in
config.js. The workaround was to create aconfig.js.templatewith curly braced bash variables allowed. While starting the app theconfig.js.templatewas converted viaenvsubinto aconfig.js.Now
Curly braced bash variables are allowed in
config.js. Because only the server loadsconfig.jshe can substitute the variables while loading.Secrets in MagicMirror²
To be honest, this is a mess.
Previously
All content defined in the
configdirectory was reachable from the browser. Everyone with access to the site could see all stuff defined in the configuration e.g. using the url http://ip:8080/config. This included api keys and other secrets.So sharing a MagicMirror² url to others or running MagicMirror² without authentication as public website was not possible.
Now
With this PR we add (beta) functionality to protect sensitive data. This is only possible for modules running with a
node_helper. For modules running in the browser only (e.g. defaultweathermodule), there is no way to hide data (per construction). This does not mean, that every module withnode_helperis safe, e.g. the defaultcalendarmodule is not safe because it uses the calendar url's as sort of id and sends them to the client.For adding more security you have to set
hideConfigSecrets: trueinconfig.js. With this:config/config.envis not deliverd to the browserSECRET_are not published to the clientsThis is a first step to protect sensitive data and you can at least protect some secrets.