[Feature request] HTTP basic auth on WEB UI
Hi,
Again, thank you for this project!
One bad point is that I'm really uncomfortable having the WEB UI exposed without an authentication system. Anybody on the same network can take control of the device and, even worse, update the firmware.
I think adding HTTP basic auth will resolve this and should be "easy" to implement.
Unfortunately I'm not comfortable at all with this project (I just flashed 2 devices for now and I'm a total beginner with BK7231x chips) so making a PR is not an option for now :(
Would somebody be able to add this feature?
Best, Adrien
This would make a lot of sense and make for a good feature addition. Another valuable addition I thought of would be to have the option to disable the HTTP API. In my case, I'd happily switch this off for most devices since it's all running over MQTT.
I will put it on my TODO list. NOT exclusively. Any help is welcome. Still enough TODO with stability and MQTT transfer rates. Cyber security is a very important feature.
- Disable WEB UI by startup command or limit WEB UI to selected IP.
- HTTP BASIC AUTH is not safe enough, the password is still sent as plain text; maybe a plug-in to do the HASH in script would help.
- Maybe SSL for MQTT. I have some experience with ESP32 devices in this matter.
EDIT: IP limit for the developer to bypass AUTH; I do not want to be forced to enter a password when debugging. Maybe also MAC filtering.
Yea, this is a good idea, but not a super top priority. One thing to note would be that we also have a raw TCP command server running (if enabled), and that also would require some security.
When reading these ideas, things that came to mind:
- setting a flag during boot that needs to be cleared after successful booting first before the HTTP API / Server is stopped or minimized.
- retaining basic REST API functionality for retrieving status of certain things - handy for a backup solution when HAss or other software loses track due to MQTT issues that can arise
- Password security can be done using simple classic Pub/priv key auth with comparison to a pub key locally (client). Security concerns about cracking this should be handled at the network level first -- unauthorized users shouldn't have access to your network to begin with.
@openshwprojects @valeklubomir I have implemented Digest authentication and am testing it more. I will create a push request at some point to optionally enable it for additional testing.
@iprak did you make any progress with this? I'm keen for this feature as well, especially since the wifi password is shown in clear-text in the log.
I did some work but it only provided some limited coverage for the embedded webApp.
The WiFi password is not the only unsecure aspect. MQTT credentials are exposed. APIs can be invoked without any intervention.
The firmware is mostly suitable for controlled networks. One path I have taken is to put them on a secondary network, so that they cannot be accessed freely. You will however need to route the various ports through the firewall.
I can try to reinstate my attempt at some point.
Till then, you can move the devices to a guest network with mqtt port
+1 for this. would love to have it.
+1
PR in progress: #996