major: kestrel is now a tak server (#6)

## Added - CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity - Support for TAK stream protocol and traditional XML CoT messages - TLS/SSL support with automatic fallback to plain TCP - Username/password authentication for CoT connections - Real-time device position tracking with TTL-based expiration (90s default) - API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password` - TAK Server section in Settings with QR code for iTAK setup - ATAK password management in Account page for OIDC users - CoT device markers on map showing real-time positions - Comprehensive documentation in `docs/` directory - Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG` - Dependencies: `fast-xml-parser`, `jszip`, `qrcode` ## Changed - Authentication system supports CoT password management for OIDC users - Database schema includes `cot_password_hash` field - Test suite refactored to follow functional design principles ## Removed - Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js` ## Security - XML entity expansion protection in CoT parser - Enhanced input validation and SQL injection prevention - Authentication timeout to prevent hanging connections ## Breaking Changes - Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations. ## Migration Notes - OIDC users must set ATAK password via Account settings before connecting - Docker: expose port 8089 (`-p 8089:8089`) - Kubernetes: update Helm values to expose port 8089 Co-authored-by: Madison Grubb <madison@elastiflow.com> Reviewed-on: #6
2026-02-17 16:41:41 +00:00
parent b18283d3b3
commit e61e6bc7e3
117 changed files with 5329 additions and 1040 deletions
--- a/app/pages/settings.vue
+++ b/app/pages/settings.vue
@@ -36,6 +36,67 @@
      </div>
    </section>

+    <section class="mb-8">
+      <h3 class="kestrel-section-label">
+        TAK Server (ATAK / iTAK)
+      </h3>
+      <div class="kestrel-card p-4">
+        <p class="mb-3 text-sm text-kestrel-text">
+          Scan this QR code with iTAK (or ATAK) to add this KestrelOS server. You'll be prompted for your KestrelOS username and password after scanning.
+        </p>
+        <div
+          v-if="takQrDataUrl"
+          class="inline-block rounded-lg border border-kestrel-border bg-white p-3"
+        >
+          <img
+            :src="takQrDataUrl"
+            alt="TAK Server QR code"
+            class="h-48 w-48"
+            width="192"
+            height="192"
+          >
+        </div>
+        <p
+          v-else-if="takQrError"
+          class="text-sm text-red-400"
+        >
+          {{ takQrError }}
+        </p>
+        <p
+          v-else
+          class="text-sm text-kestrel-muted"
+        >
+          Loading QR code…
+        </p>
+        <p
+          v-if="takServerString"
+          class="mt-3 text-xs text-kestrel-muted break-all"
+        >
+          {{ takServerString }}
+        </p>
+        <template v-if="cotConfig?.ssl">
+          <p class="mt-3 text-sm text-kestrel-text">
+            This server uses a self-signed certificate. iTAK will not connect until it trusts the cert.
+          </p>
+          <ol class="mt-2 list-decimal list-inside space-y-1 text-sm text-kestrel-text">
+            <li>
+              <strong>Upload server package:</strong> Download below, then in iTAK tap Add Server (+) → Upload server package and select the zip; enter KestrelOS username and password when prompted.
+            </li>
+            <li>
+              <strong>Plain TCP:</strong> Remove or rename <code class="bg-kestrel-surface px-1 rounded">.dev-certs</code>, restart, then in iTAK add the server with SSL disabled.
+            </li>
+          </ol>
+          <a
+            href="/api/cot/server-package"
+            download="kestrelos-itak-server-package.zip"
+            class="kestrel-btn-secondary mt-3 inline-block"
+          >
+            Download server package (zip)
+          </a>
+        </template>
+      </div>
+    </section>
+
    <section>
      <h3 class="kestrel-section-label">
        About
@@ -67,6 +128,11 @@ const tilesMessage = ref('')
 const tilesMessageSuccess = ref(false)
 const tilesLoading = ref(false)

+const cotConfig = ref(null)
+const takQrDataUrl = ref('')
+const takQrError = ref('')
+const takServerString = ref('')
+
 async function loadTilesStored() {
  if (typeof window === 'undefined') return
  try {
@@ -106,7 +172,26 @@ async function onClearTiles() {
  }
 }

+async function loadTakQr() {
+  if (typeof window === 'undefined') return
+  try {
+    const res = await $fetch('/api/cot/config')
+    cotConfig.value = res
+    const hostname = window.location.hostname
+    const port = res?.port ?? 8089
+    const protocol = res?.ssl ? 'ssl' : 'tcp'
+    const str = `KestrelOS,${hostname},${port},${protocol}`
+    takServerString.value = str
+    const QRCode = (await import('qrcode')).default
+    takQrDataUrl.value = await QRCode.toDataURL(str, { width: 192, margin: 1 })
+  }
+  catch (e) {
+    takQrError.value = e?.data?.error ?? e?.message ?? 'Could not load TAK server config.'
+  }
+}
+
 onMounted(() => {
  loadTilesStored()
+  loadTakQr()
 })
 </script>