Fix: Narrow echo bypass for loop prevention (#25) (#26)

LN4CY · web-flow · commit ac9f16648a81 · 2026-03-04T19:07:04.000-05:00
* Fix: Narrow echo bypass for loop prevention (#25) * docs: Update RELEASE_NOTES for v1.4.2 (#25)
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,5 +1,20 @@
-# Release v1.4.1
+# Release v1.4.2
+
+## 🐛 Bug Fixes
+
+### Echo Bypass is Too Broad (Issue #25)
+- **Narrowed Implicit ACK Echo Bypass**: Fixed an issue where the loop prevention bypass was too broad, causing unencrypted routing, position, and telemetry packets to echo back to the node unnecessarily.
+  - Instead of bypassing loop protection for all packets from the local gateway, the proxy now explicitly checks if the packet is `encrypted` or has a valid `request_id`.
+  - Administrative/plain packets are properly dropped by the loop tracker to minimize unnecessary RF traffic.
+
+## 🧪 Test Coverage
+- Added new test cases in `tests/test_echo_bypass.py` to ensure only correct packet types (encrypted, request_id) explicitly bypass loop prevention.
+
+---
 
+**Full Changelog**: https://github.com/LN4CY/mqtt-proxy/compare/v1.4.1...v1.4.2
+
+# Release v1.4.1
 ## 🐛 Bug Fixes
 
 ### "Proxy to Client" Ack Restoration (The "Red X" Fix)
diff --git a/handlers/mqtt.py b/handlers/mqtt.py
@@ -169,7 +169,17 @@ def _on_message(self, client, userdata, message):
                 envelope.ParseFromString(message.payload)
                 if envelope.gateway_id:
                     if self.node_id and (envelope.gateway_id == self.node_id or envelope.gateway_id == f"!{self.node_id}"):
-                        is_echo = True
+                        packet = envelope.packet
+                        # Only allow echo bypass for packets that are eligible for Implicit ACKs
+                        is_eligible_for_ack = False
+                        
+                        if packet.HasField("encrypted") and packet.encrypted:
+                            is_eligible_for_ack = True
+                        elif packet.HasField("decoded") and getattr(packet.decoded, "request_id", 0):
+                            is_eligible_for_ack = True
+                            
+                        if is_eligible_for_ack:
+                            is_echo = True
             except Exception:
                 pass
 
diff --git a/tests/test_echo_bypass.py b/tests/test_echo_bypass.py
@@ -0,0 +1,78 @@
+import os
+import sys
+from unittest.mock import MagicMock
+import pytest
+
+# Add parent directory to path
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from handlers.mqtt import MQTTHandler
+from meshtastic import mesh_pb2
+from meshtastic.protobuf import mqtt_pb2
+
+def test_mqtt_loop_prevention_echo_bypass_encrypted():
+    config_mock = MagicMock()
+    handler = MQTTHandler(config_mock, "mynode")
+    
+    # Simulate a packet that we encrypted
+    envelope = mqtt_pb2.ServiceEnvelope()
+    envelope.gateway_id = "!mynode"
+    envelope.packet.encrypted = b'secret'
+    
+    msg = MagicMock()
+    msg.topic = "msh/US/2/e/LongFast/!mynode" # From us
+    msg.payload = envelope.SerializeToString()
+    msg.retain = False
+    
+    callback = MagicMock()
+    handler.on_message_callback = callback
+    
+    # Process message - should bypass loop prevention because it's encrypted
+    handler._on_message(None, None, msg)
+    
+    callback.assert_called_once()
+
+
+def test_mqtt_loop_prevention_echo_bypass_request_id():
+    config_mock = MagicMock()
+    handler = MQTTHandler(config_mock, "mynode")
+    
+    # Simulate a packet that has a request_id
+    envelope = mqtt_pb2.ServiceEnvelope()
+    envelope.gateway_id = "!mynode"
+    envelope.packet.decoded.request_id = 1234
+    
+    msg = MagicMock()
+    msg.topic = "msh/US/2/e/LongFast/!mynode" # From us
+    msg.payload = envelope.SerializeToString()
+    msg.retain = False
+    
+    callback = MagicMock()
+    handler.on_message_callback = callback
+    
+    # Process message - should bypass loop prevention because it has request_id
+    handler._on_message(None, None, msg)
+    
+    callback.assert_called_once()
+    
+def test_mqtt_loop_prevention_blocks_unencrypted_no_request():
+    config_mock = MagicMock()
+    handler = MQTTHandler(config_mock, "mynode")
+    
+    # Simulate a packet like NodeInfo without encryption or request_id
+    envelope = mqtt_pb2.ServiceEnvelope()
+    envelope.gateway_id = "!mynode"
+    envelope.packet.decoded.portnum = 1 # NODEINFO_APP
+    
+    msg = MagicMock()
+    msg.topic = "msh/US/2/e/LongFast/!mynode" # From us
+    msg.payload = envelope.SerializeToString()
+    msg.retain = False
+    
+    callback = MagicMock()
+    handler.on_message_callback = callback
+    
+    # Process message - should be blocked by loop prevention
+    handler._on_message(None, None, msg)
+    
+    callback.assert_not_called()
