HTTP API for Scene access / error logging

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 12 Dec 2018 13:01

Hi there,

I finally got some proper developer feedback from 2N, I'll just paste the reply here


I have some conclusion for you.

As you can see in the image below, the left side shows communication between a 2N IP intercom and a 2N IP intercom, so one is the server and the second is the client.

When an HTTP command is sent, the server side tells the client side which authentication methods will be used, in a header showing those methods, and the client side chooses the more secure one.

When we take a look at the right side of the image, it shows communication with your server, which however does not reply with a header offering authentication methods. In such a case the IP intercom will again choose to use the more secure one.

So in conclusion, if your server sends in the header that it wants to use the basic method, the IP intercom will use it.

It is possible that when a web browser receives such a reply from your server it will just try basic first, so it works for you; however, our devices are designed to use the more secure way of communication if the server does not respond properly.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field of the form "Authorization: Basic <credentials>", where credentials is the base64 encoding of id and password joined by a colon.

It is specified in RFC 7617 from 2015, which obsoletes RFC 2617 from 1999.

So we are using Basic according to this RFC and we are expecting to receive a header with the authentication methods available.

So it seems that Z-Way needs to "simply" ask for basic authentication and we're done here (or implement Digest authentication as well).

Can I request this as a feature update? :-)

Thanks and best regards,
rws
Attachments
Proper_auth.png

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 22 Jan 2019 19:41

Any of the developers care to comment on this? It's a real bugger that I can't integrate my doorbell into z-way :-/

Regards,
rws

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 19 Mar 2019 16:33

Would someone be willing to add the proper reply to ask for basic authentication? This is currently really a blocking point for me.

Best regards,
rws

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 16 Apr 2019 23:06

Hi there,

since I haven't heard from any developer I had the impression that I was on my own. Not nice, but as a developer myself I had to find a workaround, daily business.

Forcing the entrycom to plain-text send a user:password wasn't possible, and getting ZWay to reply in an RFC-compliant way proved a tad more difficult than my spare time would allow.
Bildschirmfoto vom 2019-04-16 21-46-16.png
ZWay doesn't reply with a www-authenticate header hence we need to work around this.

So I went for the dirty hack. I set up a python webserver on my razberry (meaning, I started the "researched and distilled from the internet"-script below) that receives proper http-get requests from the entrycom and then relays them in an improper way to ZWay.

Code:

#!/usr/bin/env python3
# Relay: accepts GET requests from the entrycom on port 8080 and forwards
# them to Z-Way on localhost using Basic credentials (ported to Python 3).
import socketserver
import subprocess
from http.server import BaseHTTPRequestHandler

# Request path sent by the entrycom -> Z-Way scene device to switch on
SCENES = {
    '/motiondetected': 'LightScene_165',
    '/noisedetected': 'LightScene_166',
    '/doorbellrung': 'LightScene_167',
    '/carddetected': 'LightScene_168',
}
ZWAY_URL = 'http://127.0.0.1:8083/ZAutomation/api/v1/devices/%s/command/on'

class MyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        scene = SCENES.get(self.path)
        if scene:
            # Same curl call as before, passed as an argument list (no shell)
            subprocess.call(['curl', '-u', 'user:passwd', '-v', ZWAY_URL % scene])
        else:
            print(self.path)
        self.send_response(200)
        self.end_headers()  # terminate the header block so the client gets a complete response

httpd = socketserver.TCPServer(("", 8080), MyHandler)
httpd.serve_forever()

The Python script receives the properly authenticated GET Request with an encrypted password and then relays the call in an unsecure fashion via localhost/127.0.0.1 to ZWay. Due to the relay being done via 127.0.0.1 no unencrypted password can be sampled on the physical network and yet I can use the entrycom events in my automation solution.

All this shouldn't be necessary, but not having the events in Zway was no alternative. And I wanted to help out those that ran/run into the same problems.

Now I can start preparing for the next Halloween Event. Triggering MQTT Actors is the final piece that is still missing, then I am good to roll/scare.

Best Regards,
rws
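
The challenge/response exchange this thread revolves around, as an added example that is not part of the original post and not Z-Way or 2N code: a server that answers an unauthenticated request with 401 plus a `WWW-Authenticate: Basic` header, and a client that retries with credentials. The user name, password, realm and the `check_basic` / `demo_exchange` helpers are constructed for illustration.

```python
import base64, hmac, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "entrycom", "constructed-secret"  # constructed sample credentials
REALM = "relay"                                    # assumed realm name

def check_basic(header, user=USER, password=PASSWORD):
    """Return True if an Authorization header carries the expected Basic credentials."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return False
    expected = ("%s:%s" % (user, password)).encode()
    return hmac.compare_digest(supplied, expected)  # constant-time comparison

class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if check_basic(self.headers.get("Authorization")):
            self.send_response(200)
        else:
            # The header the thread found missing: tell the client which scheme to use.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demonstration quiet
        pass

def demo_exchange():
    """Run both sides on loopback: a bare request, then a retry with credentials."""
    token = base64.b64encode(("%s:%s" % (USER, PASSWORD)).encode()).decode()
    results = []
    with HTTPServer(("127.0.0.1", 0), ChallengeHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        for headers in ({}, {"Authorization": "Basic " + token}):
            conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("GET", "/doorbellrung", headers=headers)
            resp = conn.getresponse()
            results.append((resp.status, resp.getheader("WWW-Authenticate")))
            conn.close()
        server.shutdown()
    return results

if __name__ == "__main__":
    print(demo_exchange())
```

Basic credentials are only base64-encoded, so outside of loopback this exchange belongs behind TLS.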

PoltoS
Posts: 4722
Joined: 26 Jan 2011 19:36

Re: HTTP API for Scene access / error logging

Post by PoltoS » 19 Apr 2019 22:37

Indeed, there is a missing header.

Please try this fix: https://github.com/Z-Wave-Me/home-autom ... 86a5801f2f

Thank you for this report

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 19 Apr 2019 22:48

Hi PoltoS,

thanks for the reply and the fix. Will try it as soon as I am back at home, left for vacation today.

Btw, I accidentally posted the authentication-free python script I set up for my first try. Will add the one with proper authentication once I return.

Best regards,
rws

ridewithstyle
Posts: 72
Joined: 02 Jan 2016 01:20

Re: HTTP API for Scene access / error logging

Post by ridewithstyle » 05 May 2019 19:00

Hi PoltoS,

I added the fix and now the access works as expected. A little side effect, though, is that if you navigate to ZWay:8083/smarthome you are presented with a user/password window by your browser. Looks like the Webhandler doesn't differentiate between accesses for the administration page and api accesses. Works for me, but I presume that will be irritating for other users.

Thanks for putting in effort for my seemingly very little used feature.

Best Regards,
rws

PoltoS
Posts: 4722
Joined: 26 Jan 2011 19:36

Re: HTTP API for Scene access / error logging

Post by PoltoS » 09 May 2019 16:20

We have fixed it a bit more.

https://github.com/Z-Wave-Me/home-autom ... 8f2929ae99

Maybe there are some more API calls where we need to suppress the Authorization header
