Add support for Basic authentication #4

Open
aivs opened this issue Jan 17, 2016 · 7 comments

@aivs

aivs commented Jan 17, 2016

Many SmartHome controllers use Basic authentication for access to the HTTP API.
I use Raspberry Pi with app Z-Way to control my Z-Wave Devices. Z-Way requires login and password for HTTP commands.
I know many other controllers that support basic authentication, so the list of compatible SmartHome controllers will increase if you add support for sending HTTP commands with basic authorization.

@sebbu
Owner

sebbu commented Jan 18, 2016

Hi, thanks for this feature request. It makes sense and I will add it in a future version.

@dhermanns

Your App looks great - is this possible now? I would like to use it with Openhab, so authentication is crucial...

@sebbu
Owner

sebbu commented Apr 29, 2018

Sorry, I did not find any time yet (though it sure makes sense). The time for the feature is not the problem, but in the meantime a lot has changed for Swift and iOS.

You can use iControl Web (including Apple Watch) with openHAB

The documentation of openHAB says that it does not (yet) support restricting access... and it proposes to use basic authentication with nginx... it is just a proposal.

Alternative Proposal to authenticate access to openHAB and still use iControl Web

Basic Auth Workaround

If you already run an nginx I would propose that you could use a workaround for the problem, i.e. use rewriting and map all commands. Use a password-like string as a prefix to the real path.

Instead of simply proxying everything
proxy_pass http://localhost:8080/;
extend the proxy rules and add a rewrite for the secured command, i.e.
rewrite /hereGoesAComplicatedUrlEscapedString/(.*) /$1 break;

Then you use the http://exthost:port/hereGoesAComplicatedUrlEscapedString/original/command/path in iControl Web configuration.

I am not an nginx expert. Test if the real commands are still passed. If yes, catch everything in a last rule and send it to the nirvana
rewrite /(.*) /non/existent/path break;

Keep in mind to always use https, because in both cases (complicatedPath or basic auth), the clear password would be visible to a MITM attack. (Not using https with the complicatedPathMethod is worse because URLs could be captured by proxies, browser history, etc). If you still want to use basic auth elsewhere, I propose that you create a dedicated virtual host and use name based virtual hosts.

You can also use this method to expose only a subset of commands, i.e.
rewrite /hereGoesAnotherComplicatedUrlEscapedString/ /url/to/real/command/one break;
rewrite /hereGoesAThirdComplicatedUrlEscapedString/ /url/to/real/command/two break;
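
The workaround from the comment above, consolidated into one configuration. This is an added example, not part of the original comment or the project: it uses a `location` block with `return 404` in place of the catch-all rewrite, and puts the Basic auth variant on its own name-based virtual host. Host names, certificate paths and the htpasswd path are placeholders.

```nginx
# Added example. Host names, file paths and the prefix string are placeholders.

# Virtual host 1: secret path prefix, for a client without Basic auth support.
server {
    listen 443 ssl;                     # HTTPS only: this vhost has no port 80 listener
    server_name icontrol.example.org;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    access_log off;                     # the secret is part of the URL; keep it out of logs

    # Only requests that start with the secret prefix reach openHAB.
    location /hereGoesAComplicatedUrlEscapedString/ {
        # Strip the prefix; the original query string is appended by default.
        rewrite ^/hereGoesAComplicatedUrlEscapedString/(.*)$ /$1 break;
        # No URI part on proxy_pass, so the rewritten URI is passed upstream.
        proxy_pass http://localhost:8080;
    }

    # Anything without the prefix is refused instead of being proxied.
    location / {
        return 404;
    }
}

# Virtual host 2: Basic auth, for clients that can send credentials.
server {
    listen 443 ssl;
    server_name openhab.example.org;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    location / {
        auth_basic           "openHAB";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://localhost:8080;
    }
}
```

Run `nginx -t` after editing to check the syntax before reloading.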

@luckydonald

So entering a url like
https://user:[email protected] isn't possible?

@sebbu
Owner

sebbu commented May 5, 2018

URLs like
https://user:[email protected] are interpreted by the browser. So it is not possible. You have to go through the workaround or a VPN or anything else which can be used in infrastructure

Repository owner deleted a comment from ToracX Jun 18, 2018
@luckydonald

Therefore there would need to be code to interpret it.

@MarvAmBass

any updates on this?
I'd pay 5 € for this
