rstrouse / ESPSomfy-RTS

A controller for Somfy RTS shades and blinds
The Unlicense

Non-protected HTTP endpoints #300

Open nbarrientos opened 4 months ago

nbarrientos commented 4 months ago

Hardware

LilyGO T-Internet POE

Firmware version

v.2.3.3

Application version

v.2.3.3

What happened? What did you expect to happen?

My instance is username/password protected, however I can dump the credentials with no authentication using the /getSecurity endpoint. This does not sound like expected behaviour.

How to reproduce it (step by step)

  1. Configure username/password based security.
  2. curl http://espsomfyrts.lan/getSecurity -v
     < HTTP/1.1 200 OK
     < Content-Type: application/json
     < Content-Length: 78
     < Access-Control-Allow-Origin: *
     < Access-Control-Allow-Methods: *
     < Access-Control-Allow-Headers: *
     < Connection: close
     < 
     * Closing connection 0
     {"type":2,"username":"api","password":"REDACTED","pin":"","permissions":0}

Likewise I can download a full backup with no authentication; see https://github.com/rstrouse/ESPSomfy-RTS/issues/274#issuecomment-1974783640
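An added audit check for verifying a fix on your own device (not code from this issue or from the ESPSomfy-RTS project): it classifies an unauthenticated reply from /getSecurity as a credential disclosure when a 200 carries the username/password/pin fields, and additionally flags the wildcard Access-Control-Allow-Origin header shown in the reproduction, since that combination lets a cross-origin web page read the JSON from a browser that can reach the device. The `fetch_unauthenticated` helper, the constructed sample responses and the placeholder password are assumptions.

```python
import json
import urllib.error
import urllib.request

CREDENTIAL_KEYS = {"username", "password", "pin"}


def leaks_credentials(status, body):
    """True when an unauthenticated request gets a 200 whose JSON carries credential fields."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(CREDENTIAL_KEYS & data.keys())


def wildcard_cors(headers):
    """True when the response may be read cross-origin from any web page (ACAO: *)."""
    return headers.get("Access-Control-Allow-Origin", "").strip() == "*"


def audit(responses):
    """Map each path to a list of findings; an empty list means the endpoint behaved."""
    findings = {}
    for path, (status, headers, body) in responses.items():
        issues = []
        if leaks_credentials(status, body):
            issues.append("credentials returned without authentication")
            if wildcard_cors(headers):
                issues.append("wildcard CORS lets any web page read them")
        findings[path] = issues
    return findings


def fetch_unauthenticated(base_url, path, timeout=5):
    """Request a path from your own device with no credentials; returns (status, headers, body)."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read().decode()
    except urllib.error.HTTPError as e:  # 401/403 is the expected, healthy outcome
        return e.code, dict(e.headers), e.read().decode()


# Constructed samples (not captured from a device): the first mirrors the reply shape
# quoted in the issue with a placeholder password, the second is what a fixed firmware
# should return to an unauthenticated caller.
BEFORE_FIX = {"/getSecurity": (200, {"Access-Control-Allow-Origin": "*"},
              '{"type":2,"username":"api","password":"PLACEHOLDER","pin":"","permissions":0}')}
AFTER_FIX = {"/getSecurity": (401, {}, '{"error":"Unauthorized"}')}

if __name__ == "__main__":
    print(audit(BEFORE_FIX))  # two findings
    print(audit(AFTER_FIX))   # no findings
```

To run it against a real instance, replace the samples with `{"/getSecurity": fetch_unauthenticated("http://espsomfyrts.lan", "/getSecurity")}`.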

rstrouse commented 3 months ago

This is something that I need to get back to. Part of the issue is setting headers (which I now can do reliably) in HA and ignoring them when the security modes change. The code itself issues a rolling API key but the validation of the key is bypassed for now as it caused some issues early on.