TileBoard icon indicating copy to clipboard operation
TileBoard copied to clipboard
verified publisher icon resoai

"Unauthorized" message with non-administrator user.

Open nnielzz opened this issue 5 years ago • 8 comments

Everytime I load Tileboard with my "normal" user (doesn't have administrator privileges), I get the "Unauthorized" error.

Now, I can still normally use everything I have on my Tileboard without issues. Also, I get the "Failed login attempt"-notification inside Home Assistant from time to time (might be due to a token expiration?).

Judging by the console, it looks like an API-related error. Unauthorized

nnielzz avatar May 09 '20 09:05 nnielzz

It looks like it's this API message that triggers it:

event_type: "tileboard"
id: 2
type: "subscribe_events"

So user doesn't have access to subscribe to "tileboard" events. It might be solvable on the HA side or maybe they are still fleshing out permission stuff. Maybe worth asking in their tracker.

rchl avatar May 10 '20 15:05 rchl

It looks like it's this API message that triggers it:

event_type: "tileboard"
id: 2
type: "subscribe_events"

So user doesn't have access to subscribe to "tileboard" events. It might be solvable on the HA side or maybe they are still fleshing out permission stuff. Maybe worth asking in their tracker.

Yup, you seem to be on point. I have forwarded this issue to the Home Assistant Dev Team.

A temporary solution for now is to either login with your "admin"-account or to add a long lasting token from your admin account.

Thanks for the help.

nnielzz avatar May 10 '20 19:05 nnielzz

Update:

I filed the issue on the Home Assistant GitHub, but they aren't helping me out (saying "TileBoard isn't supported with Home Assistant").

Seems like I'm back the square one. Can this issue please be fixed?

nnielzz avatar May 11 '20 08:05 nnielzz

I don't know internals of HA enough to see how this could be fixed.

It's not necessarily Tileboard specific issue though. The issue is that normal users have no permission to subscribe to custom events using subscribe_events message.

rchl avatar May 11 '20 09:05 rchl

Interesting, I've been wondering about this error.

If it is as @rchl describes, non-admin users can't subscribe to (custom?) events, then one of two things need two happen:

  1. HA needs to add a permission or ability for normal users to use subscriptions, and it needs to be documented on TB
  2. TB needs to work around HA's limitation by A. checking for permission or B. catching and handling the error.

While I think the response that TileBoard isn't supported is a bit weak, it may simply be the case that HA does not see the need for this subscription type, or even considers it a security feature.

grahamPegNetwork avatar Jul 01 '20 07:07 grahamPegNetwork

@nnielzz Can you link to the issue you've created?

(I might have replied there but don't remember anymore).

rchl avatar Jul 01 '20 08:07 rchl

@nnielzz Can you link to the issue you've created?

(I might have replied there but don't remember anymore).

Yup, as @grahamPegNetwork mentions, they consider it a vulnerability. Here's the link to the issue, though it's closed: https://github.com/home-assistant/core/issues/36122

nnielzz avatar Jul 01 '20 10:07 nnielzz

I've replied on that issue asking for clarification but then I agree with what was said there that this would be a security issue as custom events could carry some secret/personal information.

All TileBoard could do here is probably just stop complaining about that and document that using tileboard events is not supported for non-admin users.

Ideally, there would be something exposed in the HA API that would allow that. The way TileBoard uses those events is perfectly safe as those are its own events. It's not trying to snoop on something else.

rchl avatar Jul 01 '20 10:07 rchl