Jump to content

Password free REST API access for my remote.htm?

bTwix

By bTwix
in ISY994

Recommended Posts

  • 1 month later...
  • 4 months later...
bTwix Newbie

bTwix

Posted
  • Author
Posted

Thanks, Michel.

 

For authentication/authorization, an anonymous access feature by resource would be ideal:

- /programs

- /user/web

- /vars

- /elk

- ...

 

Since we have a secure network, if they have physical access to an Ethernet jack they also have physical access to the light switches, TV remote, etc.

 

I appreciate that not all users may want anonymous access, but it definitely simplifies ease of use and wife approval factor.

Link to comment
Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hi bTwix,

 

Thanks so very much for the suggestion and feedback. This has been on our requirement list for a VERY long time. The reason is that every time we try to implement it, we face much deeper security challenges.

 

As far as the wife factor, most http clients support Basic Authentication. Is it difficult to hardcode ISY's userid/password in your client? i.e. I am just delegating the security hole back to your client :)

 

With kind regards,

Michel

Link to comment
bTwix Newbie

bTwix

Posted
  • Author
Posted
Hi bTwix,

 

Thanks so very much for the suggestion and feedback. This has been on our requirement list for a VERY long time. The reason is that every time we try to implement it, we face much deeper security challenges.

 

As far as the wife factor, most http clients support Basic Authentication. Is it difficult to hardcode ISY's userid/password in your client? i.e. I am just delegating the security hole back to your client :)

 

With kind regards,

Michel

 

>> Is it difficult to hardcode ISY's userid/password in your client?

No, that's fine. The issue is that I want the ISY web module to *host* the client web page (remote.htm), so if ISY is up I can control the house via remote.htm, even if my home server is offline or gone (future). However since /user/web doesn't support anonymous access, I have to type in the ISY user/pass every time to access remote.htm if hosted with the ISY web module in /user/web.

 

Can you add a checkbox to enable anonymous access to /user/web, so I can host my remote.htm using the ISY web module? I'll hardcode the user/pass in remote.htm for the other REST calls.

Link to comment
MWareman Advanced

MWareman

Posted
Posted

Maybe a per-folder 'Allow Anonymous Access' attribute that can be set - in case we don't want to allow the full /user/web to be accessible? Default it to 'Off' on each folder (so there are no nasty security surprises for anyone).

 

So, for example, I could write log files to /user/web/logs, and authentication would be needed, but an 'index.html' could be served without authentication from /user/web

 

Just my $0.02. I'd make much better use of the user web space on the ISY with this feature.

Link to comment
Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hi Michael,

 

This is precisely why every time we try to add anonymous, it immediately becomes a huge requirement to revamp authorization in ISY. Adding a simply boolean at /USER/WEB is easy. Adding a password file for each directory requires investigation of what we ultimately want to do.

 

With kind regards,

Michel

Link to comment
bTwix Newbie

bTwix

Posted
  • Author
Posted

>> Adding a simply boolean at /USER/WEB is easy. Adding a password file for each directory requires investigation of what we ultimately want to do.

Agree. I'd prefer to keep it simple to start (vs. getting nothing). Per directory security would be nice to have, but not required for 80% of the value.

 

>> Default it to 'Off'

Agree.

Link to comment
MWareman Advanced

MWareman

Posted
Posted

How about a simple variation on .htaccess..... If there is a .anon file in the directory that the file being requested is in, allow anonymous access. Otherwise, require authentication. It's then up to us to create the .anon file if we choose to allow anonymous to that folder and all files within.

 

Should be easy to implement, and shouldn't break anything (since default would be to require auth).

 

Gives more than 80% I think. And does not need a full revamp.

 

Now, password-less access to the REST interface I agree is a bit more challenging.

I would think the ISY could store one or more 'authorization' strings - and if one of the strings is supplied as a REST parameter, authentication is bypassed. Simple enough..

A bit like API tokens are generated and used by NotifyMyAndroid, Prowl and Pushover (all do this exact thing). ISY is easier because its a single user system.

Link to comment
Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hi Michael,

 

ISY is not Linux based so whatever we do is going to be from scratch. .password and .anon are basically the same (or reverse of each other) and something we are definitely considering.

 

Again the simplest path forward is to make /USER/WEB directory either protected or not protected.

 

With kind regards,

Michel

Link to comment
  • 1 month later...
ticklemeozmo Newbie

ticklemeozmo

Posted
Posted

An API Key in the URL over SSL is hardly "unrestricted".

 

I'm pretty sure that: 

//192.168.1.100/rest/nodes/12345/key/772ac1a55fab1122f3b369ee9cd31549/cmd/dof

is much more secure than: 

//admin:admin@192.168.1.100/rest/nodes/12345/cmd/dof

My first guess on any basic authentication mechanism is going to be "admin:admin". It's going to take a while before you guess my api key. Even unencrypted, the api key still gives me a fighting chance over basic authentication.

 

With multiple API Keys, I can revoke certain devices. Rather than having to change my password on my other n-1 devices because a password leaked.

 

Respectfully.

Link to comment
Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hi ticklemeozmo,

 

You are 100% correct and I am not disputing that API keys are more secure. This said, currently we do not have that framework and it'll require much development and major regression testing.

 

At the moment, we do recommend:

a) Changing the certificate

B) Accessing ISY using HTTPS when outside (even inside)

c) Change your password

 

With kind regards,

Michel

Link to comment
giesen Experienced

giesen

Posted
Posted

Michel,

 

While we're discussing authentication, would it be possible to implement HTTP Digest authentication (RFC 2617 - http://tools.ietf.org/html/rfc2617) instead of HTTP Basic Authentication? SSL is just too unacceptably slow (takes about 5-10 seconds to turn off a light switch from eKeypad vs almost instantaneous using plain HTTP) but I'd like to have more protection of my password than plain HTTP Basic Authentication provides (that is, none). Is this a possibility?

Link to comment
Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hi giesen,

 

Yes we can but even that requires development.

 

I am concerned that SSL is taking too long. It should NOT if the client (i.e. eKeypad) uses session resume. It should only take 10 second on the initial connection. The rest should be just a little longer than http (still less than a second).

 

With kind regards,

Michel

Link to comment

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing

    • No registered users viewing this page.

  • Who's Online (See full list)

    • There are no registered users currently online

  • Forum Statistics

    • Total Topics
      36.9k
    • Total Posts
      370.3k
×
×
  • Create New...