major: kestrel is now a tak server (#6)
All checks were successful
ci/woodpecker/push/push Pipeline was successful
All checks were successful
ci/woodpecker/push/push Pipeline was successful
## Added - CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity - Support for TAK stream protocol and traditional XML CoT messages - TLS/SSL support with automatic fallback to plain TCP - Username/password authentication for CoT connections - Real-time device position tracking with TTL-based expiration (90s default) - API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password` - TAK Server section in Settings with QR code for iTAK setup - ATAK password management in Account page for OIDC users - CoT device markers on map showing real-time positions - Comprehensive documentation in `docs/` directory - Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG` - Dependencies: `fast-xml-parser`, `jszip`, `qrcode` ## Changed - Authentication system supports CoT password management for OIDC users - Database schema includes `cot_password_hash` field - Test suite refactored to follow functional design principles ## Removed - Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js` ## Security - XML entity expansion protection in CoT parser - Enhanced input validation and SQL injection prevention - Authentication timeout to prevent hanging connections ## Breaking Changes - Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations. ## Migration Notes - OIDC users must set ATAK password via Account settings before connecting - Docker: expose port 8089 (`-p 8089:8089`) - Kubernetes: update Helm values to expose port 8089 Co-authored-by: Madison Grubb <madison@elastiflow.com> Reviewed-on: #6
This commit was merged in pull request #6.
This commit is contained in:
79
docs/atak-itak.md
Normal file
79
docs/atak-itak.md
Normal file
@@ -0,0 +1,79 @@
|
||||
# ATAK and iTAK
|
||||
|
||||
KestrelOS acts as a **TAK Server**. ATAK (Android) and iTAK (iOS) connect on **port 8089** (CoT). Devices relay positions to each other and appear on the KestrelOS map.
|
||||
|
||||
## Connection
|
||||
|
||||
**Host:** KestrelOS hostname/IP
|
||||
**Port:** `8089` (CoT)
|
||||
**SSL:** Enable if server uses TLS (`.dev-certs/` or production cert)
|
||||
|
||||
**Authentication:**
|
||||
- **Username:** KestrelOS identifier
|
||||
- **Password:** Login password (local) or ATAK password (OIDC; set in **Account**)
|
||||
|
||||
## ATAK (Android)
|
||||
|
||||
1. **Settings** → **Network** → **Connections** → Add **TAK Server**
|
||||
2. Set **Host** and **Port** (`8089`)
|
||||
3. Enable **Use Authentication**, enter username/password
|
||||
4. Save and connect
|
||||
|
||||
## iTAK (iOS)
|
||||
|
||||
**Option A - QR code (easiest):**
|
||||
1. KestrelOS **Settings** → **TAK Server** → Scan QR with iTAK
|
||||
2. Enter username/password when prompted
|
||||
|
||||
**Option B - Manual:**
|
||||
1. **Settings** → **Network** → Add **TAK Server**
|
||||
2. Set **Host**, **Port** (`8089`), enable SSL if needed
|
||||
3. Enable **Use Authentication**, enter username/password
|
||||
4. Save and connect
|
||||
|
||||
## Self-Signed Certificate (iTAK)
|
||||
|
||||
If server uses self-signed cert (`.dev-certs/`):
|
||||
|
||||
**Upload server package:**
|
||||
1. KestrelOS **Settings** → **TAK Server** → **Download server package (zip)**
|
||||
2. Transfer to iPhone (AirDrop, email, Safari)
|
||||
3. iTAK: **Settings** → **Network** → **Servers** → **+** → **Upload server package**
|
||||
4. Enter username/password
|
||||
|
||||
**Or use plain TCP:**
|
||||
1. Stop KestrelOS, remove `.dev-certs/`, restart
|
||||
2. Add server with **SSL disabled**
|
||||
|
||||
**ATAK (Android):** Download trust store from `https://your-server/api/cot/truststore`, import `.p12` (password: `kestrelos`), or use server package/plain TCP.
|
||||
|
||||
## OIDC Users
|
||||
|
||||
OIDC users must set an **ATAK password** first:
|
||||
1. Sign in with OIDC
|
||||
2. **Account** → **ATAK / device password** → set password
|
||||
3. Use KestrelOS username + ATAK password in TAK client
|
||||
|
||||
## Configuration
|
||||
|
||||
| Variable | Default | Description |
|
||||
|----------|---------|-------------|
|
||||
| `COT_PORT` | `8089` | CoT server port |
|
||||
| `COT_TTL_MS` | `90000` | Device timeout (~90s) |
|
||||
| `COT_REQUIRE_AUTH` | `true` | Require authentication |
|
||||
| `COT_SSL_CERT` | `.dev-certs/cert.pem` | TLS cert path |
|
||||
| `COT_SSL_KEY` | `.dev-certs/key.pem` | TLS key path |
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
**"Error authenticating" with no `[cot]` logs:**
|
||||
- Connection not reaching server (TLS handshake failed or firewall blocking)
|
||||
- Check server logs show `[cot] CoT server listening on 0.0.0.0:8089`
|
||||
- Verify port `8089` (not `3000`) and firewall allows it
|
||||
- For TLS: trust cert (server package) or use plain TCP
|
||||
|
||||
**"Error authenticating" with `[cot]` logs:**
|
||||
- Username must be KestrelOS identifier
|
||||
- Password must match (local: login password; OIDC: ATAK password)
|
||||
|
||||
**Devices not on map:** They appear only while sending updates; drop off after TTL (~90s).
|
||||
Reference in New Issue
Block a user