jbferg Posted February 16, 2014 Posted February 16, 2014 EDITED: FEB 17, 2014: Confirmed that you can also use the Authorization header in place of clear text username and password in the path as indicated below. This provides for much better security. I spent considerable time trying to locate the API for INSTEON-branded wireless cameras (Part # 75790 from SmartHome) so that I could build event triggers with the ISY. A number of other posters describe similar tasks with other cameras such as Panasonic. After some trial and error using developer views of browser sessions with one of my cameras I discovered that the camera is actually manufactured by ReeCam in China. Sure enough, these guys have a wiki site (http://wiki.reecam.cn/CGI/Overview?setlang=en) that provides a great deal of information on the CGI API. If, like me, you have any interest in creating a program to activate motion detection, email alerts, etc... this is valuable information. Full disclosure, I'm not a developer, but know just enough to navigate the basics of a GET/POST string on a web browser. That was essentially all I needed to create a working networking resource in the ISY that could respond to program conditions. The only way I was able to get this to work successfully was to use a POST command but include the full string in the path vs. in the Body of the resource editor. This included the username and password to my camera in the string which is certainly not ideal from a security standpoint. The screenshot below gives you some idea of what I mean. Hope this is of help to someone else....
Michel Kohanim Posted February 17, 2014 Posted February 17, 2014 jfberg, Just wanted to thank you for sharing this. With kind regards, Michel
WyoKirkT Posted May 10, 2014 Posted May 10, 2014 I am new to the Network Module and this type of programming. I found the screen capture to be very helpful to program my Insteon IP Cameras to set the alarm on and alarm off functions. It works perfectly with the clear text username and password in the path statement. As stated in the previous post, I would like to do this more securely using the Authorization Header. Is there anything special you need to do the clear text username and password in the path statement to use the Authorization Header? I have tried both replacing the username and password with x's and taking out the user and pwd fields from the path statement entirely. In both cases I got a 401 error codes. Keeping the clear text username and password in the path statement with the authorization header seems counter intuitive. Hope someone can help me. Thanks.
Michel Kohanim Posted May 11, 2014 Posted May 11, 2014 Hi WyoKirkT, I do not think so since userid/password is embedded in the query_string part of the URL (i.e. x=y&z=w&...). With kind regards, Michel
MolsonB Posted June 30, 2014 Posted June 30, 2014 I can't seem to get the Authorization header to work? The user=xxx&pwd=xxx works. Still use http POST? Any other changes from the older screenshot? I can't see why it doesn't work when adding the Authorization header.
PurdueGuy Posted June 30, 2014 Posted June 30, 2014 I can't seem to get the Authorization header to work? The user=xxx&pwd=xxx works. Still use http POST? Any other changes from the older screenshot? I can't see why it doesn't work when adding the Authorization header. Are you using new firmware? It might require encrypted passwords, that ISY doesn't have.
MolsonB Posted June 30, 2014 Posted June 30, 2014 I was on 4.0.5 and upgraded to 4.2.5. I have the same Insteon camera (firmware 11.37.2.56) which is the latest I believe. It does report fixing up a security hole from previous versions. Attached is my screen shot, I've tried both the 'get' and 'post' just to confirm.
PurdueGuy Posted June 30, 2014 Posted June 30, 2014 Sorry, I meant newer camera firmware. The newer camera firmware requires encrypted passwords.
MolsonB Posted July 1, 2014 Posted July 1, 2014 Ah ok, gotcha. I'll stick to the user & pwd then. Thanks.
Recommended Posts