jeff-winn / homebridge-automower-platform

A platform plugin for Homebridge to connect your Husqvarna Automower and Gardena Smart robotic lawn mowers to Apple HomeKit.
MIT License

Homebridge restart causes 403 errors #175

Closed jeff-winn closed 1 year ago

jeff-winn commented 1 year ago

Describe The Bug: While shutting down my Homebridge server it has been observed that the plug-in throws 403 errors about the token being invalid. It seems fairly consistent as well.

To Reproduce:

Expected behavior: The plug-in shouldn't throw an error when attempting to logout of the Husqvarna platform.

Logs:

[11/5/2022, 4:01:06 PM] [Homebridge Automower Platform] Logging into the Husqvarna platform...
[11/5/2022, 4:01:06 PM] [Homebridge Automower Platform] Sending request [1/5]: 91a7f588-86af-4e20-9507-f90c90f904fc
 {"url":"https://api.authentication.husqvarnagroup.dev/v1/oauth2/token","method":"POST","headers":{"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"},"body":"grant_type=client_credentials&client_id=REDACTED&client_secret=REDACTED&scope=iam%3Aread%20amc%3Aapi"}
[11/5/2022, 4:01:08 PM] [Homebridge Automower Platform] Received response: 91a7f588-86af-4e20-9507-f90c90f904fc
 {"status":200,"statusText":"OK","body":{"access_token":"REDACTED","scope":"iam:read amc:api","expires_in":86398,"provider":"husqvarna","user_id":"REDACTED","token_type":"Bearer"}}
[11/5/2022, 4:01:08 PM] [Homebridge Automower Platform] Logged in!
[11/5/2022, 4:01:09 PM] [Homebridge Automower Platform] Received event:
 {"ready":true,"connectionId":"REDACTED"}
[11/7/2022, 10:57:31 AM] [Homebridge UI] Homebridge restart request received
[11/7/2022, 10:57:31 AM] [Homebridge UI] UI / Bridge settings have not changed; only restarting Homebridge process
[11/7/2022, 10:57:31 AM] [Homebridge UI] Sending SIGTERM to Homebridge
[11/7/2022, 10:57:31 AM] Got SIGTERM, shutting down Homebridge...
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Closing the stream...
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Stream closed.
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Logging out of the Husqvarna platform...
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Sending request [1/5]: 349ce722-2d0c-4781-963c-602f943cbe83
 {"url":"https://api.authentication.husqvarnagroup.dev/v1/token/REDACTED","method":"DELETE","headers":{"X-Api-Key":"REDACTED","Authorization-Provider":"husqvarna"}}
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Disconnected!
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] Received response: 349ce722-2d0c-4781-963c-602f943cbe83
 {"status":403,"statusText":"Forbidden","body":{"errors":[{"title":"Error in API Gateway","code":"INVALID_API_KEY"}]}}
[11/7/2022, 10:57:31 AM] [Homebridge Automower Platform] An unexpected error occurred while shutting down the plugin. Error: ERR: 403 -> {"errors": [{"title": "Error in API Gateway","code": "INVALID_API_KEY"}]} 
    at AuthenticationClientImpl.<anonymous> (/homebridge/node_modules/homebridge-automower-platform/dist/clients/authenticationClient.js:121:23)
    at Generator.next (<anonymous>)
    at fulfilled (/homebridge/node_modules/homebridge-automower-platform/dist/clients/authenticationClient.js:5:58)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
[11/7/2022, 10:57:36 AM] [HB Supervisor] Homebridge Process Ended. Code: 143, Signal: null
[11/7/2022, 10:57:41 AM] [HB Supervisor] Restarting Homebridge...

Plugin Config:

{
    "name": "Homebridge Automower Platform",
    "lang": "en",
    "appKey": "REDACTED",
    "authentication_mode": "client_credentials",
    "application_secret": "REDACTED",
    "platform": "Homebridge Automower Platform"
}

Environment:

jeff-winn commented 1 year ago

Associated with #171

jeff-winn commented 1 year ago

Initial investigation resulted in the Husqvarna API refusing to remove the Client Credentials flow based access tokens via DELETE action when invoked manually outside of the plugin. Password tokens however were being removed as expected.

{
    "errors": [
        {
            "title": "Error in API Gateway",
            "code": "INVALID_API_KEY"
        }
    ]
}

After the deletion, the access tokens were not being removed and were still active, so session hijacking could be a potential issue.

jeff-winn commented 1 year ago

Sent their OpenAPI service desk a bug report regarding the removal of OAuth tokens generated using Client Credentials flow and being unable to remove the actual token.

Not a big fan of this, but there's no telling when (or if) Husqvarna will deal with this issue on their end. I'm adhering to the API according to their specification and password grant token deletion works as intended.

Going to ignore 403 errors from the API response on logout.
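The workaround described above (tolerating the 403 on logout) and the concern in the earlier comment (the token is still live after the DELETE) can be combined into a logout routine that only tolerates the exact failure signature seen in these logs and still fails loudly on anything else. This is an added example and not code from homebridge-automower-platform; the endpoint, headers and error body are taken from the logs in this issue, the `expiresAt` parameter and the fake `fetch` responses are constructed for offline use, and narrowing the tolerated case to `INVALID_API_KEY` (rather than any 403) is a design choice of this example, not the plugin's.

```javascript
// Added example, not code from homebridge-automower-platform.
// Endpoint, headers and the 403 error shape come from the issue logs;
// everything else (expiresAt, fakeFetch) is constructed for this example.
const TOKEN_ENDPOINT = 'https://api.authentication.husqvarnagroup.dev/v1/token';

// Pure decision function: given the HTTP status and parsed JSON body of the
// DELETE /v1/token/{token} response, decide how logout should proceed.
// Returns { revoked, tolerated, reason }.
function classifyLogoutResponse(status, body) {
  if (status >= 200 && status < 300) {
    return { revoked: true, tolerated: false, reason: 'token revoked' };
  }
  const codes = Array.isArray(body && body.errors)
    ? body.errors.map((e) => e.code)
    : [];
  // The failure signature from this issue: 403 + INVALID_API_KEY from the API
  // gateway for client_credentials tokens. The token stays valid until expiry.
  if (status === 403 && codes.includes('INVALID_API_KEY')) {
    return {
      revoked: false,
      tolerated: true,
      reason: 'revocation refused by API gateway; token remains active until it expires',
    };
  }
  // Anything else (401, 5xx, unknown 403 codes) is a real error, not the known gap.
  return { revoked: false, tolerated: false, reason: `unexpected ${status}` };
}

// Logout with the same request shape as the plugin's log line:
// DELETE /v1/token/{token} with X-Api-Key and Authorization-Provider headers.
// fetchImpl is injected so the routine can run offline; expiresAt (epoch ms)
// is an assumed extra the caller records when the token is issued.
async function logout(fetchImpl, { appKey, accessToken, expiresAt }, log = console) {
  const response = await fetchImpl(`${TOKEN_ENDPOINT}/${encodeURIComponent(accessToken)}`, {
    method: 'DELETE',
    headers: { 'X-Api-Key': appKey, 'Authorization-Provider': 'husqvarna' },
  });
  let body = null;
  try {
    body = await response.json();
  } catch (_) {
    // A successful revoke may carry an empty body; that is not an error.
  }
  const verdict = classifyLogoutResponse(response.status, body);
  if (verdict.tolerated) {
    // The credential is still live: never persist it past shutdown, and make
    // the remaining lifetime visible to the operator instead of hiding it.
    const secondsLeft = expiresAt ? Math.max(0, Math.round((expiresAt - Date.now()) / 1000)) : null;
    log.warn(
      `Logout: ${verdict.reason}` + (secondsLeft === null ? '' : ` (about ${secondsLeft}s left).`)
    );
  } else if (!verdict.revoked) {
    // Mirror the plugin's existing error format so other failures still surface.
    throw new Error(`ERR: ${response.status} -> ${JSON.stringify(body)}`);
  }
  return verdict;
}

// Constructed stand-in for fetch so the example runs without network access.
function fakeFetch(status, body) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => {
      if (body === null) throw new Error('empty body');
      return body;
    },
  });
}

// Stand-alone demonstration using the constructed 403 body from the issue.
const issueBody = { errors: [{ title: 'Error in API Gateway', code: 'INVALID_API_KEY' }] };
logout(fakeFetch(403, issueBody), {
  appKey: 'REDACTED',
  accessToken: 'REDACTED',
  expiresAt: Date.now() + 86398 * 1000, // expires_in from the login response
}).then((v) => console.log(v.reason));
```

Keeping the decision in `classifyLogoutResponse` means the tolerated case is testable without a network and stays narrow: a 403 with any other error code, or a 401 or 5xx, is still raised the way the plugin raises it today.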

jeff-winn commented 1 year ago

Their service desk team responded; this item was transferred to the appropriate internal team for investigation.