v0.1.3 update

added PBKDF2 password hashing implementation for compatibility with WebCTRL10.0
improved current location DBID detection when the Javascript SDK is invoked from within nested iframes

Author: cvogt729

config/BUILD_DETAILS

@@ -7,16 +7,16 @@ Compilation Flags:
 --release 11
 
 Runtime Dependencies:
-addonsupport-api-addon-1.10.0
-alarmmanager-api-addon-1.10.0
-bacnet-api-core-1.11.004-20250407.1435r
-datatable-api-addon-1.10.0
-directaccess-api-addon-1.10.0
-logicbuilder-api-addon-1.10.0
-semantics-api-addon-1.10.0
-tomcat-embed-core-9.0.104
-webaccess-api-addon-1.10.0
-xdatabase-api-addon-1.10.0
+addonsupport-api-addon-1.11.0
+alarmmanager-api-addon-1.11.0
+bacnet-api-core-1.11.006-20250512.1103r
+datatable-api-addon-1.11.0
+directaccess-api-addon-1.11.0
+logicbuilder-api-addon-1.11.0
+semantics-api-addon-1.11.0
+tomcat-embed-core-9.0.107
+webaccess-api-addon-1.11.0
+xdatabase-api-addon-1.11.0
 common-9.0.002
 commonbaseutils-2.0.5
 commonexceptions-9.0.002

root/info.xml

@@ -1,6 +1,6 @@
 <extension version="1">
   <name>RestAPI</name>
   <description>Exposes an OpenAPI-compatible REST API.</description>
-  <version>0.1.2</version>
+  <version>0.1.3</version>
   <vendor>Automatic Controls Equipment Systems, Inc.</vendor>
 </extension>

root/webapp/docs/api.js

@@ -30,7 +30,7 @@ class WebCTRLAPIClient {
           this.#dbid = Number(m[1]);
         }else if (window.parent?.document){
           this.#dbid = Array.from(
-            Array.from(window.parent.document.querySelectorAll('IFRAME') ?? []).find(
+            Array.from(window.parent.parent.parent.parent.document.querySelectorAll('IFRAME') ?? []).find(
               iframe => iframe.src.includes('/navpane/')
             )?.contentWindow?.document?.querySelectorAll('IFRAME') ?? []
           ).map(

root/webapp/docs/passwords.ps1

@@ -1,8 +1,13 @@
-# Create a function which computes a password hash compatible with WebCTRL (salted Sha512)
+# Create a function which computes a password hash compatible with WebCTRL (salted Sha512 or PBKDF2)
+# WebCTRL8.0+ is compatible with SSHA512
+# WebCTRL10.0+ is compatible with PBKDF2
 function Get-PasswordHash {
   param(
     [Parameter(Mandatory = $true)]
-    [string]$Password
+    [string]$Password,
+    [Parameter(Mandatory = $false)]
+    [ValidateSet('SSHA512', 'PBKDF2')]
+    [string]$HashType = 'SSHA512'
   )
 
   # Generate 8 bytes of random salt
@@ -11,29 +16,48 @@ function Get-PasswordHash {
   $rng.GetBytes($Salt)
   $rng.Dispose()
 
-  # Convert password to UTF-8 bytes
-  $passwordBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
-  
-  # Concatenate password and salt
-  $data = New-Object byte[] ($passwordBytes.Length + $Salt.Length)
-  [System.Buffer]::BlockCopy($passwordBytes, 0, $data, 0, $passwordBytes.Length)
-  [System.Buffer]::BlockCopy($Salt, 0, $data, $passwordBytes.Length, $Salt.Length)
-  
-  # Compute SHA-512 hash
-  $sha512 = [System.Security.Cryptography.SHA512]::Create()
-  $hashBytes = $sha512.ComputeHash($data)
-  $sha512.Dispose()
-  
-  # Concatenate hash and salt
-  $result = New-Object byte[] ($hashBytes.Length + $Salt.Length)
-  [System.Buffer]::BlockCopy($hashBytes, 0, $result, 0, $hashBytes.Length)
-  [System.Buffer]::BlockCopy($Salt, 0, $result, $hashBytes.Length, $Salt.Length)
-  
-  # Convert to base64
-  $base64 = [System.Convert]::ToBase64String($result)
-  
-  # Return with {SSHA512} prefix
-  return '{SSHA512}' + $base64
+  if ($HashType -eq 'PBKDF2') {
+    # PBKDF2WithHmacSHA512: 210000 iterations, 512-bit hash
+    $pbkdf2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $Salt, 210000, [System.Security.Cryptography.HashAlgorithmName]::SHA512)
+    $hashBytes = $pbkdf2.GetBytes(64)  # 512 bits = 64 bytes
+    $pbkdf2.Dispose()
+    
+    # Concatenate hash and salt
+    $result = New-Object byte[] ($hashBytes.Length + $Salt.Length)
+    [System.Buffer]::BlockCopy($hashBytes, 0, $result, 0, $hashBytes.Length)
+    [System.Buffer]::BlockCopy($Salt, 0, $result, $hashBytes.Length, $Salt.Length)
+    
+    # Convert to base64
+    $base64 = [System.Convert]::ToBase64String($result)
+    
+    # Return with {PBKDF2} prefix
+    return '{PBKDF2}' + $base64
+  }
+  else {
+    # Convert password to UTF-8 bytes
+    $passwordBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
+    
+    # Concatenate password and salt
+    $data = New-Object byte[] ($passwordBytes.Length + $Salt.Length)
+    [System.Buffer]::BlockCopy($passwordBytes, 0, $data, 0, $passwordBytes.Length)
+    [System.Buffer]::BlockCopy($Salt, 0, $data, $passwordBytes.Length, $Salt.Length)
+    
+    # Compute SHA-512 hash
+    $sha512 = [System.Security.Cryptography.SHA512]::Create()
+    $hashBytes = $sha512.ComputeHash($data)
+    $sha512.Dispose()
+    
+    # Concatenate hash and salt
+    $result = New-Object byte[] ($hashBytes.Length + $Salt.Length)
+    [System.Buffer]::BlockCopy($hashBytes, 0, $result, 0, $hashBytes.Length)
+    [System.Buffer]::BlockCopy($Salt, 0, $result, $hashBytes.Length, $Salt.Length)
+    
+    # Convert to base64
+    $base64 = [System.Convert]::ToBase64String($result)
+    
+    # Return with {SSHA512} prefix
+    return '{SSHA512}' + $base64
+  }
 }
 
 # Create a function to validate a given password against the stored hash value
@@ -45,35 +69,64 @@ function Confirm-PasswordHash {
     [string]$Hash
   )
 
-  # Remove the {SSHA512} prefix and decode base64
-  $base64Data = $Hash.Substring(9)  # Remove '{SSHA512}' prefix (9 characters)
-  $data = [System.Convert]::FromBase64String($base64Data)
-  
-  # Extract salt (last 8 bytes) and hash (first len-8 bytes)
-  $len = $data.Length
-  $salt = New-Object byte[] 8
-  $storedHash = New-Object byte[] ($len - 8)
-  
-  # Use BlockCopy to extract salt (last 8 bytes)
-  [System.Buffer]::BlockCopy($data, $len - 8, $salt, 0, 8)
-  # Use BlockCopy to extract hash (first len-8 bytes)
-  [System.Buffer]::BlockCopy($data, 0, $storedHash, 0, $len - 8)
-  
-  # Convert password to UTF-8 bytes
-  $passwordBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
-  
-  # Concatenate password and salt
-  $dataToHash = New-Object byte[] ($passwordBytes.Length + $salt.Length)
-  [System.Buffer]::BlockCopy($passwordBytes, 0, $dataToHash, 0, $passwordBytes.Length)
-  [System.Buffer]::BlockCopy($salt, 0, $dataToHash, $passwordBytes.Length, $salt.Length)
-  
-  # Compute SHA-512 hash
-  $sha512 = [System.Security.Cryptography.SHA512]::Create()
-  $computedHash = $sha512.ComputeHash($dataToHash)
-  $sha512.Dispose()
-  
-  # Compare the computed hash with the stored hash
-  return Compare-ByteArrays $computedHash $storedHash
+  # Detect hash type based on prefix
+  if ($Hash.StartsWith('{PBKDF2}')) {
+    # Remove the {PBKDF2} prefix and decode base64
+    $base64Data = $Hash.Substring(8)  # Remove '{PBKDF2}' prefix (8 characters)
+    $data = [System.Convert]::FromBase64String($base64Data)
+    
+    # Extract salt (last 8 bytes) and hash (first len-8 bytes)
+    $len = $data.Length
+    $salt = New-Object byte[] 8
+    $storedHash = New-Object byte[] ($len - 8)
+    
+    # Use BlockCopy to extract salt (last 8 bytes)
+    [System.Buffer]::BlockCopy($data, $len - 8, $salt, 0, 8)
+    # Use BlockCopy to extract hash (first len-8 bytes)
+    [System.Buffer]::BlockCopy($data, 0, $storedHash, 0, $len - 8)
+    
+    # Compute PBKDF2 hash with same parameters
+    $pbkdf2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, 210000, [System.Security.Cryptography.HashAlgorithmName]::SHA512)
+    $computedHash = $pbkdf2.GetBytes(64)  # 512 bits = 64 bytes
+    $pbkdf2.Dispose()
+    
+    # Compare the computed hash with the stored hash
+    return Compare-ByteArrays $computedHash $storedHash
+  }
+  elseif ($Hash.StartsWith('{SSHA512}')) {
+    # Remove the {SSHA512} prefix and decode base64
+    $base64Data = $Hash.Substring(9)  # Remove '{SSHA512}' prefix (9 characters)
+    $data = [System.Convert]::FromBase64String($base64Data)
+    
+    # Extract salt (last 8 bytes) and hash (first len-8 bytes)
+    $len = $data.Length
+    $salt = New-Object byte[] 8
+    $storedHash = New-Object byte[] ($len - 8)
+    
+    # Use BlockCopy to extract salt (last 8 bytes)
+    [System.Buffer]::BlockCopy($data, $len - 8, $salt, 0, 8)
+    # Use BlockCopy to extract hash (first len-8 bytes)
+    [System.Buffer]::BlockCopy($data, 0, $storedHash, 0, $len - 8)
+    
+    # Convert password to UTF-8 bytes
+    $passwordBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
+    
+    # Concatenate password and salt
+    $dataToHash = New-Object byte[] ($passwordBytes.Length + $salt.Length)
+    [System.Buffer]::BlockCopy($passwordBytes, 0, $dataToHash, 0, $passwordBytes.Length)
+    [System.Buffer]::BlockCopy($salt, 0, $dataToHash, $passwordBytes.Length, $salt.Length)
+    
+    # Compute SHA-512 hash
+    $sha512 = [System.Security.Cryptography.SHA512]::Create()
+    $computedHash = $sha512.ComputeHash($dataToHash)
+    $sha512.Dispose()
+    
+    # Compare the computed hash with the stored hash
+    return Compare-ByteArrays $computedHash $storedHash
+  }
+  else {
+    throw "Unsupported hash format. Expected {SSHA512} or {PBKDF2} prefix."
+  }
 }
 
 # Helper function to compare two byte arrays

src/aces/webctrl/restapi/api/exec/CreateOperator.json

@@ -23,7 +23,7 @@
     "hashed": {
       "type": "boolean",
       "default": false,
-      "description": "Set to true if the password is already hashed. Note that hashed passwords must be prefixed with '{SSHA512}'."
+      "description": "Set to true if the password is already hashed. Note that hashed passwords must be prefixed with '{SSHA512}' (WebCTRL8.0+) or '{PBKDF2}' (WebCTRL10.0+)."
     },
     "temporary": {
       "type": "boolean",