feat: MQTTS support + auto MQTT credential provisioning

Ravi Singh · Ravi Singh · commit ba39012e2c0d · 2026-04-16T13:16:23.000+05:30
Firmware v2.2.0:
- Add use_tls field to MQTT config (TLS via ESP-IDF cert bundle)
- Auto-select port 8883 when TLS enabled
- Web API /api/mqtt accepts use_tls parameter
- Both ESP32 DevKit and C3 receivers updated

Cloud:
- MQTT credential auto-generation during QR device linking
- Per-user ACL: each user can only pub/sub their own device topics
- Auto-push MQTT config to receiver during claim flow
- Credential revocation on site deletion
- Mosquitto password file + ACL managed programmatically
diff --git a/firmware/receiver-c3/components/mqtt_client/mqtt_manager.c b/firmware/receiver-c3/components/mqtt_client/mqtt_manager.c
@@ -1,12 +1,11 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * mqtt_manager implementation
  */
 
 #include "mqtt_manager.h"
 #include "mqtt_client.h"        // ESP-IDF MQTT (component: mqtt)
+#include "esp_tls.h"
+#include "esp_crt_bundle.h"     // ESP-IDF certificate bundle for TLS
 #include "transmitter_registry.h"
 #include "wifi_manager.h"
 #include "esp_log.h"
@@ -56,11 +55,13 @@ static void load_config(void) {
     nvs_get_str(h, "user", s_cfg.user, &len);
     len = sizeof(s_cfg.pass);
     nvs_get_str(h, "pass", s_cfg.pass, &len);
-    uint8_t en = 0, ha = 0;
+    uint8_t en = 0, ha = 0, tls = 0;
     nvs_get_u8(h, "enabled", &en);
     nvs_get_u8(h, "ha_disc", &ha);
+    nvs_get_u8(h, "use_tls", &tls);
     s_cfg.enabled      = (en != 0);
     s_cfg.ha_discovery = (ha != 0);
+    s_cfg.use_tls      = (tls != 0);
     nvs_close(h);
 }
 
@@ -74,6 +75,7 @@ static esp_err_t save_config_nvs(const mqtt_mgr_config_t *cfg) {
     if (strlen(cfg->pass) > 0) nvs_set_str(h, "pass", cfg->pass); // only update if provided
     nvs_set_u8 (h, "enabled", cfg->enabled ? 1 : 0);
     nvs_set_u8 (h, "ha_disc", cfg->ha_discovery ? 1 : 0);
+    nvs_set_u8 (h, "use_tls", cfg->use_tls ? 1 : 0);
     err = nvs_commit(h);
     nvs_close(h);
     return err;
@@ -149,10 +151,13 @@ void mqtt_manager_start(void) {
     char client_id[32];
     snprintf(client_id, sizeof(client_id), "tanksync_%s", s_dev_id);
 
+    uint16_t port = s_cfg.port ? s_cfg.port : (s_cfg.use_tls ? 8883 : MQTT_DEFAULT_PORT);
+
     esp_mqtt_client_config_t cfg = {
         .broker.address.hostname         = s_cfg.host,
-        .broker.address.port             = s_cfg.port ? s_cfg.port : MQTT_DEFAULT_PORT,
-        .broker.address.transport        = MQTT_TRANSPORT_OVER_TCP,
+        .broker.address.port             = port,
+        .broker.address.transport        = s_cfg.use_tls ? MQTT_TRANSPORT_OVER_SSL : MQTT_TRANSPORT_OVER_TCP,
+        .broker.verification.crt_bundle_attach   = s_cfg.use_tls ? esp_crt_bundle_attach : NULL,
         .credentials.client_id           = client_id,
         .credentials.username            = strlen(s_cfg.user) ? s_cfg.user : NULL,
         .credentials.authentication.password = strlen(s_cfg.pass) ? s_cfg.pass : NULL,
@@ -363,6 +368,7 @@ esp_err_t mqtt_manager_set_config(const mqtt_mgr_config_t *cfg) {
     strncpy(s_cfg.user, cfg->user, sizeof(s_cfg.user) - 1);
     s_cfg.enabled      = cfg->enabled;
     s_cfg.ha_discovery = cfg->ha_discovery;
+    s_cfg.use_tls      = cfg->use_tls;
 
     mqtt_manager_stop();
     if (s_cfg.enabled && strlen(s_cfg.host) > 0 &&
diff --git a/firmware/receiver-c3/components/mqtt_client/mqtt_manager.h b/firmware/receiver-c3/components/mqtt_client/mqtt_manager.h
@@ -1,6 +1,3 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * mqtt_manager - MQTT publishing for TankSync receiver
  *
@@ -41,7 +38,7 @@
 #define MQTT_RECONNECT_BASE_MS  5000
 #endif
 #ifndef FIRMWARE_VERSION
-#define FIRMWARE_VERSION        "2.1.0"
+#define FIRMWARE_VERSION        "2.2.0"
 #endif
 
 typedef enum {
@@ -59,6 +56,7 @@ typedef struct {
     char    pass[64];
     bool    enabled;
     bool    ha_discovery;
+    bool    use_tls;        // true = MQTTS (port 8883), false = plain TCP (1883)
 } mqtt_mgr_config_t;
 
 /** Initialize: load config from NVS, derive device_id from MAC. */
diff --git a/firmware/receiver-c3/components/web_server/web_server.c b/firmware/receiver-c3/components/web_server/web_server.c
@@ -1,6 +1,3 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * web_server implementation - TankSync Terminal UI v3.5
  */
@@ -652,6 +649,7 @@ static esp_err_t handle_get_mqtt(httpd_req_t *req) {
                             (ms == MQTT_ST_ERROR)        ? "error"        : "disabled";
     cJSON *root = cJSON_CreateObject(); cJSON_AddStringToObject(root, "host", cfg.host); cJSON_AddNumberToObject(root, "port", cfg.port);
     cJSON_AddStringToObject(root, "user", cfg.user); cJSON_AddBoolToObject(root, "enabled", cfg.enabled); cJSON_AddBoolToObject(root, "ha_discovery", cfg.ha_discovery);
+    cJSON_AddBoolToObject(root, "use_tls", cfg.use_tls);
     cJSON_AddStringToObject(root, "live_status", mqtt_live);
     char *json = cJSON_PrintUnformatted(root); cJSON_Delete(root); send_json(req, json); free(json); return ESP_OK;
 }
@@ -664,6 +662,7 @@ static esp_err_t handle_post_mqtt(httpd_req_t *req) {
     if (u) { strncpy(cfg.user, u, sizeof(cfg.user)-1); }
     if (p) { strncpy(cfg.pass, p, sizeof(cfg.pass)-1); }
     cfg.port = (uint16_t)cJSON_GetNumberValue(cJSON_GetObjectItem(j, "port")); cfg.enabled = cJSON_IsTrue(cJSON_GetObjectItem(j, "enabled")); cfg.ha_discovery = cJSON_IsTrue(cJSON_GetObjectItem(j, "ha_discovery"));
+    cfg.use_tls = cJSON_IsTrue(cJSON_GetObjectItem(j, "use_tls"));
     cJSON_Delete(j); if (mqtt_manager_set_config(&cfg) == ESP_OK) { send_ok(req, "OK"); } else { send_err(req, "NO"); }
     return ESP_OK;
 }
diff --git a/firmware/receiver/components/mqtt_client/mqtt_manager.c b/firmware/receiver/components/mqtt_client/mqtt_manager.c
@@ -1,12 +1,11 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * mqtt_manager implementation
  */
 
 #include "mqtt_manager.h"
 #include "mqtt_client.h"        // ESP-IDF MQTT (component: mqtt)
+#include "esp_tls.h"
+#include "esp_crt_bundle.h"     // ESP-IDF certificate bundle for TLS
 #include "transmitter_registry.h"
 #include "wifi_manager.h"
 #include "esp_log.h"
@@ -56,11 +55,13 @@ static void load_config(void) {
     nvs_get_str(h, "user", s_cfg.user, &len);
     len = sizeof(s_cfg.pass);
     nvs_get_str(h, "pass", s_cfg.pass, &len);
-    uint8_t en = 0, ha = 0;
+    uint8_t en = 0, ha = 0, tls = 0;
     nvs_get_u8(h, "enabled", &en);
     nvs_get_u8(h, "ha_disc", &ha);
+    nvs_get_u8(h, "use_tls", &tls);
     s_cfg.enabled      = (en != 0);
     s_cfg.ha_discovery = (ha != 0);
+    s_cfg.use_tls      = (tls != 0);
     nvs_close(h);
 }
 
@@ -74,6 +75,7 @@ static esp_err_t save_config_nvs(const mqtt_mgr_config_t *cfg) {
     if (strlen(cfg->pass) > 0) nvs_set_str(h, "pass", cfg->pass); // only update if provided
     nvs_set_u8 (h, "enabled", cfg->enabled ? 1 : 0);
     nvs_set_u8 (h, "ha_disc", cfg->ha_discovery ? 1 : 0);
+    nvs_set_u8 (h, "use_tls", cfg->use_tls ? 1 : 0);
     err = nvs_commit(h);
     nvs_close(h);
     return err;
@@ -149,10 +151,13 @@ void mqtt_manager_start(void) {
     char client_id[32];
     snprintf(client_id, sizeof(client_id), "tanksync_%s", s_dev_id);
 
+    uint16_t port = s_cfg.port ? s_cfg.port : (s_cfg.use_tls ? 8883 : MQTT_DEFAULT_PORT);
+
     esp_mqtt_client_config_t cfg = {
         .broker.address.hostname         = s_cfg.host,
-        .broker.address.port             = s_cfg.port ? s_cfg.port : MQTT_DEFAULT_PORT,
-        .broker.address.transport        = MQTT_TRANSPORT_OVER_TCP,
+        .broker.address.port             = port,
+        .broker.address.transport        = s_cfg.use_tls ? MQTT_TRANSPORT_OVER_SSL : MQTT_TRANSPORT_OVER_TCP,
+        .broker.verification.crt_bundle_attach   = s_cfg.use_tls ? esp_crt_bundle_attach : NULL,
         .credentials.client_id           = client_id,
         .credentials.username            = strlen(s_cfg.user) ? s_cfg.user : NULL,
         .credentials.authentication.password = strlen(s_cfg.pass) ? s_cfg.pass : NULL,
@@ -363,6 +368,7 @@ esp_err_t mqtt_manager_set_config(const mqtt_mgr_config_t *cfg) {
     strncpy(s_cfg.user, cfg->user, sizeof(s_cfg.user) - 1);
     s_cfg.enabled      = cfg->enabled;
     s_cfg.ha_discovery = cfg->ha_discovery;
+    s_cfg.use_tls      = cfg->use_tls;
 
     mqtt_manager_stop();
     if (s_cfg.enabled && strlen(s_cfg.host) > 0 &&
diff --git a/firmware/receiver/components/mqtt_client/mqtt_manager.h b/firmware/receiver/components/mqtt_client/mqtt_manager.h
@@ -1,6 +1,3 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * mqtt_manager - MQTT publishing for TankSync receiver
  *
@@ -41,7 +38,7 @@
 #define MQTT_RECONNECT_BASE_MS  5000
 #endif
 #ifndef FIRMWARE_VERSION
-#define FIRMWARE_VERSION        "2.1.0"
+#define FIRMWARE_VERSION        "2.2.0"
 #endif
 
 typedef enum {
@@ -59,6 +56,7 @@ typedef struct {
     char    pass[64];
     bool    enabled;
     bool    ha_discovery;
+    bool    use_tls;        // true = MQTTS (port 8883), false = plain TCP (1883)
 } mqtt_mgr_config_t;
 
 /** Initialize: load config from NVS, derive device_id from MAC. */
diff --git a/firmware/receiver/components/web_server/web_server.c b/firmware/receiver/components/web_server/web_server.c
@@ -1,6 +1,3 @@
-// SPDX-License-Identifier: MIT
-// Copyright (c) 2025-2026 Ravi Singh (Techposts)
-
 /**
  * web_server implementation - TankSync Terminal UI v3.5
  */
@@ -652,6 +649,7 @@ static esp_err_t handle_get_mqtt(httpd_req_t *req) {
                             (ms == MQTT_ST_ERROR)        ? "error"        : "disabled";
     cJSON *root = cJSON_CreateObject(); cJSON_AddStringToObject(root, "host", cfg.host); cJSON_AddNumberToObject(root, "port", cfg.port);
     cJSON_AddStringToObject(root, "user", cfg.user); cJSON_AddBoolToObject(root, "enabled", cfg.enabled); cJSON_AddBoolToObject(root, "ha_discovery", cfg.ha_discovery);
+    cJSON_AddBoolToObject(root, "use_tls", cfg.use_tls);
     cJSON_AddStringToObject(root, "live_status", mqtt_live);
     char *json = cJSON_PrintUnformatted(root); cJSON_Delete(root); send_json(req, json); free(json); return ESP_OK;
 }
@@ -664,6 +662,7 @@ static esp_err_t handle_post_mqtt(httpd_req_t *req) {
     if (u) { strncpy(cfg.user, u, sizeof(cfg.user)-1); }
     if (p) { strncpy(cfg.pass, p, sizeof(cfg.pass)-1); }
     cfg.port = (uint16_t)cJSON_GetNumberValue(cJSON_GetObjectItem(j, "port")); cfg.enabled = cJSON_IsTrue(cJSON_GetObjectItem(j, "enabled")); cfg.ha_discovery = cJSON_IsTrue(cJSON_GetObjectItem(j, "ha_discovery"));
+    cfg.use_tls = cJSON_IsTrue(cJSON_GetObjectItem(j, "use_tls"));
     cJSON_Delete(j); if (mqtt_manager_set_config(&cfg) == ESP_OK) { send_ok(req, "OK"); } else { send_err(req, "NO"); }
     return ESP_OK;
 }
diff --git a/pwa/server-cloud/index.js b/pwa/server-cloud/index.js
@@ -15,6 +15,7 @@ import db, { stmts } from './db.js';
 import { connectMqtt } from './mqtt.js';
 import { addClient } from './sse.js';
 import { checkDeviceTimeouts } from './alerts.js';
+import { generateMqttCredentials, pushMqttToReceiver, revokeMqttCredentials } from './mqtt-credentials.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const isProd = process.env.NODE_ENV === 'production';
@@ -208,8 +209,10 @@ app.put('/api/sites/:id', { preHandler: [app.authenticate] }, async (req, reply)
 });
 
 app.delete('/api/sites/:id', { preHandler: [app.authenticate] }, async (req, reply) => {
-  const result = await db.run('DELETE FROM sites WHERE id = $1 AND user_id = $2', req.params.id, req.user.id);
-  if (result.changes === 0) return reply.code(404).send({ error: 'Site not found' });
+  const site = await db.get('SELECT * FROM sites WHERE id = $1 AND user_id = $2', req.params.id, req.user.id);
+  if (!site) return reply.code(404).send({ error: 'Site not found' });
+  await revokeMqttCredentials(site.id);
+  await db.run('DELETE FROM sites WHERE id = $1', site.id);
   return { success: true };
 });
 
@@ -324,7 +327,28 @@ app.post('/api/link/claim', { preHandler: [app.authenticate] }, async (req, repl
     }
   } catch {}
 
-  return { site_id: siteId, device_count: deviceCount, message: 'Device linked successfully' };
+  // 6. Generate MQTT credentials and push to receiver
+  let mqtt_configured = false;
+  let mqttCreds = null;
+  try {
+    mqttCreds = await generateMqttCredentials(req.user.id, siteId, device_id);
+    mqtt_configured = await pushMqttToReceiver(receiver_ip, mqttCreds);
+    if (mqtt_configured) {
+      app.log.info(`MQTT auto-configured on receiver ${receiver_ip} — user ${mqttCreds.mqtt_username}`);
+    }
+  } catch (err) {
+    app.log.warn(`MQTT credential setup failed: ${err.message}`);
+  }
+
+  return {
+    site_id: siteId,
+    device_count: deviceCount,
+    mqtt_configured,
+    mqtt_host: mqttCreds?.mqtt_host,
+    message: mqtt_configured
+      ? 'Device linked and MQTT configured automatically'
+      : 'Device linked. Configure MQTT manually in the receiver web UI.',
+  };
 });
 
 // ─── HISTORY ───────────────────────────────────────────────────────────────────
diff --git a/pwa/server-cloud/mqtt-credentials.js b/pwa/server-cloud/mqtt-credentials.js
@@ -0,0 +1,130 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2025-2026 Ravi Singh (Techposts)
+
+import { randomBytes } from 'crypto';
+import { execSync } from 'child_process';
+import { readFileSync, writeFileSync } from 'fs';
+import db from './db.js';
+
+const PASSWD_FILE = '/etc/mosquitto/tanksync_passwd';
+const ACL_FILE = '/etc/mosquitto/tanksync_acl.conf';
+const MQTT_PUBLIC_HOST = process.env.MQTT_PUBLIC_HOST || 'mqtt.smartghar.org';
+const MQTT_PUBLIC_PORT = parseInt(process.env.MQTT_PUBLIC_PORT || '8883');
+
+/**
+ * Generate MQTT credentials for a user+site, add to Mosquitto, push to receiver.
+ * Returns { mqtt_username, mqtt_password, mqtt_host, mqtt_port }
+ */
+export async function generateMqttCredentials(userId, siteId, deviceId) {
+  // Check if credentials already exist for this site
+  const existing = await db.get(
+    'SELECT * FROM mqtt_credentials WHERE site_id = $1', siteId
+  );
+  if (existing) {
+    return {
+      mqtt_username: existing.mqtt_username,
+      mqtt_password: existing.mqtt_password,
+      mqtt_host: MQTT_PUBLIC_HOST,
+      mqtt_port: MQTT_PUBLIC_PORT,
+    };
+  }
+
+  // Generate unique username and password
+  const shortId = deviceId.slice(0, 6);
+  const mqtt_username = `ts_u${userId}_${shortId}`;
+  const mqtt_password = randomBytes(16).toString('base64url');
+
+  // Add to Mosquitto password file
+  try {
+    execSync(`sudo mosquitto_passwd -b ${PASSWD_FILE} "${mqtt_username}" "${mqtt_password}"`, { timeout: 5000 });
+  } catch (err) {
+    console.error(`[MQTT-CRED] Failed to add password: ${err.message}`);
+    throw new Error('Failed to create MQTT credentials');
+  }
+
+  // Store in database
+  await db.run(
+    'INSERT INTO mqtt_credentials (user_id, site_id, mqtt_username, mqtt_password, device_id) VALUES ($1, $2, $3, $4, $5)',
+    userId, siteId, mqtt_username, mqtt_password, deviceId
+  );
+
+  // Regenerate ACL file
+  await regenerateAcl();
+
+  // Reload Mosquitto config
+  try {
+    execSync('sudo kill -HUP $(pidof mosquitto)', { timeout: 5000 });
+  } catch {
+    console.warn('[MQTT-CRED] Could not reload Mosquitto — may need manual restart');
+  }
+
+  return { mqtt_username, mqtt_password, mqtt_host: MQTT_PUBLIC_HOST, mqtt_port: MQTT_PUBLIC_PORT };
+}
+
+/**
+ * Push MQTT config to receiver via its local HTTP API.
+ */
+export async function pushMqttToReceiver(receiverIp, mqttCreds) {
+  try {
+    const res = await fetch(`http://${receiverIp}/api/mqtt`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        host: mqttCreds.mqtt_host,
+        port: mqttCreds.mqtt_port,
+        user: mqttCreds.mqtt_username,
+        pass: mqttCreds.mqtt_password,
+        enabled: true,
+        ha_discovery: false,
+        use_tls: true,
+      }),
+      signal: AbortSignal.timeout(5000),
+    });
+    return res.ok;
+  } catch (err) {
+    console.warn(`[MQTT-CRED] Could not push to receiver ${receiverIp}: ${err.message}`);
+    return false;
+  }
+}
+
+/**
+ * Revoke MQTT credentials for a site (called when site is deleted).
+ */
+export async function revokeMqttCredentials(siteId) {
+  const cred = await db.get('SELECT * FROM mqtt_credentials WHERE site_id = $1', siteId);
+  if (!cred) return;
+
+  // Remove from Mosquitto password file
+  try {
+    execSync(`sudo mosquitto_passwd -D ${PASSWD_FILE} "${cred.mqtt_username}"`, { timeout: 5000 });
+  } catch {}
+
+  // Remove from DB
+  await db.run('DELETE FROM mqtt_credentials WHERE site_id = $1', siteId);
+
+  // Regenerate ACL and reload
+  await regenerateAcl();
+  try { execSync('sudo kill -HUP $(pidof mosquitto)', { timeout: 5000 }); } catch {}
+}
+
+/**
+ * Regenerate the ACL file from all credentials in the database.
+ */
+async function regenerateAcl() {
+  const allCreds = await db.all('SELECT * FROM mqtt_credentials');
+
+  let acl = `# TankSync MQTT ACL — auto-generated, do not edit manually
+# Server account — full access
+user tanksync_server
+topic readwrite tanksync/#
+
+`;
+
+  for (const cred of allCreds) {
+    acl += `# User ${cred.user_id}, Site ${cred.site_id}\n`;
+    acl += `user ${cred.mqtt_username}\n`;
+    acl += `topic readwrite tanksync/${cred.device_id}/#\n\n`;
+  }
+
+  writeFileSync(ACL_FILE, acl);
+}
