sebbu / iControl-Web

iControl Web App (iOS) for all home automation systems (or trigger IFTTT) which support HTTP (i.e. HomeWizard, PEHA-House-Control-System, PHC, KNX or control4). It can also be used to control your IP camera (i.e. Mobotix) or even as a remote control for some HDMI DLNA adapter.

Add support for Basic authentication #4

Open aivs opened 8 years ago

aivs commented 8 years ago

Many SmartHome controllers use Basic authentication to access their HTTP API. I use a Raspberry Pi with the app Z-Way to control my Z-Wave devices. Z-Way requires a login and password for HTTP commands. I know many other controllers that support basic authentication, so the list of compatible SmartHome controllers will increase if you add support for sending HTTP commands with basic authorization.

sebbu commented 8 years ago

Hi, thanks for this feature request. It makes sense and I will add it in a future version.

dhermanns commented 6 years ago

Your App looks great - is this possible now? I would like to use it with Openhab, so authentication is crucial...

sebbu commented 6 years ago

Sorry, I did not find any time yet (though it sure makes sense). The time for the feature is not the problem, but in the meantime a lot has changed for Swift and iOS.

You can use iControl Web (including Apple Watch) with openHAB

The documentation of openHAB says that it does not (yet) support restricting access... and it proposes to use basic authentication with nginx... it is just a proposal.

Alternative Proposal to authenticate access to openHAB and still use iControl Web

Basic Auth Workaround

If you already run an nginx I would propose that you could use a workaround for the problem, i.e. use rewriting and map all commands. Use a password-like string as a prefix to the real path.

Instead of simply proxying everything with `proxy_pass http://localhost:8080/;`, extend the proxy rules and add a rewrite for the secured command, i.e. `rewrite /hereGoesAComplicatedUrlEscapedString/(.*) /$1 break;`

Then you use `http://exthost:port/hereGoesAComplicatedUrlEscapedString/original/command/path` in the iControl Web configuration.

I am not an nginx expert. Test if the real commands are still passed. If yes, catch everything in a last rule and send it to the nirvana: `rewrite /(.*) /non/existent/path break;`

Keep in mind to always use https, because in both cases (complicatedPath or basic auth) the clear password would be visible to a MITM attack. (Not using https with the complicatedPath method is worse, because URLs could be captured by proxies, browser history, etc.) If you still want to use basic auth elsewhere, I propose that you create a dedicated virtual host and use name-based virtual hosts.

You can also use this method to expose only a subset of commands, i.e. `rewrite /hereGoesAnotherComplicatedUrlEscapedString/ /url/to/real/command/one break;` and `rewrite /hereGoesAThirdComplicatedUrlEscapedString/ /url/to/real/command/two break;`
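The workaround above, written out as a complete nginx server block. This is an added example, not configuration from the iControl Web project or from the comment author; the host name, certificate paths, the `127.0.0.1:8080` openHAB backend and the `REPLACE_WITH_...` secret-prefix values are placeholders you must substitute. It keeps the same three pieces described in the comment (prefix rewrite, optional per-command aliases, catch-all), with one deviation: the catch-all answers `404` directly instead of rewriting to a non-existent path, which has the same effect but never touches the backend.

```nginx
# Added example (not the project's or the commenter's own config).
# Reverse proxy in front of openHAB that only forwards requests carrying a
# long random path prefix. Everything else is rejected before reaching openHAB.
server {
    # TLS only: the secret prefix travels in the URL, so plain HTTP would
    # expose it to anyone on the path (see the note on MITM above).
    listen 443 ssl;
    server_name icontrol.example.com;                        # placeholder host

    ssl_certificate     /etc/nginx/ssl/icontrol.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/icontrol.example.com.key;  # placeholder

    # Optional: refuse plain-HTTP clients that reach this vhost on port 80
    # by simply not listening there. A separate vhost can serve basic auth
    # for other apps, as the comment suggests.

    # 1. Full passthrough under the secret prefix.
    #    /REPLACE_WITH_LONG_RANDOM_STRING/rest/items/Light -> /rest/items/Light
    location ~ ^/REPLACE_WITH_LONG_RANDOM_STRING/(.*)$ {
        rewrite ^/REPLACE_WITH_LONG_RANDOM_STRING/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:8080;            # openHAB backend (assumption)
        proxy_set_header Host $host;
        # The prefix also lands in the access log; keep that log readable
        # only by the nginx user, or log to a dedicated protected file.
        access_log /var/log/nginx/icontrol-secret.log;   # placeholder path
    }

    # 2. Alias a single backend command under its own secret path, so the
    #    phone configuration can expose only that one command.
    location = /REPLACE_WITH_ANOTHER_RANDOM_STRING/ {
        rewrite ^ /url/to/real/command/one break;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    # 3. Catch-all: any path without a valid prefix never reaches openHAB.
    location / {
        return 404;
    }
}
```

After loading this config, verify both halves of the behaviour: a request to `https://icontrol.example.com/REPLACE_WITH_LONG_RANDOM_STRING/rest/items` should return openHAB's response, while `https://icontrol.example.com/rest/items` must return 404 from nginx. Because `location /` is a prefix match and the first block is a regex match, nginx evaluates the regex block first for matching URIs, so the order shown above is what makes the catch-all safe.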

luckydonald commented 6 years ago

So entering a URL like https://user:password@example.com isn't possible?

sebbu commented 6 years ago

URLs like https://user:password@example.com are interpreted by the browser. So it is not possible. You have to go through the workaround, or a VPN, or anything else which can be used in the infrastructure.

luckydonald commented 6 years ago

Therefore there would need to be code to interpret it.

MarvAmBass commented 6 years ago

any updates on this? I'd pay 5 € for this