search

staromeste / homebridge-http-advanced-accessory

Supports all devices on HomeBridge Platform / Bridges devices to http
Apache License 2.0
67 stars 23 forks source link

Strange 'unauthorized' behaviour when accessing URL #33

Open revog opened 3 years ago

revog commented 3 years ago

Why do I get "Unauthorized" message when accessing simple URL which returns a JSON?

[8/10/2021, 3:58:21 PM] [Hagelwarnung] requested update for action getContactSensorState
[8/10/2021, 3:58:21 PM] [Hagelwarnung] getDispatch function called for url: https://sub.domain.com/api/v0/devices/123abc456def/poll?hwtypeId=166
[8/10/2021, 3:58:21 PM] [Hagelwarnung] httpRequest called, current uriCalls is 1
[8/10/2021, 3:58:21 PM] [Hagelwarnung] httpRequest ended, current uriCalls is 0
[8/10/2021, 3:58:21 PM] [Hagelwarnung] received response from action: https://sub.domain.com/api/v0/devices/123abc456def/poll?hwtypeId=166
[8/10/2021, 3:58:21 PM] [Hagelwarnung] Applying mappers on {"timestamp":1628603902957,"status":401,"error":"Unauthorized","message":"Unauthorized","path":"/api/v0/devices/123abc456def/poll"}
[8/10/2021, 3:58:21 PM] [Hagelwarnung] Mapper 0 mapped {"timestamp":1628603902957,"status":401,"error":"Unauthorized","message":"Unauthorized","path":"/api/v0/devices/123abc456def/poll"} to []
[8/10/2021, 3:58:21 PM] [Hagelwarnung] Mapper 1 mapped [] to []
[8/10/2021, 3:58:21 PM] [Hagelwarnung] Mapping result is []
[8/10/2021, 3:58:21 PM] [Hagelwarnung] We have a value: [], int: NaN

When I do a curl on Homebridge server it works without any authentication information:

root@NAS:/homebridge# curl https://sub.domain.com/api/v0/devices/123abc456def/poll?hwtypeId=166
{"currentState":2,"newProgVer":0}

Un-obfuscated URL is definitely unprotected and does also work when accessing in browser. What does this plugin do different?

Regards

revog commented 3 years ago

I did some further tests and found out that this "unauthorized" error occurs when I set the basic authentication wihtin the HTTP GET request. And it seems that it does not matter whether its value is empty or not.

It seems a code change is needed, which does not add any authentication parameters to a request if username & password is not set.

I temporarly removed the following lines from index.js and now the GET method work as expected: https://github.com/staromeste/homebridge-http-advanced-accessory/blob/master/index.js#L135

                                auth: {
                                        user: this.auth.username,
                                        pass: this.auth.password,
                                        sendImmediately: this.auth.immediately
                                },
                                headers: {
                                        Authorization: "Basic " + new Buffer(this.auth.username + ":" + this.auth.password).toString("base64")
                                }

Anybody here who's able to fix this in an elegant way?