jeremywillans / hass-addons

Hass.io Addon Repository
MIT License

Request bearer token from supervisor #11

Closed aph3rson closed 1 year ago

aph3rson commented 2 years ago

Communication with the core API for both the php-nginx addons requires that the user generate their own long-lived access key.

However, HA will vend a token to the container if the addon is configured to receive access tokens directly. These tokens are exposed in the SUPERVISOR_TOKEN envvar, and allow using the http://supervisor/core/api/ API endpoint. More information here.

This should be as simple as setting homeassistant_api: true in the config.json for both files. From there, both image.php files need:

$ha_token = getenv("SUPERVISOR_TOKEN");
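
The token selection proposed in this comment, as an added example that is not part of the thread or the add-on's own code. The function names `ha_credentials` and `ha_get_state` and the option keys `ha_url` and `ha_token` are hypothetical, and it assumes the add-on has been granted `homeassistant_api: true` so the Supervisor accepts the token at `http://supervisor/core/api`:

```php
<?php
// Added example; ha_credentials(), ha_get_state() and the $options keys are hypothetical.

function ha_credentials(array $options): array
{
    $supervisorToken = getenv('SUPERVISOR_TOKEN');
    if ($supervisorToken !== false && $supervisorToken !== '') {
        // Token vended by the Supervisor: scoped to this add-on, no user-made secret to store.
        return ['base' => 'http://supervisor/core/api', 'token' => $supervisorToken];
    }
    // Fallback: the user-generated long-lived access token against the core URL.
    if (empty($options['ha_url']) || empty($options['ha_token'])) {
        throw new RuntimeException('No SUPERVISOR_TOKEN and no long-lived token configured');
    }
    return ['base' => rtrim($options['ha_url'], '/') . '/api', 'token' => $options['ha_token']];
}

function ha_get_state(array $cred, string $entityId): array
{
    // Entity ids look like "sensor.rest980"; reject anything else so the
    // value cannot change the request path.
    if (!preg_match('/^[a-z0-9_]+\.[a-z0-9_]+$/', $entityId)) {
        throw new InvalidArgumentException('Invalid entity id');
    }
    $ch = curl_init($cred['base'] . '/states/' . $entityId);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HTTPHEADER     => [
            'Authorization: Bearer ' . $cred['token'],
            'Content-Type: application/json',
        ],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false || $status !== 200) {
        // Report the status only; never echo the token or request headers.
        throw new RuntimeException("Home Assistant API request failed (HTTP $status)");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}
```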

jeremywillans commented 2 years ago

I have added this as an option for the php_nginx containers. Can you update/test and let me know if it's working as expected?

jeremywillans commented 2 years ago

bump

aph3rson commented 2 years ago

I just fixed an (unrelated) issue with my HA deployment. I'll give this a shot this evening.

aph3rson commented 2 years ago

Alright, just tried this out. I used Portainer to connect to the container for the php-nginx API, and tried to call routes like I'd see in image.php:

root@48159ca7-php-nginx: /srv/www # curl -X GET -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" -H "Content-Type: application/json" http://supervisor/api/states/sensor.rest980
403: Forbidden
root@48159ca7-php-nginx: /srv/www # curl -X GET -H "Authorization: Bearer ${SUPERVISOR_TOKEN}" -H "Content-Type: application/json" http://supervisor/core/api/states/sensor.rest980
401: Unauthorized

I see this in the supervisor logs:

22-02-10 18:32:36 WARNING (MainThread) [supervisor.api.middleware.security] 48159ca7_php-nginx missing API permission for /api/states/sensor.rest980
22-02-10 18:32:36 ERROR (MainThread) [supervisor.api.middleware.security] Invalid token for access /api/states/sensor.rest980
22-02-10 18:32:40 WARNING (MainThread) [supervisor.api.proxy] Not permitted API access: 48159ca7_php-nginx

Therefore, it's not clear if:

Taking a peek at another addon that appears to use this, here's their config.json, and here's where they call the API from within their addon code.

Any ideas?

jeremywillans commented 1 year ago

Sorry for the delay... Given mapping is broken, and not coming back anytime soon it seems, I'm going to close this.