
Question: Have there been any issues with the web authorization call

Open bwssytems opened this issue 8 years ago • 26 comments

Within the app that I have built the call: POST https://svcs.myharmony.com/CompositeSecurityServices/Security.svc/json/GetUserAuthToken with a body of email and password json returns null now. Anyone else experiencing this?

bwssytems Nov 18 '16 15:11

Hi,

I'm not using this library, but I am now getting this on my android wear app and tasker plugin.

There are a few people talking about this on other forums, but no resolution yet.

The only hope I have is if you read the code for the swissmanu javascript plugin:

https://github.com/swissmanu/harmonyhubjs-client

He removed the need for using the web authentication service and uses method=pair when obtaining a session token.

I will try this out tonight to see if it works, if it does I'll comment back on here and maybe the developer here can make the changes.

Thanks.

timforsyth Nov 18 '16 15:11

Thanks, I'm looking at that code right now. I am using the harmony-java-client that was derived from this C# code. https://github.com/bwssytems/ha-bridge

bwssytems Nov 18 '16 15:11

Updated and tested on the java client using the "pair" method described in the hubjs-client. Works great again...phew

So, now this code will need to be updated....

bwssytems Nov 18 '16 17:11

Is there any known communication on this issue from Logitech itself? This client gets the following JSON returned: HTTP Status: 200 (ok) {"GetUserAuthTokenResult":null}

They could at least have returned an error :(

Lakritzator Nov 18 '16 17:11

@bwssytems Can you point at your changes, so I can have a look?

Lakritzator Nov 18 '16 18:11

Maybe developers that got into the API program got that info. I did not get a response from them when I signed up, so I did not get any update.

Here is the link to the code: https://github.com/bwssytems/harmony-java-client/blob/master/src/main/java/net/whistlingfish/harmony/protocol/MessageAuth.java

bwssytems Nov 18 '16 18:11

Also, this is the code I started from to get the workings: https://github.com/swissmanu/harmonyhubjs-client/blob/develop/lib/login/hub.js

bwssytems Nov 18 '16 18:11

Thanks, I might have a go at it.

Lakritzator Nov 18 '16 18:11

Just chiming in as I'm tackling this as well in my own library right now: Change seems to be around two things in the regular auth flow to use the pairing method:

  1. Bypass the call to get the Logitech token all together
  2. When swapping the logitech token for a session token with the Harmony, instead of "token=XXX" in the message you use "method=pair".

This does work, but I worry that without further understanding of this, it could have other issues: for instance, has anyone tried having multiple devices talk to the same Harmony at once (your phone, etc.)? I haven't, but just wondering if there are any weird issues around "pairing" here without a logitech auth token.

Also, the Domoticz team seems to have found some other OAuth based API endpoint to hit to get the original ticket again... that MAY be a better approach, but I haven't been able to see their code yet so I don't know what API they are hitting.

i8beef Nov 18 '16 18:11
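The two payload shapes described in the comment above, and the null-token reply from the web service mentioned earlier, as an added example in JavaScript (not code from this issue or from any of the libraries it links). Assumed, after the swissmanu client: the body of the hub's session-token request is "key=value" pairs joined with ':', and the hub answers with "identity=<token>:status=succeeded"; the field names, `mode` strings and sample values are constructed for this example.

```javascript
// Parse the GetUserAuthToken JSON body. A 200 with
// {"GetUserAuthTokenResult":null} is treated as a failure, so a null
// token is never forwarded into the next step of the flow.
function parseUserAuthToken(jsonBody) {
  const parsed = JSON.parse(jsonBody);
  const token = parsed.GetUserAuthTokenResult;
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'web auth service returned no token' };
  }
  return { ok: true, token };
}

// Build the text of the session-token request sent to the hub.
//   mode 'token': the original flow, carrying the Logitech-issued token.
//   mode 'pair':  the workaround flow, with no Logitech token at all.
// The "key=value" ':'-joined layout is an assumption taken from the
// swissmanu client; `identity` is the caller's chosen device name.
function buildConnectBody(mode, identity, logitechToken) {
  if (mode === 'token') {
    if (!logitechToken) throw new Error('token mode needs a Logitech token');
    return `token=${logitechToken}:name=${identity}`;
  }
  if (mode === 'pair') {
    return `method=pair:name=${identity}`;
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Parse the hub's reply into fields and hand back the session token only
// when the hub reports success (assumed reply layout, see lead-in).
function parseConnectReply(body) {
  const fields = {};
  for (const part of body.split(':')) {
    const eq = part.indexOf('=');
    if (eq > 0) fields[part.slice(0, eq)] = part.slice(eq + 1);
  }
  if (fields.status !== 'succeeded' || !fields.identity) {
    return { ok: false, reason: `hub status: ${fields.status || 'none'}` };
  }
  return { ok: true, sessionToken: fields.identity };
}
```

Note that in 'pair' mode nothing in the request ties the caller to a Logitech account, which is exactly the concern raised further down in the thread: any host that can reach the hub's XMPP port can complete this exchange.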

The pair, I believe, just gets you the token for the hub. I believe it is a single token that any device can use. In the code I have, it gets the token and disconnects the XMPP connection and creates a new connection with the token.

bwssytems Nov 18 '16 18:11

Seems to be working, was an easy change. Still I don't really get it, it used to be very secure and now every system on my network can connect to my harmony hubs. On the other side, anyone can take the remote and use it...

Lakritzator Nov 18 '16 19:11

I'm just surprised this method exists at all beyond initial setup, so I'm just being cautious in my thinking: it bypasses security, which seems like a bug that might be patched later.

I do the same thing with using one connection to get the ticket and then opening a different one for the rest. It just drops out getting the first auth ticket from Logitech in favor of this.

So yes, I can say it seems to work, I'm just a little concerned about long term viability... not that we have many other choices right now. That's also why I mentioned the Domoticz discussion, because it sounded like he might have stumbled on something that could be more long lived. And also to point out that I didn't know how thoroughly this method of auth has been explored, so there could be caveats none of us are seeing yet.

i8beef Nov 18 '16 19:11

I would expect the client not to be able to change the settings anymore without having a real login to Logitech? Controlling devices is not a huge security issue from my standpoint, they need to be in the same network.

Lakritzator Nov 18 '16 19:11

My security OCD is twitching right now... you are correct that unless I did something incredibly stupid like opening my XMPP port through my router, they'd need to be on the same network. Depending on what I have my Harmony connected to control though, it could give people access to control anything it does remotely, which obviously isn't good... But that's what I'm saying, we're exploiting what I fear might be a bug to be patched if they get tougher on security. Just something to be aware of really until someone finds a better way to get a real ticket again (which is why I'm poking to see if this guy will share: https://www.domoticz.com/forum/viewtopic.php?f=6&t=14315&p=104984#p104984)

i8beef Nov 18 '16 19:11

I have an HTTP client which can also do OAuth 2, if there would be an OAuth 2 authentication available I guess it should not be hard to implement it.

Example test case for a Google API implemented with my client: https://github.com/dapplo/Dapplo.HttpExtensions/blob/master/Dapplo.HttpExtensions.Tests/OAuth/OAuth2Tests.cs

Lakritzator Nov 18 '16 20:11

Looks like the Domoticz guy was using his personal Harmony API access (the one Logitech has said they have no plans to make public). I don't think that's going to be viable.

Anyone cracked open Wireshark or another proxy tool to sniff the packets and see what the Harmony device itself does now?

i8beef Nov 18 '16 20:11

Hmmm, just let me come back to the "security" issue, it should be possible to detect all Logitech hubs in the network. Then connect to all of them, and scan for anything to do with home automation.. Fun!! :)

About Wireshark, I don't feel like spending much time on it... I develop Greenshot and have much to do, this project just bothered me the way it was implemented and I wanted to have a go at writing a simple Windows client for quickly doing stuff... This might still happen, something with hotkeys, a simple (but efficient) UI controlling whatever you want from Windows...

Win + H (as in H-armony), or Win + R (R-emote) already is hooked by Windows 10 :(

Hmmm, Win + C (C-ontrol) might work... this will open a small controller UI and also respond to media keys like pause, stop, next prev etc. controlling the Harmony hub.

Lakritzator Nov 18 '16 20:11

I was going to do a Wireshark capture, but now it's working so I feel like being a slug...

bwssytems Nov 18 '16 20:11

Haha, that was pretty much my response word for word. Besides, maybe Logitech just messed up and this is going to come back. I'll wait it out a week or two. Cheers guys.

i8beef Nov 18 '16 20:11

@bwssytems What do you mean with "but now it's working"? The authentication works again like it did?

Lakritzator Nov 18 '16 20:11

"Now we have a workaround" was how I read that.

i8beef Nov 18 '16 21:11

It confused me... :)

Lakritzator Nov 18 '16 21:11

Yes, the workaround.... I'm being a slug in clarity in writing as well....

bwssytems Nov 18 '16 21:11

Nice move from Logitech, they probably realized they don't want people the world over querying their servers for no purpose. Security is provided by your network, that's just fine by me.

Slion Nov 21 '16 07:11

At least it was a simple fix.

bwssytems Nov 21 '16 14:11

From what I'm seeing I don't even need to do the pairing step. I can just talk to the hub. Could anyone confirm? That makes me wonder if auth was ever needed. I did not run any firmware update for the hub lately, did Logitech push an update? Can they do that?

Slion Nov 21 '16 19:11