otaviojr / node-red-contrib-smartthings

Allows you to control your devices and get their status using NodeRed
MIT License

Webhook #84

Open 3web opened 2 years ago

3web commented 2 years ago

I have used this URL before the version 0.42: http://XXX.XXX.XXX.XXX:1880/smartthings/webhook

On this URL I can no longer receive a webhook. Then I use this URL: http://XXX.XXX.XXX.XXX:1880/smartthings/smartapp

But the webhook is also not working, as you can see in the TCP dump:

Request:

```
20:53:48.828333 IP SCR-HOST.60688 > DEST-HOST.1880: Flags [P.], seq 1715952987:1715953518, ack 1427407629, win 913, options [nop,nop,TS val 224966201 ecr 1537292140], length 531
E..G..@.@......T...(...XfG][U.............. .h.9[.7lPOST /smartthings/smartapp HTTP/1.1
Accept: /
User-Agent: Linux UPnP/1.0 SmartThings
HOST: C0A80128:0758
Content-Type: application/json
Content-Length: 365

{"id":"67314582-490c-4541-a738-d13fc85d6f60","date":"2022-07-03T18:53:48.617Z","value":"open","name":"contact","display_name":"Fenster B\u00fcro","description":"Fenster B\u00fcro was open","source":"DEVICE","state_changed":true,"physical":false,"location_id":"d281d309-8e36-4cf3-a608-4e5b7d12a09e","hub_id":"e529e143-9335-4974-8cb6-e619c7103c31","smartapp_id":null}
```

Response:

```
20:53:48.924546 IP DEST-HOST.1880 > SCR-HOST.60688: Flags [P.], seq 1:278, ack 531, win 505, options [nop,nop,TS val 1537292245 ecr 224966201], length 277
E..I.t@.?.!n...(...T.X..U...fG_n........... [.7..h.9HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 9
ETag: W/"9-PatfYBLj4Um1qTm5zrukoLhNyPU"
Date: Sun, 03 Jul 2022 18:53:48 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Forbidden
```

What is the correct webhook URL or what is to do?

otaviojr commented 2 years ago

Hi @3web,

as I can see you are using an IP address. They no longer work. SmartThings server will only call a webhook with a valid SSL certificate, which only will work with a domain.

You need a public IP address, a domain pointing to IP, and a valid SSL certificate to reach your nodered instance.

If you don't have a valid IP address, you can take a look at noip, which provides you a DDNS with an SSL certificate.

regards, Otávio Ribeiro

3web commented 2 years ago

Dear Otávio

Thanks for your message.

The status code is: 401 Unauthorized (from Node-RED/node-red-contrib-smartthings), when I call the endpoint over HTTP and the host IP address, in an internal network?

And now I have to move my infrastructure to a cloud provider and call the endpoint over the FQDN with an SSL certificate?

Have I understood your solution correctly?

regards, Markus

otaviojr commented 2 years ago

This is not my solution. Unfortunately, Samsung is changing some things within smartthings.

Now, SmartApps can not run on the hub anymore, so, no local network. The webhook is called from the Samsung network/cloud infrastructure, then, you need a public IP address, and they will call it only over https, and they will validate the SSL certificate.

So, yes, you need a public IP, a domain, and a valid SSL certificate.

But, you don't need to move your nodered instance to the cloud. You can keep it with you.

You can use solutions like noip, which will provide you with a ddns solution with a valid domain and SSL certificate over a dynamic public IP address.

Some people have a proxy on the cloud with a VPN to their house's infrastructure. A tiny machine that just forwards those requests.

There are some solutions.

3web commented 2 years ago

Dear Otávio

This does not solve the problem:

```
12:05:08.795081 IP localhost.34716 > localhost.1880: Flags [P.], seq 816386050:816386741, ack 3167600180, win 512, options [nop,nop,TS val 998723506 ecr 998723506], length 691
E.....@.@.+L...........X0......4........... ;.O.;.O.POST /smartthings/smartapp HTTP/1.1
Host: node-red.XYZ.UVW
Accept: /
Content-Type: application/json
User-Agent: Apache-HttpClient/4.5.2 (Java/1.7.0_312)
Accept-Encoding: gzip,deflate
X-Forwarded-For: 52.213.26.200
X-Forwarded-Host: node-red.XYZ.UVW
X-Forwarded-Server: node-red.XYZ.UVW
Connection: Keep-Alive
Content-Length: 338

{"id":"67314582-490c-4541-a738-d13fc85d6f60","date":"2022-07-04T16:05:08.618Z","value":"open","name":"contact","display_name":"Fenster B..ro","description":"Fenster B..ro was open","source":"DEVICE","state_changed":true,"physical":false,"location_id":"d281d309-8e36-4cf3-a608-4e5b7d12a09e","hub_id":"e529e143-9335-4974-8cb6-e619c7103c31"}

12:05:08.800568 IP localhost.1880 > localhost.34716: Flags [P.], seq 1:278, ack 691, win 512, options [nop,nop,TS val 998723511 ecr 998723506], length 277
E..I..@.@............X.....40........=..... ;.O.;.O.HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 9
ETag: W/"9-PatfYBLj4Um1qTm5zrukoLhNyPU"
Date: Mon, 04 Jul 2022 16:05:08 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Forbidden
```

The status code is the same: 401 Unauthorized

regards, Markus

otaviojr commented 2 years ago

Can you check if this is not your problem?

https://github.com/otaviojr/node-red-contrib-smartthings/issues/78

Are you using a proxy?

regards

3web commented 2 years ago

Yes, I'm using an Apache proxy pass.

When I test the "hook" with Postman, I can see the same error (old and new installation).

The following entry can be found in the log:

```
Smartthings WebApp 2022-07-04T16:44:13.299Z error: MissingHeaderError: no authorization header present in the request
    at Object.parseRequest (/data/node_modules/@smartthings/smartapp/node_modules/http-signature/lib/parser.js:124:13)
    at Authorizer.isAuthorized (/data/node_modules/@smartthings/smartapp/lib/util/authorizer.js:176:33)
    at SmartApp.handleHttpCallback (/data/node_modules/@smartthings/smartapp/lib/smart-app.js:403:47)
    at /data/node_modules/node-red-contrib-smartthings/smartthings/smartthings-config.js:958:18
    at Layer.handle [as handle_request] (/usr/src/node-red/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/node-red/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/src/node-red/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/src/node-red/node_modules/express/lib/router/layer.js:95:5)
    at /usr/src/node-red/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/src/node-red/node_modules/express/lib/router/index.js:341:12)
2022-07-04T16:44:13.300Z error: Unauthorized
```

This entry is correct; I do not use authentication.

Regards, Markus

Humancell commented 2 years ago

The problem is the same as mine. The proxy is altering a header or not passing through all of them exactly as they were. The "http-signature" is being checked and SOME header has been altered and so the signature is not correct.

I've tried, but SmartThings has been no help in explaining exactly what headers are being used in the creation of the signature, and so we don't know what to fix.

You won't get this working with a proxy unless we can determine exactly what headers are being used to create the signature, so that we can ensure they are passed through cleanly to be verified properly.

Scott
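Added example, not part of the thread and not code from node-red-contrib-smartthings or @smartthings/smartapp: a minimal check in the style of the HTTP Signature scheme that the `http-signature` parser in the stack trace handles, showing which proxy changes break verification and which do not. The key pair, host name and signed-header list are constructed assumptions; on a real request the signed set is whatever the `headers="..."` parameter of the incoming `Authorization` header lists.

```javascript
const nodeCrypto = require('crypto');
// Parse `Authorization: Signature keyId="..",headers="..",signature=".."` into an object.
function parseSignatureHeader(value) {
  if (!/^Signature /i.test(value || '')) return null;
  const pairs = [...value.slice(10).matchAll(/(\w+)="([^"]*)"/g)];
  return Object.fromEntries(pairs.map((m) => [m[1], m[2]]));
}

// Rebuild the signing string from the header names listed in the `headers` parameter.
function signingString(req, names) {
  return names.map((n) => (n === '(request-target)'
    ? `(request-target): ${req.method.toLowerCase()} ${req.path}`
    : `${n}: ${req.headers[n]}`)).join('\n');
}

// Return a reason string so a proxy problem can be told apart from a bad signature.
function checkRequest(req, publicKey) {
  const params = parseSignatureHeader(req.headers.authorization);
  if (!params) return 'missing-authorization';
  if (!params.headers || !params.signature) return 'malformed-authorization';
  const names = params.headers.split(' ');
  const missing = names.filter((n) => n !== '(request-target)' && !(n in req.headers));
  if (missing.length) return `missing-signed-header:${missing.join(',')}`;
  const ok = nodeCrypto.verify('sha256', Buffer.from(signingString(req, names)), publicKey,
    Buffer.from(params.signature, 'base64'));
  return ok ? 'verified' : 'signature-mismatch';
}

// Constructed demo data: key pair, host name and signed-header list are assumptions.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SIGNED = ['(request-target)', 'digest', 'date'];
function signedRequest() {
  const digest = 'SHA-256=' + nodeCrypto.createHash('sha256').update('{"value":"open"}').digest('base64');
  const req = { method: 'POST', path: '/smartthings/smartapp',
    headers: { host: 'node-red.example.test', date: 'Mon, 04 Jul 2022 16:05:08 GMT', digest } };
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingString(req, SIGNED)), privateKey);
  req.headers.authorization = 'Signature keyId="demo-key",algorithm="rsa-sha256",' +
    `headers="${SIGNED.join(' ')}",signature="${sig.toString('base64')}"`;
  return req;
}

function demo() {
  const c = [0, 1, 2, 3].map(() => signedRequest());
  delete c[1].headers.authorization;    // proxy dropped the Authorization header
  c[2].path = '/smartapp';              // proxy rewrote the signed request target
  c[3].headers.host = '127.0.0.1:1880'; // proxy changed a header outside the signed list
  return c.map((r) => checkRequest(r, publicKey));
}
console.log(demo());
```

To apply the same reasoning to a live setup, log the `Authorization` header as it arrives behind the proxy and compare the names in its `headers="..."` parameter with what the proxy forwards unchanged.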

quantum-fc101 commented 2 years ago

The above would mean opening my NodeRED instance to the internet, without going through a proxy, NO THANKS. The only way I would be willing to do this is by adding the SmartThings Cloud public IPs to the inbound rule on my firewall. Does anyone know the public IP subnet that SmartThings uses to communicate?

For now I am going to be downgrading to version 0.0.20 SmartThings npm as this version still supports location WebHook. If there is no solution found I will then look at removing this module completely and proxying the sensors via Home Assistant.

otaviojr commented 2 years ago

The problem is not the version supporting local webhook but Samsung.

They will stop supporting it.

As far as I know, they should not support it anymore...

And the old version is developed using local device handles, which Samsung will also discontinue...

I also like the old solution much more... unfortunately not only Samsung but all big techs are proposing cloud solutions for their platforms...

regards, Otávio Ribeiro

quantum-fc101 commented 2 years ago

I understand that the problem is coming from Samsung; the thing is, I am running version 0.0.20 and local webhook is still working fine for me. Maybe when they remove Groovy is when I will lose access.

It's a shame, as having nodeRED open to the outside world poses a security risk for me. The only way to resolve this would be to add the SmartThings Cloud public IPs into my firewall rule. I will be migrating everything over to the Home Assistant SmartThings integration and then link Home Assistant into nodeRED.

It's just another thing that SmartThings are killing off when they switch off Groovy at the end of the year.

Regards, Francis

otaviojr commented 2 years ago

I moved myself to hubitat for now, planning Home Assistant as well.

When you move out, you will figure out that to use some things like Alexa, Google Home, and others, you will have to pay for home assistant cloud or open it up to the world equally.

As I said, most of those big tech companies will handle their devices on the cloud, and to handle webhooks, you will need to open up home assistant and have an SSL certificate... or... pay for them to use the home assistant cloud, which will proxy all those requests...

The good thing with home assistant is that they put in some effort to make it all run locally.

regards, Otávio Ribeiro

otaviojr commented 2 years ago

I configured Home Assistant Smartthings integration for a friend these days, and it is the same thing.

I needed to open up home assistant to the world and get a noip account and an SSL certificate from them...

This is the only way Home Assistant can handle webhooks from Smartthings as well... you can choose to pay Home Assistant cloud, as I said before...

Home Assistant Smartthings integration has changed to use the new webhook system as well...

regards, Otávio Ribeiro

otaviojr commented 2 years ago

And you can always install a Nginx on an external host, configure it as a stream, and proxy all requests to your local nodered, home assistant, etc.

This way, you create a bridge and don't need to open up your nodered to the world...

This is basically what hubitat and home assistant clouds are doing...

regards, Otávio Ribeiro

3web commented 2 years ago

I now have a Node-RED (with MQTT) as an external installation. This installation receives the SmartThings webhook and saves it in the MQTT store. My local Node-RED is connected to the external MQTT and receives the webhook notification. This way I do not have to move the full Node-RED to an external installation or open my local network from outside for a simple webhook.

I hope Matter will fix this in the future...

regards, Markus