fix(mitmproxy): Fix web UI token access and transparent mode setup

- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

package/secubox/luci-app-mitmproxy/Makefile

@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-mitmproxy
 PKG_VERSION:=0.4.0
-PKG_RELEASE:=3
+PKG_RELEASE:=5
 PKG_ARCH:=all
 
 PKG_LICENSE:=Apache-2.0

package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy

@@ -408,15 +408,37 @@ get_web_token() {
 	local web_port=$(uci -q get mitmproxy.main.web_port || echo "8081")
 	local token=""
 
+	# Try reading token from host-mounted path
 	if [ -f "$token_file" ]; then
 		token=$(cat "$token_file" 2>/dev/null | tr -d '\n\r')
 	fi
 
+	# Fallback: read token directly from container if host file is missing/empty
+	if [ -z "$token" ] && command -v lxc-attach >/dev/null 2>&1; then
+		if lxc-info -n "$LXC_NAME" -s 2>/dev/null | grep -q "RUNNING"; then
+			token=$(lxc-attach -n "$LXC_NAME" -- cat /data/.mitmproxy_token 2>/dev/null | tr -d '\n\r')
+		fi
+	fi
+
+	# Second fallback: parse token from mitmweb log inside container
+	if [ -z "$token" ] && command -v lxc-attach >/dev/null 2>&1; then
+		if lxc-info -n "$LXC_NAME" -s 2>/dev/null | grep -q "RUNNING"; then
+			token=$(lxc-attach -n "$LXC_NAME" -- grep -o 'token=[a-zA-Z0-9_-]*' /tmp/mitmweb.log 2>/dev/null | head -1 | cut -d= -f2)
+		fi
+	fi
+
+	# Construct URL - only add token parameter if token exists
+	local web_url="http://$router_ip:$web_port"
+	local web_url_with_token="$web_url"
+	if [ -n "$token" ]; then
+		web_url_with_token="$web_url/?token=$token"
+	fi
+
 	cat <<EOF
 {
 	"token": "$token",
-	"web_url": "http://$router_ip:$web_port",
-	"web_url_with_token": "http://$router_ip:$web_port/?token=$token"
+	"web_url": "$web_url",
+	"web_url_with_token": "$web_url_with_token"
 }
 EOF
 }

package/secubox/luci-app-mitmproxy/root/usr/share/rpcd/acl.d/luci-app-mitmproxy.json

@@ -6,10 +6,15 @@
 				"luci.mitmproxy": [
 					"get_status",
 					"get_config",
+					"get_transparent_config",
+					"get_whitelist_config",
+					"get_filtering_config",
+					"get_all_config",
 					"get_stats",
 					"get_requests",
 					"get_top_hosts",
-					"get_ca_info"
+					"get_ca_info",
+					"get_web_token"
 				]
 			},
 			"uci": [
@@ -22,7 +27,11 @@
 					"service_start",
 					"service_stop",
 					"service_restart",
+					"firewall_setup",
+					"firewall_clear",
 					"set_config",
+					"add_to_list",
+					"remove_from_list",
 					"clear_data"
 				]
 			},

package/secubox/secubox-app-mitmproxy/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=secubox-app-mitmproxy
-PKG_RELEASE:=14
+PKG_RELEASE:=16
 PKG_VERSION:=0.4.0
 PKG_ARCH:=all
 PKG_MAINTAINER:=CyberMind Studio <contact@cybermind.fr>

package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl

@@ -132,6 +132,11 @@ nft_setup() {
 
 	log_info "Setting up nftables for transparent proxy..."
 
+	# Enable IP forwarding (required for transparent proxying)
+	log_info "Enabling IP forwarding..."
+	sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
+	sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null 2>&1
+
 	# Create mitmproxy table
 	nft add table inet $NFT_TABLE 2>/dev/null || true
 
@@ -169,8 +174,9 @@ nft_setup() {
 	nft add rule inet $NFT_TABLE prerouting ip daddr @bypass_ipv4 return 2>/dev/null || true
 	nft add rule inet $NFT_TABLE prerouting ip6 daddr @bypass_ipv6 return 2>/dev/null || true
 
-	# Don't intercept traffic from the proxy itself
-	nft add rule inet $NFT_TABLE prerouting meta skuid mitmproxy return 2>/dev/null || true
+	# Don't intercept traffic destined for the router itself (local services)
+	local router_ip=$(uci -q get network.lan.ipaddr || echo "192.168.1.1")
+	nft add rule inet $NFT_TABLE prerouting ip daddr "$router_ip" return 2>/dev/null || true
 
 	# Redirect HTTP traffic
 	if [ "$redirect_http" = "1" ]; then
@@ -385,17 +391,37 @@ rm -f /data/.mitmproxy_token /tmp/mitmweb.log
 
 echo "Starting mitmweb..."
 
-# Run mitmweb with unbuffered output and inline token capture
-/usr/local/bin/mitmweb $ARGS 2>&1 | while IFS= read -r line; do
-    echo "$line"
-    echo "$line" >> /tmp/mitmweb.log
-    case "$line" in
-        *token=*)
-            token=$(echo "$line" | grep -o 'token=[a-f0-9]*' | cut -d= -f2)
-            [ -n "$token" ] && echo "$token" > /data/.mitmproxy_token
-            ;;
-    esac
+# Start mitmweb in background, output to log file
+/usr/local/bin/mitmweb $ARGS 2>&1 | tee /tmp/mitmweb.log &
+MITMWEB_PID=$!
+
+# Wait for token to appear in log (with timeout)
+echo "Waiting for authentication token..."
+ATTEMPTS=0
+MAX_ATTEMPTS=30
+while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do
+    sleep 1
+    ATTEMPTS=$((ATTEMPTS + 1))
+
+    if [ -f /tmp/mitmweb.log ]; then
+        # Extract token from log - mitmweb outputs: "Web server listening at http://x.x.x.x:8081/?token=XXXXX"
+        # Token can be alphanumeric, not just hex
+        TOKEN=$(grep -o 'token=[a-zA-Z0-9_-]*' /tmp/mitmweb.log 2>/dev/null | head -1 | cut -d= -f2)
+        if [ -n "$TOKEN" ]; then
+            echo "$TOKEN" > /data/.mitmproxy_token
+            echo "Token captured: $(echo "$TOKEN" | cut -c1-8)..."
+            break
+        fi
+    fi
 done
+
+if [ ! -f /data/.mitmproxy_token ]; then
+    echo "Warning: Could not capture authentication token after ${MAX_ATTEMPTS}s"
+    echo "Check /tmp/mitmweb.log for details"
+fi
+
+# Wait for mitmweb process to keep container running
+wait $MITMWEB_PID
 START
 	chmod +x "$rootfs/opt/start-mitmproxy.sh"