hyperion-project / hyperion.ng

The successor to Hyperion aka Hyperion Next Generation
https://hyperion-project.org/
MIT License
2.96k stars 373 forks

Local Admin API Authentication rejects valid tokens #1251

Open dinvlad opened 3 years ago

dinvlad commented 3 years ago

Bug report

Currently, it appears we can use Admin API calls over JSON RPC/HTTP requests only if we disable "Local Admin API Authentication". Enabling it results in rejected calls with "No Authorization", even if we supply a valid token.

Steps to reproduce

  1. Enable "Local Admin API Authentication" in the UI (http://<hyperion-ip>:8090/#conf_network)
  2. Submit an Admin API request, e.g.

       curl -X POST 'http://<hyperion-ip>:8090/json-rpc' \
         -H 'Authorization: token <valid-token>' \
         -H 'Content-Type: application/json' \
         -d '{
           "command": "config",
           "subcommand": "getconfig"
         }'

     which results in

       {
         "command": "config",
         "error": "No Authorization",
         "success": false,
         "tan": 0
       }
  3. Disable "Local Admin API Authentication"
  4. Restart the service, e.g.:
    sudo systemctl restart hyperiond@pi.service
  5. Submit the same request (with or without the token) and it succeeds.

What is expected?

When "Local Admin API Authentication" is enabled, Admin API calls should:

  1. Reject calls without a token
  2. Succeed if the token is valid.

What is actually happening?

When "Local Admin API Authentication" is enabled, the Admin API rejects all requests, regardless of whether the token is present or not, and whether it's done over the local network (or even localhost).

The current behavior seems to be hard-coded to set Admin auth state at the start of the service: https://github.com/hyperion-project/hyperion.ng/blob/a4d98fd916e17f1a3834c43ba220d7838313d711/libsrc/api/API.cpp#L86

System

Hyperion Server: 
- Build:           (HEAD detached at 83338dc3) (Paulchen Panther-ca50487e/83338dc3-1605733041)
- Build time:      Nov 18 2020 21:34:12
- Git Remote:      https://github.com/hyperion-project/hyperion.ng
- Version:         2.0.0-alpha.9
- UI Lang:         auto (BrowserLang: en-US)
- UI Access:       expert
- Avail Capt:      dispmanx,v4l2,framebuffer,qt
- Database:        read/write

Hyperion Server OS: 
- Distribution:   Raspbian GNU/Linux 10 (buster)
- Architecture:   arm
- CPU Model:      ARMv7 Processor rev 4 (v7l)
- CPU Type:       Raspberry Pi 3 Model B Plus Rev 1.3
- CPU Revision:   a020d3
- CPU Hardware:   BCM2835
- Kernel:         linux (5.10.17-v7+ (WS: 32))
- Qt Version:     5.7.1
- Python Version: 3.5.3
- Browser:        Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Thinner77 commented 1 year ago

Hi,

same problem here.

JsonAPI::handleConfigCommand checks for _adminAuthorized, but _adminAuthorized isn't set in API::isTokenAuthorized(). So maybe a simple fix is to set _adminAuthorized = _authorized; at the end of API::isTokenAuthorized().

wbr
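The failure the thread describes, modelled as an added C++ example (constructed here, not hyperion.ng's code): a per-connection API object whose admin flag is decided once at startup and never updated by token validation, with the one-line propagation Thinner77 proposes behind a switch so both behaviours can be compared. The struct, flag names, token store and the replay() helper are hypothetical stand-ins for the real ones.

```cpp
#include <set>
#include <string>

// Constructed stand-in for the per-connection API state discussed in the thread
// (not hyperion.ng's code): _authorized means a valid token was presented,
// _adminAuthorized gates config/admin commands such as "config getconfig".
struct ApiModel {
    std::set<std::string> validTokens;  // hypothetical token store
    bool localAdminAuth = true;         // the "Local Admin API Authentication" setting
    bool propagateAdmin = false;        // false: reported behaviour; true: the suggested one-line fix
    bool _authorized = false;
    bool _adminAuthorized = false;

    // Mirrors the reported startup logic: admin state fixed once from the setting.
    void init() {
        _authorized = !localAdminAuth;
        _adminAuthorized = !localAdminAuth;
    }

    // Model of API::isTokenAuthorized(): validates the token and updates _authorized.
    // In the reported code path _adminAuthorized is left untouched here.
    bool isTokenAuthorized(const std::string& token) {
        if (!localAdminAuth) return true;  // auth disabled: nothing to check
        _authorized = validTokens.count(token) > 0;
        if (propagateAdmin) _adminAuthorized = _authorized;  // Thinner77's suggestion
        return _authorized;
    }

    // Model of JsonAPI::handleConfigCommand(): only _adminAuthorized is consulted,
    // so a freshly validated token does not help unless the flag was propagated.
    std::string handleConfigCommand() const {
        return _adminAuthorized ? "" : "No Authorization";
    }
};

// Replays the issue's reproduction steps: returns the "error" field the JSON reply
// would carry, or "" when the config command succeeds.
std::string replay(bool localAdminAuth, bool withFix, const std::string& token) {
    ApiModel api;
    api.validTokens.insert("constructed-valid-token");
    api.localAdminAuth = localAdminAuth;
    api.propagateAdmin = withFix;
    api.init();
    api.isTokenAuthorized(token);
    return api.handleConfigCommand();
}
```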