You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns
Credential leak: screenly_inject.js enters and submits the configured username/password without checking that it is running on the expected Puzzel login origin. A malicious or accidentally configured dashboard_url could receive those credentials if it serves fields with the same IDs.
The injection script fills and submits credentials based only on field IDs, without verifying the current host or login path. If dashboard_url is misconfigured or redirects to a non-Puzzel page that contains matching selectors, the app can submit the configured Puzzel credentials to that page. Add an explicit location.hostname/path check before using screenly_settings.username or screenly_settings.password.
if(document.querySelector('#Input_Username')){if(!setValue('#Input_Username',screenly_settings.username)){console.log('[screenly_inject] Username field not found.')}else{constsubmitBtn=document.querySelector('button.submit-button[type="submit"]:not(.hidden)',)if(submitBtn){submitBtn.click()}else{console.log('[screenly_inject] Submit button not found.')}}}// Step 2 — password fieldif(document.querySelector('#Input_Password')){if(!setValue('#Input_Password',screenly_settings.password)){
The manifest still points the icon URL at puzzle-dashboard while this app was added under puzzel-dashboard. If the hosted path follows the app directory name, the icon will 404 in the app listing.
Latest suggestions up to cf11e1b
Explore these optional code suggestions:
Category
Suggestion
Impact
Possible issue
Fix manifest identification
Set a concrete id value so the manifest does not serialize id as null, which can cause deployment or app identification failures. Also update the icon path to match the renamed puzzel-dashboard directory so the asset URL does not point at the old app path.
Why: The id: field is blank and likely serializes to null, which can break manifest validation or app identification. The icon URL also appears to use puzzle-dashboard instead of the PR's puzzel-dashboard path, so this is a relevant deployment-quality fix.
Medium
Prevent duplicate login submission
Avoid running the password-step logic in the same injection pass after submitting the username step. If both fields are present in the DOM, the current code can click the submit button twice or submit the wrong step before navigation completes.
if (document.querySelector('#Input_Username')) {
if (!setValue('#Input_Username', screenly_settings.username)) {
console.log('[screenly_inject] Username field not found.')
} else {
const submitBtn = document.querySelector(
'button.submit-button[type="submit"]:not(.hidden)',
)
if (submitBtn) {
submitBtn.click()
} else {
console.log('[screenly_inject] Submit button not found.')
}
}
-}+} else if (document.querySelector('#Input_Password')) {-// Step 2 — password field-if (document.querySelector('#Input_Password')) {-
Suggestion importance[1-10]: 6
__
Why: The existing code uses two independent if blocks, so both login branches can run if both #Input_Username and #Input_Password exist in the DOM. Changing the second branch to else if is a reasonable defensive fix, though the actual Puzzel flow may normally expose only one field at a time.
Low
Avoid invalid credential submission
Guard against missing credential values before assigning them to an input. Without this, undefined or null can be converted into literal field values and submitted to the login form.
function setValue(selector, value) {
const el = document.querySelector(selector)
- if (!el) return false+ if (!el || value == null) return false
el.value = value
el.dispatchEvent(new Event('change', { bubbles: true }))
return true
}
Suggestion importance[1-10]: 5
__
Why: Guarding value == null prevents undefined or null credentials from being assigned to login inputs and submitted. This is a valid robustness improvement, but it is limited in impact and still allows empty strings from the configured defaults.
screenly.signalReadyForRendering() is called immediately after assigning dashboard.src, so the player may start rendering while the iframe is still blank or loading. Wait for the iframe load event before signaling readiness when dashboard_url is present.
Why: The suggestion accurately targets the dashboard.src assignment and improves ready_signal correctness by avoiding rendering while the iframe may still be blank. It is a meaningful reliability improvement, though it could leave the app unready if the iframe never fires load.
Medium
Possible issue
Retry asynchronous login form
Auth0 pages often render form fields asynchronously after the page load event, so a single immediate lookup can miss the inputs and permanently skip login. Retry briefly until the fields and submit button exist before filling and clicking them.
Why: The suggestion is contextually relevant because Auth0 login elements can appear after the injected script runs, and retrying makes the auto-login flow more robust. Using the existing setReactValue helper is also sensible for React-controlled fields.
Medium
Security
Validate embedded URL scheme
Assigning dashboard_url directly to iframe.src allows unsafe schemes such as javascript: or unexpected local URLs if the setting is misconfigured. Validate that url uses http: or https: before loading it.
if (url) {
- document.getElementById('dashboard').src = url+ const dashboardUrl = new URL(url)++ if (['http:', 'https:'].includes(dashboardUrl.protocol)) {+ document.getElementById('dashboard').src = dashboardUrl.href+ } else {+ console.log('[puzzel-dashboard] Invalid dashboard URL protocol.')+ }
}
Suggestion importance[1-10]: 4
__
Why: Restricting dashboard_url to http: and https: is a reasonable hardening step for an embedded iframe. However, the proposed new URL(url) can throw on malformed input and the suggestion does not actually address local/private URLs despite mentioning them.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Renames the
puzzle-dashboarddirectory topuzzel-dashboardto match the intended app name.PR Type
Enhancement, Documentation
Description
Adds Puzzel dashboard Edge App
Embeds configured dashboard URL fullscreen
Automates two-step Puzzel login
Documents settings and deployment
Diagram Walkthrough
File Walkthrough
screenly_inject.js
Automate Puzzel two-step login flowedge-apps/puzzel-dashboard/screenly_inject.js
#Input_Usernamefromscreenly_settings.username.#Input_Passwordfromscreenly_settings.password.index.html
Embed configured dashboard in fullscreen iframeedge-apps/puzzel-dashboard/index.html
screenly.js?version=1for Screenly integration.srcfromdashboard_urland signals readiness.README.md
Document Puzzel dashboard app usageedge-apps/puzzel-dashboard/README.md
screenly.yml
Configure Puzzel Edge App manifestedge-apps/puzzel-dashboard/screenly.yml
ready_signalintegration.