From d3b7b8ba9bc87bf05e7c559d25977adb6bb4323c Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Sat, 31 Jan 2026 18:37:21 +0100
Subject: [PATCH] fix(mitmproxy): Fix alerts display by reading from correct log path
The RPCD was looking for alerts in /tmp/secubox-mitm-alerts.json but the analytics addon writes to /var/log/crowdsec/secubox-mitm.log in JSONL format (one JSON object per line).
Changes:
- RPCD: Read from container's /var/log/crowdsec/secubox-mitm.log
- RPCD: Convert JSONL to JSON array using awk
- JS: Handle new field names (source_ip, timestamp, request)
Alerts now display correctly in LuCI dashboard.
Co-Authored-By: Claude Opus 4.5
---
 .../resources/view/mitmproxy/status.js | 13 +++++--
 .../root/usr/libexec/rpcd/luci.mitmproxy | 37 +++++++++++--------
 2 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/package/secubox/luci-app-mitmproxy/htdocs/luci-static/resources/view/mitmproxy/status.js b/package/secubox/luci-app-mitmproxy/htdocs/luci-static/resources/view/mitmproxy/status.js
index f9c3ce90..a44c38be 100644
--- a/package/secubox/luci-app-mitmproxy/htdocs/luci-static/resources/view/mitmproxy/status.js
+++ b/package/secubox/luci-app-mitmproxy/htdocs/luci-static/resources/view/mitmproxy/status.js
@@ -263,6 +263,12 @@ return view.extend({
 E('th', { 'class': 'th' }, _('Time'))
 ])
 ].concat(alerts.slice(-20).reverse().map(function(alert) {
+ // Handle both old format (method/path) and new format (request)
+ var requestStr = alert.request || ((alert.method || 'GET') + ' ' + (alert.path || '-'));
+ var sourceIp = alert.source_ip || alert.ip || '-';
+ var timeStr = alert.timestamp || alert.time || '';
+ var timeDisplay = timeStr ? timeStr.split('T')[1].split('.')[0] : '-';
+
 return E('tr', { 'class': 'tr' }, [
 E('td', { 'class': 'td' }, [
 E('span', {
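Review bot: `timeStr.split('T')[1].split('.')[0]` on the added `timeDisplay` line throws when the value has no `T` or is not a string, and a throw inside the `map` callback stops the whole alerts table from rendering. The value now also comes from `alert.timestamp`, whose format is not visible in this patch, so one unexpected log entry could blank the dashboard. A tolerant form would be `var timePart = String(timeStr).split('T')[1];` followed by `var timeDisplay = timePart ? timePart.split('.')[0] : (timeStr ? String(timeStr) : '-');`. The `map` callback starts in this hunk and continues past its end.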
@@ -271,13 +277,12 @@ return view.extend({
 ]),
 E('td', { 'class': 'td' }, (alert.pattern || alert.type || '-').replace(/_/g, ' ')),
 E('td', { 'class': 'td', 'style': 'max-width: 300px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;' },
- (alert.method || 'GET') + ' ' + (alert.path || '-')),
+ requestStr),
 E('td', { 'class': 'td' }, [
- alert.ip || '-',
+ sourceIp,
 alert.country ? E('span', { 'style': 'margin-left: 4px; color: #666;' }, '(' + alert.country + ')') : null
 ]),
- E('td', { 'class': 'td', 'style': 'white-space: nowrap; color: #666;' },
- alert.time ? alert.time.split('T')[1].split('.')[0] : '-')
+ E('td', { 'class': 'td', 'style': 'white-space: nowrap; color: #666;' }, timeDisplay)
 ]);
 })))
 ]) :
diff --git a/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy b/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy
index 828f06e8..a55e46f0 100755
--- a/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy
+++ b/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy
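Review bot: In status.js, `requestStr` and `timeDisplay` are handed to `E('td', …)` as bare strings; LuCI's documented `dom.append` behaviour is that a non-array string child is assigned through `innerHTML`, while array members become text nodes. `requestStr` carries the request line of intercepted traffic, so it should be treated as untrusted in the admin dashboard. Wrapping the values as `[ requestStr ]` and `[ timeDisplay ]` keeps them text-only, as already done for `sourceIp`. The pattern cell on the context line above has the same shape and is worth the same change; confirm the behaviour against the LuCI version shipped.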
@@ -339,31 +339,36 @@ do_stop() { [ -x /etc/init.d/mitmproxy ] && /etc/init.d/mitmproxy stop >/dev/nul
 do_restart() { [ -x /etc/init.d/mitmproxy ] && /etc/init.d/mitmproxy restart >/dev/null 2>&1; echo '{"success":true}'; }
 get_alerts() {
- # Read alerts from container
- local alerts_file="/tmp/secubox-mitm-alerts.json"
- local container_alerts=""
+ # Read alerts from container's JSONL log file
+ # The analytics addon writes one JSON object per line to /var/log/crowdsec/secubox-mitm.log
+ local log_file="/var/log/crowdsec/secubox-mitm.log"
+ local max_alerts=50
+ local alerts_json="[]"
- # Try to get alerts from LXC container
+ # Try to get last N alerts from LXC container and convert JSONL to JSON array
 if command -v lxc-attach >/dev/null 2>&1; then
- container_alerts=$(lxc-attach -n "$LXC_NAME" -- cat /tmp/secubox-mitm-alerts.json 2>/dev/null)
+ # Read last N lines, wrap in JSON array
+ local lines=$(lxc-attach -n "$LXC_NAME" -- tail -n "$max_alerts" "$log_file" 2>/dev/null)
+ if [ -n "$lines" ]; then
+ # Convert JSONL to JSON array: join lines with commas, wrap in brackets
+ alerts_json=$(echo "$lines" | awk '
+ BEGIN { printf "[" }
+ NR > 1 { printf "," }
+ { printf "%s", $0 }
+ END { printf "]" }
+ ')
+ fi
 fi
- # Fall back to host path if container method fails
- if [ -z "$container_alerts" ] || [ "$container_alerts" = "[]" ]; then
- [ -f "$alerts_file" ] && container_alerts=$(cat "$alerts_file" 2>/dev/null)
+ # Validate JSON - if invalid, return empty array
+ if ! echo "$alerts_json" | jsonfilter -e '@' >/dev/null 2>&1; then
+ alerts_json="[]"
 fi
- # Default to empty array
- [ -z "$container_alerts" ] && container_alerts="[]"
-
- json_init
- json_add_boolean "success" 1
-
- # Output raw alerts array
 cat <