i8beef / HomeAutio.Mqtt.GoogleHome

MIT License

Localhost on error #71

Closed CoderFX closed 4 years ago

CoderFX commented 4 years ago

I'm facing the same problem as issue #32. My ASPNETCORE_PATHBASE is set to /google/home. Tried this as you instructed:

"authority": "https://blah.com/google/home/connect/authorize",
"publicOrigin": "https://blah.com/",
"requireSSL": true,

but it is not working. I get a Google error that the connection is not private.

i8beef commented 4 years ago

Authority shouldn't have connect/authorize in it. It should just be set to the root of the project, i.e. above, https://blah.com/google/home

CoderFX commented 4 years ago

Changed it to root, but the docker log shows this error: Showing login: User is not authenticated

i8beef commented 4 years ago

That OAuth section should look like this.

"oauth": {
    "tokenStoreFile": "config/tokens.json",
    "authority": "https://blah.com/google/home",
    "publicOrigin": "https://blah.com",

CoderFX commented 4 years ago

Here is my full oauth section:

"oauth": {
  "tokenStoreFile": "config/tokens.json",
  "authority": "https://blah.com/google/home/",
  "publicOrigin": "https://blah.com/google/home/",
  "requireSSL": true,
  "signingCerts": [
    {
      "file": "config/signingKey.pfx",
      "passPhrase": "supersecret"
    }
  ],
  "clients": [
    {
      "clientId": "*.apps.googleusercontent.com",
      "clientSecret": "supersecret",
      "clientName": "Google Actions Client",
      "allowedRedirectUris": [ "https://oauth-redirect.googleusercontent.com/r/secret" ],
      "refreshTokenLifetime": 365
    }
  ],
  "resources": [
    {
      "resourceName": "HomeAutio.Mqtt.GoogleHome"
    }
  ],
  "users": [
    {
      "subjectId": "00000000-0000-0000-0000-000000000000",
      "username": "someone",
      "password": "supersecret"
    }
  ]
},

i8beef commented 4 years ago

If you are proxying this at a different URL than the root, your authority and publicOrigin should not match. See my example. Also, I'm unsure if this will make a difference, but notice mine (which works) doesn't have trailing slashes on those URLs either.

Also for your client ID I wouldn't use anything with special characters in it. I tend to use a GUID for that.

CoderFX commented 4 years ago

Ok, changed them to

    "authority": "https://blah.com/google/home",
    "publicOrigin": "https://blah.com/google/home",

but got the same problem.

Maybe something is wrong with nginx configuration?

# GoogleHome Upstream
upstream googlehome {
    server 192.168.1.2:5000;
    keepalive 32;
}
server {
    listen 443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name blah.com;

    client_max_body_size 0;

    ssl_certificate /etc/letsencrypt/live/blah.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blah.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_prefer_server_ciphers on;

    location /google/home {
        allow all;

        proxy_pass http://googlehome;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

i8beef commented 4 years ago

your authority and publicOrigin should not match ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    "authority": "https://blah.com/google/home",
    "publicOrigin": "https://blah.com",
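
Added here as an illustration (not code from the project or from either commenter): a small Python check that encodes the rule in the reply above, i.e. authority equals publicOrigin plus ASPNETCORE_PATHBASE, publicOrigin is the bare scheme and host, neither URL carries a trailing slash, and authority is the app root rather than connect/authorize. The config values and the path base are constructed from this thread.

```python
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the thread: the app is proxied under /google/home.
PATH_BASE = "/google/home"  # what ASPNETCORE_PATHBASE is set to
SAMPLE_CONFIG = json.loads("""
{
  "oauth": {
    "authority": "https://blah.com/google/home",
    "publicOrigin": "https://blah.com",
    "requireSSL": true
  }
}
""")

def check_oauth_section(config: dict, path_base: str) -> list:
    """Return the list of inconsistencies found in config["oauth"]; empty means OK."""
    oauth = config.get("oauth", {})
    authority = oauth.get("authority", "")
    origin = oauth.get("publicOrigin", "")
    problems = []

    for name, value in (("authority", authority), ("publicOrigin", origin)):
        if not value:
            problems.append(f"{name} is missing")
            continue
        if value.endswith("/"):
            problems.append(f"{name} has a trailing slash: {value}")
        if oauth.get("requireSSL") and urlsplit(value).scheme != "https":
            problems.append(f"{name} must be https when requireSSL is true: {value}")

    # publicOrigin is the bare scheme+host; the path base does not belong in it.
    if urlsplit(origin).path not in ("", "/"):
        problems.append(f"publicOrigin should not contain a path: {origin}")

    # authority is the app root, never the /connect/authorize endpoint.
    if urlsplit(authority).path.rstrip("/").endswith("/connect/authorize"):
        problems.append("authority points at connect/authorize instead of the app root")

    # authority == publicOrigin + ASPNETCORE_PATHBASE (compared without trailing slashes).
    expected = origin.rstrip("/") + "/" + path_base.strip("/")
    if authority.rstrip("/") != expected:
        problems.append(f"authority {authority!r} should be {expected!r}")
    return problems

if __name__ == "__main__":
    for p in check_oauth_section(SAMPLE_CONFIG, PATH_BASE) or ["oauth section is consistent"]:
        print(p)
```

Run it against the two earlier variants from this thread (authority ending in connect/authorize, or publicOrigin carrying the path base with trailing slashes) and each mismatch is listed.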

i8beef commented 4 years ago

Here is my NGinX config for this:

Note the proxy_buffers need to be jacked up a bit for some of the edit screens, surprisingly... this is just something you might run into later, but I recommend putting it in.

  location /google/home {
    allow all;

    proxy_pass http://x.x.x.x:5000;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_buffers         8 16k;
    proxy_buffer_size     16k;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $host;
  }

I am unfamiliar with the upstream usage there, but I'm assuming this is equivalent.

CoderFX commented 4 years ago

I think something is wrong with my credential setup. Should I set up anything in the OAuth consent screen (Google)? When trying to add the device via the Google Home app I get this message:

blah.com normally uses encryption to protect your information. When Google Chrome tried to connect to blah.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be blah.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit blah.com right now because the website uses HSTS.

CoderFX commented 4 years ago

It was an incorrect nginx setup leading to the wrong subdomain. You can close this.