RDKB-62411:Alert message for Invalid password login is not coming as expected

CHANGELOG.md

@@ -4,16 +4,24 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [1.4.0](https://github.com/rdkcentral/webui/compare/1.3.0...1.4.0)
+
+- RDKB-61349: [SECVULN] Issuer and audience validation missing [`#65`](https://github.com/rdkcentral/webui/pull/65)
+- XER10-1896: Adding regex to validate client hostname [`#76`](https://github.com/rdkcentral/webui/pull/76)
+- Merge tag '1.3.0' into develop [`1547fb9`](https://github.com/rdkcentral/webui/commit/1547fb9941bcb1c50feb2cb83a36afa0c47eda8f)
+
 #### [1.3.0](https://github.com/rdkcentral/webui/compare/1.2.1...1.3.0)
 
+> 6 November 2025
+
 - RDKB-61788 : Input elements blocked in WebUI can be bypassed in HCM mode [`#40`](https://github.com/rdkcentral/webui/pull/40)
 - RDKB-61758: Removed MoCA option in GUI in bridge mode. [`#66`](https://github.com/rdkcentral/webui/pull/66)
 - RDKB-62246 : Harden WebUI Login - Exclude for sky partner [`#64`](https://github.com/rdkcentral/webui/pull/64)
 - RDKB-61875: 320MHz BW is not greyed out for ax mode in 6G [`#60`](https://github.com/rdkcentral/webui/pull/60)
 - RDKB-62077: Failed to add Parental Control Managed Service with Alway… [`#63`](https://github.com/rdkcentral/webui/pull/63)
 - RDKB-62246 : Harden WebUI Login - Exclude sky dev [`3640651`](https://github.com/rdkcentral/webui/commit/3640651507fcc6b59a0de629aac7a067151da825)
+- Add changelog for release [`6c027d8`](https://github.com/rdkcentral/webui/commit/6c027d8fbc9eb1949c0a89ea498cb0613caa59aa)
 - RDKB-62077: Failed to add Parental Control Managed Service with AlwaysBlock enabled [`aeee8d9`](https://github.com/rdkcentral/webui/commit/aeee8d90f5d68201cd96a8fe9172a96f3845c02d)
-- RDKB-61875: 320MHz BW is not grayed out for ax mode in 6G [`0295e22`](https://github.com/rdkcentral/webui/commit/0295e22210c281a7a7b453cd94e54f18f63d296e)
 
 #### [1.2.1](https://github.com/rdkcentral/webui/compare/1.2.0...1.2.1)
 

source/Styles/xb3/jst/check.jst

@@ -360,7 +360,12 @@ else
                 }
                 if($flag==0){
 //                    session_destroy();
+                   $partnersId = getStr("Device.DeviceInfo.X_RDKCENTRAL-COM_Syndication.PartnerId");
+                   if (strpos($partnersId, "sky-") !== false) {
+                       sendError( '<script type="text/javascript"> alert($.i18n("Username or password is incorrect!"));history.back(); </script>');
+                   } else {
                     sendError( '<script type="text/javascript"> alert($.i18n("Authentication failed. The default password is printed on the bottom or back of your router - use this if you haven’t already changed it."));history.back(); </script>');
+                   }
                 }
             }
             else

source/Styles/xb3/jst/connected_devices_computers.jst

@@ -204,10 +204,10 @@ if($locale=="it" || $locale=="en_GB"){
                 $onlinePrivateNetworkHost[$j.toString()]={};
 			        $onlinePrivateNetworkHost[$j.toString()]['instanceID'] = $i + 1;
 			        array_push($onlinePrivateInstanceArr, $onlinePrivateNetworkHost[$j.toString()]['instanceID']);
-			        if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0)) 
-			        	$onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
-			        else
-			        	$onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+					if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName']))
+                                    $onlinePrivateNetworkHost[$j.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+                    else
+                                    $onlinePrivateNetworkHost[$j.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
 			        array_push($onlineHostNameArr, $onlinePrivateNetworkHost[$j.toString()]['HostName']);
                     $onlinePrivateNetworkHost[$j.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
                     // IPV6 link-local address
@@ -236,10 +236,10 @@ if($locale=="it" || $locale=="en_GB"){
 				$offlinePrivateNetworkHost[$k]={};
 			        $offlinePrivateNetworkHost[$k.toString()]['instanceID'] = $i + 1;
 				array_push($offlinePrivateInstanceArr, $offlinePrivateNetworkHost[$k.toString()]['instanceID']);
-			        if (($Host[$i]['HostName'] == "*") || (strlen($Host[$i]['HostName']) == 0)) 
-			        	$offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);
-			        else
-			        	$offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+				if ((strlen($Host[$i]['HostName']) != 0) && isValidHostname($Host[$i]['HostName'])) 
+						$offlinePrivateNetworkHost[$k.toString()]['HostName'] = $Host[$i.toString()]['HostName'];
+			    else
+			        	$offlinePrivateNetworkHost[$k.toString()]['HostName'] = strtoupper($Host[$i.toString()]['PhysAddress']);	
 				array_push($offlineHostNameArr, $offlinePrivateNetworkHost[$k.toString()]['HostName']);				
                     $offlinePrivateNetworkHost[$k.toString()]['IPv4Address'] = $Host[$i.toString()]['IPv4Address.1.IPAddress'];
                     // IPV6 link-local address

source/Styles/xb3/jst/connection_status.jst

@@ -419,8 +419,10 @@ if(($allowEthWan=="true") || ($autoWanEnable=="true")) {
                             	 echo('<span class="value" id="actethwan">Active Ethernet WAN');
                             }else if(strtolower($selectedOperationalMode)=="docsis"){
 				echo('<span class="value" id="actdocwan">Active Docsis WAN');
-                            }else{
+                            }else if($selectedOperationalMode == "auto"){
 				echo('<span class="value" id="actautwan">Active Auto WAN');
+                            }else{
+                                echo('<span class="value" id="unknown">Unknown WAN');
                             }
                           }else{
                             $wan_enable= getStr("Device.Ethernet.X_RDKCENTRAL-COM_WAN.Enabled");

source/Styles/xb3/jst/includes/jwt.jst

@@ -9,6 +9,59 @@ $JWTdir = "/tmp/.jwt/";
 $PUBKEYFILE = $JWTdir + "pubkey.cer";
 $JWTkeyfile = $JWTdir + "keys";
 $KeyURL = "https://login.microsoftonline.com/906aefe9-76a7-4f65-b82d-5ec20775d5aa/discovery/v2.0/keys";
+$expected_issuer = "https://login.microsoftonline.com/" + $tid + "/v2.0";
+
+function GetExpectedAud()
+{
+    var file = "/etc/webui/aud.conf";
+
+    if (!file_exists(file)) {
+        LogStr("aud.conf missing");
+        return "";
+    }
+
+    var lines = file_get_contents(file).split("\n");
+
+    var env = "prod";
+    var expectedAud = "";
+    var line, key, val, pos;
+
+    for (var i = 0; i < lines.length; i++) {
+        line = lines[i];
+
+        pos = strpos(line, "=");
+        if (pos <= 0) continue;
+
+        key = substr(line, 0, pos);
+        val = substr(line, pos + 1);
+
+        if (key == "env") {
+            env = val;
+            break;
+        }
+    }
+
+    var audKey = "aud_" + env;
+    for (var i = 0; i < lines.length; i++) {
+        line = lines[i];
+
+        pos = strpos(line, "=");
+        if (pos <= 0) continue;
+
+        key = substr(line, 0, pos);
+        val = substr(line, pos + 1);
+
+        if (key == audKey) {
+            expectedAud = val;
+            break;
+        }
+    }
+    if (expectedAud == "") {
+        LogStr("No AUD for " + audKey);
+        return "";
+    }
+    return expectedAud;
+}
 
 function VerifyToken($token)
 {
@@ -26,16 +79,10 @@ function VerifyToken($token)
         if( $validtoken == true )
         {
             $decodeddata = base64decode_url( $tokensegs[1] );
-            $decodeddata = trim( $decodeddata, "{}" );
-            $decodeddata = str_replace( '{', '', $decodeddata);
-            $decodeddata = str_replace( '}', '', $decodeddata);
-            $decodeddata = $decodeddata.split('"').join('');
-            $pair = explode( ',', $decodeddata );
-            for ( $k in $pair ) {
-                temp = $pair[$k];
-                list = {};
-                list = explode( ':', temp, 2 );
-                $tokendata[list[0]] = list[1];
+            $tokendata = json_decode($decodeddata, true);
+            if ($tokendata === null) {
+                LogStr("ERROR: Failed to decode JWT payload JSON");
+                return false;
             }
             $validtoken &= VerifyTokenData( $tokendata );
         }
@@ -155,19 +202,32 @@ function VerifyTokenData($tkdata)
     $tokennbf = parseInt( $tkdata['nbf'] );
     $tokenexp = parseInt( $tkdata['exp'] );
 
-    if( ($curtime < $tokenexp)        // current time must be < expiration
-        && ($curtime >= $tokennbf)    // current time must be >= not before time
-        && ($curtime >= $tokeniat) )  // current time must be >= issued at time
+    $skew = 120; // 2-minute drift tolerance
+
+    if( ($curtime < ($tokenexp + $skew))
+        && ($curtime >= ($tokennbf - $skew))
+        && ($curtime >= ($tokeniat - $skew)) )
     {
-        if( $tkdata['tid'] == $tid )
+        // Tenant validation
+        if( $tkdata['tid'] != $tid )
         {
-            $retval = true;
+            LogStr(" : Error: Token fails Tenant ID ");
+            return false;
         }
-        else
+        // Issuer validation
+        if( !isset($tkdata['iss']) || $tkdata['iss'] != $expected_issuer )
+        {
+            LogStr(" : Error: Token fails issuer validation ");
+            return false;
+        }
+        // Audience validation
+        $expected_aud = GetExpectedAud();
+        if( !isset($tkdata['aud']) || $tkdata['aud'] != $expected_aud )
         {
-            $errstr = " : Error: Token fails Tenant ID, tid=" + $tkdata['tid'];
-            LogStr( $errstr );
+            LogStr(" : Error: Token fails audience validation");
+            return false;
         }
+        $retval = true;
     }
     else
     {
@@ -248,10 +308,9 @@ function LogBeginLoginAttempt()
 function LogTokenData($tkdata)
 {
 
-    $email = SHA256($tkdata['email']);
-    $strhex = asc2hex($email);
-    $str = " : OAUTH userId=" + $strhex;
-    $str = $str + "  JWT expiration=" + $tkdata['exp'] ;
+    $objId = SHA256($tkdata['oid']);
+    $strhex = asc2hex($objId);
+    $str = " : OAUTH objectId=" + $objId + "  JWT expiration=" + $tkdata['exp'];
 
     LogStr( $str );
 }

source/Styles/xb3/jst/includes/utility.jst

@@ -1237,20 +1237,18 @@ function current_operationalMode()
                   $selectedOperationalMode=getStr("Device.X_RDKCENTRAL-COM_EthernetWAN.SelectedOperationalMode");
 		  }
         else{
-		if(is_docsis_supported()) {
-                  $docsisEnable =getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
-                  $ethernetEnable =getStr("Device.X_RDK_WanManager.Interface.2.Selection.Enable");
-		} else {
-		  $ethernetEnable = getStr("Device.X_RDK_WanManager.Interface.1.Selection.Enable");
-		  $docsisEnable = "false";
-		}
-
-                  if(($ethernetEnable=="true") && ($docsisEnable=="false")){
-                         $selectedOperationalMode="Ethernet";
-                  }else if(($ethernetEnable=="false") && ($docsisEnable=="true")){
-                         $selectedOperationalMode="DOCSIS";
-                  }else if(($ethernetEnable=="true") && ($docsisEnable=="true")){
-                         $selectedOperationalMode="Auto";
+            $selectedOperationalMode = getStr("Device.X_RDK_WanManager.InterfaceAvailableStatus");
+            if ($selectedOperationalMode == "") {
+                $selectedOperationalMode = "unknown";
+            }
+            else if ($selectedOperationalMode.includes("|")) {
+                //If more than a single WAN is configured
+                $selectedOperationalMode = "auto";
+            }
+            else {
+                // Split the string by comma and extract the first part
+                $parts = $selectedOperationalMode.split(",");
+                $selectedOperationalMode = $parts[0];
             }
         }
          return $selectedOperationalMode;
@@ -1278,4 +1276,14 @@ function get_dhcp_client_interfaces()
 	if($dhcp_client_interfaces.v6 == "") $dhcp_client_interfaces.v6 = "Device.DHCPv6.Client.1";
 	return $dhcp_client_interfaces;
 }
+
+/**
+* Description:
+* verifies the validity of client hostname
+* return true if patten match otherwise false
+*/
+function isValidHostname(hostname) {
+    var $hostnameRegex = /^[a-zA-Z0-9_-]{1,30}$/;
+    return $hostnameRegex.test(hostname);
+}
 ?>

source/Styles/xb6/jst/wireless_network_configuration_onewifi.jst

@@ -1,6 +1,6 @@
 <?%
 /*
  If not stated otherwise in this file or this component's Licenses.txt file the
  following copyright and licenses apply:
 
  Copyright 2018 RDK Management
@@ -808,6 +808,13 @@
 			$("#operation_mode1").prop("disabled", true);
 		}
 	}).trigger("change");
+    $("#wireless_mode3").change(function() {
+            if ("ax"==$("#wireless_mode3").val()) {
+                    $("#channel_bandwidth7").prop("disabled", true);
+            } else if("ax,be"==$("#wireless_mode3").val() || "be"==$("#wireless_mode3").val()) {
+                    $("#channel_bandwidth7").prop("disabled", false);
+            }
+    }).trigger("change");
     $("#channel_number").change(function() {
 		show_extch(document.getElementById("channel_number").value);
 	}).trigger("change");
@@ -1869,7 +1876,9 @@
 	</div>
 	<div class="form-row">
 		<label for="guard_interval800ns" id="wiremess19">Guard Interval:</label>
-		<input type="radio"  name="guard_interval" value="400nsec"  id="guard_interval800ns" checked="checked" /><b>400ns</b>
+		<?% if ("g,n" == $wireless_mode) { ?>
+			<input type="radio"  name="guard_interval" value="400nsec"  id="guard_interval800ns" checked="checked" /><b>400ns</b>
+		<?% } ?>
 		<label for="guard_interval400ns" class="acs-hide"></label>
 		<input type="radio"  name="guard_interval" value="800nsec"  id="guard_interval400ns" <?% if ("800nsec"==$guard_interval) echo( 'checked="checked"');?> /><b>800ns</b>
 		<?% if (strstr($support_mode, "be")){ ?>
@@ -2121,7 +2130,9 @@
 	</div>
 	<div class="form-row odd">
 		<label for="guard_interval800ns1" id="wiremess19">Guard Interval:</label>
-		<input type="radio"  name="guard_interval1" value="400nsec"  id="guard_interval800ns1" checked="checked" /><b>400ns</b>
+		<?% if ("a,n" == $wireless_mode1 || "a,n,ac" == $wireless_mode1) { ?>
+			<input type="radio"  name="guard_interval1" value="400nsec"  id="guard_interval800ns1" checked="checked" /><b>400ns</b>
+		<?% } ?>
 		<label for="guard_interval400ns1" class="acs-hide"></label>
 		<input type="radio"  name="guard_interval1" value="800nsec"  id="guard_interval400ns1" <?% if ("800nsec"==$guard_interval1) echo('checked="checked"');?> /><b>800ns</b>
 		<?% if (strstr($support_mode_5g, "be")){ ?>
@@ -2314,7 +2325,6 @@
 	</div>
 	<div class="form-row odd">
 		<label for="guard_interval800ns1" id="wiremess19">Guard Interval:</label>
-		<input type="radio"  name="guard_interval3" value="400nsec"  id="guard_interval800ns1" checked="checked" /><b>400ns</b>
 		<label for="guard_interval400ns1" class="acs-hide"></label>
 		<input type="radio"  name="guard_interval3" value="800nsec"  id="guard_interval400ns1" <?% if ("800nsec"==$guard_interval3) echo('checked="checked"');?> /><b>800ns</b>
 		<?% if (strstr($support_mode_6g, "be")){ ?>