Local Admin API Authentication rejects valid tokens
- [x] I confirm that this is an issue rather than a question.
Bug report
Currently, it appears we can use Admin API calls over JSON RPC/HTTP requests only if we disable "Local Admin API Authentication". Enabling it results in rejected calls with "No Authorization", even if we supply a valid token.
Steps to reproduce
- Enable "Local Admin API Authentication" in the UI (http://<hyperion-ip>:8090/#conf_network)
- Submit an Admin API request, e.g.
  ```sh
  curl -X POST 'http://<hyperion-ip>:8090/json-rpc' \
    -H 'Authorization: token <valid-token>' \
    -H 'Content-Type: application/json' \
    -d '{
      "command": "config",
      "subcommand": "getconfig"
    }'
  ```
  which results in
  ```json
  {
    "command": "config",
    "error": "No Authorization",
    "success": false,
    "tan": 0
  }
  ```
- Disable "Local Admin API Authentication"
- Restart the service, e.g.:
  ```sh
  sudo systemctl restart [email protected]
  ```
- Submit the same request (with or without the token) and it succeeds.
What is expected?
When "Local Admin API Authentication" is enabled, Admin API calls should:
- Reject calls without a token
- Succeed if the token is valid.
What is actually happening?
When "Local Admin API Authentication" is enabled, the Admin API rejects all requests, regardless of whether a token is present and regardless of whether the request comes over the local network (or even from localhost).
The current behavior seems to be hard-coded to set Admin auth state at the start of the service: https://github.com/hyperion-project/hyperion.ng/blob/a4d98fd916e17f1a3834c43ba220d7838313d711/libsrc/api/API.cpp#L86
System
Hyperion Server:
- Build: (HEAD detached at 83338dc3) (Paulchen Panther-ca50487e/83338dc3-1605733041)
- Build time: Nov 18 2020 21:34:12
- Git Remote: https://github.com/hyperion-project/hyperion.ng
- Version: 2.0.0-alpha.9
- UI Lang: auto (BrowserLang: en-US)
- UI Access: expert
- Avail Capt: dispmanx,v4l2,framebuffer,qt
- Database: read/write
Hyperion Server OS:
- Distribution: Raspbian GNU/Linux 10 (buster)
- Architecture: arm
- CPU Model: ARMv7 Processor rev 4 (v7l)
- CPU Type: Raspberry Pi 3 Model B Plus Rev 1.3
- CPU Revision: a020d3
- CPU Hardware: BCM2835
- Kernel: linux (5.10.17-v7+ (WS: 32))
- Qt Version: 5.7.1
- Python Version: 3.5.3
- Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Hi,
same problem here.
`JsonAPI::handleConfigCommand` checks for `_adminAuthorized`, but `_adminAuthorized` isn't set in `API::isTokenAuthorized()`. So maybe a simple fix is to set `_adminAuthorized = _authorized;` at the end of `API::isTokenAuthorized()`.
wbr
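To make the diagnosis in the comment above checkable, here is an added C++ model of the auth-state handling; it is not hyperion.ng code. The member and method names (`_authorized`, `_adminAuthorized`, `isTokenAuthorized`, `handleConfigCommand`) follow the report, while the token store and the `getConfig` wrapper are stand-ins. With `applyFix` off it reproduces the reported rejection of a valid token; with it on, it shows the behaviour listed under "What is expected?".

```cpp
// Simplified model (not hyperion.ng code) of the admin-auth state handling
// described in this issue. Names follow the report; everything else is a stand-in.
#include <set>
#include <string>

struct ApiResult {
    bool success;
    std::string error;   // "No Authorization" on rejection, as in the report
};

class AdminApiModel {
public:
    // localAdminAuth: the "Local Admin API Authentication" setting.
    // applyFix: whether isTokenAuthorized() also updates _adminAuthorized,
    // as proposed in the comment above.
    AdminApiModel(bool localAdminAuth, bool applyFix)
        : _applyFix(applyFix),
          _authorized(!localAdminAuth),       // auth state fixed at service start
          _adminAuthorized(!localAdminAuth) {}

    // Constructed stand-in for the token database.
    bool isTokenAuthorized(const std::string& token) {
        static const std::set<std::string> validTokens = {"valid-token"};
        _authorized = validTokens.count(token) > 0;
        if (_applyFix)
            _adminAuthorized = _authorized;   // the proposed one-line fix
        return _authorized;
    }

    // handleConfigCommand checks _adminAuthorized, not _authorized.
    ApiResult handleConfigCommand() const {
        if (!_adminAuthorized)
            return {false, "No Authorization"};
        return {true, ""};
    }

private:
    bool _applyFix;
    bool _authorized;
    bool _adminAuthorized;
};

// Full request path: optional Authorization header, then the config command.
ApiResult getConfig(bool localAdminAuth, bool applyFix, const std::string& token) {
    AdminApiModel api(localAdminAuth, applyFix);
    if (!token.empty())
        api.isTokenAuthorized(token);
    return api.handleConfigCommand();
}
```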