Option to toggle oauth for websocket possible?


#1

I use the endpoint http://localhost:25005/dbquery?table=command&getKeys as a simple way to get all custom commands and make my own web-accessible list of commands (loonygeekfun.com/commands/), but now that the websocket API needs authorisation, that is not possible.

I’d rather not have to write a script to request and then parse a JSON response when all I need is the JSON string to create the table HTML.

Is it possible to not require an authorisation key, given that the only person who has access to localhost is me? Is there a toggle?


#2

The REST interface has always required the oauth, that isn’t new to this release.

You can update the endpoint to include &webauth=webauth to authenticate if that is easier than setting headers.

Not sure I would make this a feature either. I could envision someone thinking it is too difficult to send the webauth in a header or as a parameter, disabling it on a VPS, and then allowing writes to their database. Or opening up their web port from their local PC to allow people to help admin their bot, and leaving the DB open for writes that way as well.

I get making it easier, but I also don’t want to make it too easy to expose a write operation to the DB.


#3

I didn’t realise that I could add webauth= to the URL, but even so, I am still getting access denied instead of the JSON data as before.

I never had to use the webauth parameter before. In the case above, I am using the key for webauth in botlogin.txt.


#4

Try removing the webauth string from your botlogin and restart the bot. The bot will generate a new one which should work after.


#5

% curl 'localhost:27005/dbquery?table=command&getKeys'
{"error":"access denied"}

[Nyx] /opt/iobot
% curl 'localhost:27005/dbquery?table=command&getKeys&webauth=f0v3ZkKVGt2FgyfL7wtmTkYSRKbwqR'
{"table":{"table_name":"command","keylist":[{"key":"2"},{"key":"Hello"},{"key":"age"},{"key":"asjdifjsdafk;sjdfkjdskfawefijafjiajfiiej"},{"key":"banana"},{"key":"chill"},{"key":"destiny"},{"key":"followage"},{"key":"frogyou"},{"key":"game"},{"key":"hash"},{"key":"hellothere"},{"key":"hithere"},{"key":"insult"},{"key":"lb"},{"key":"nasty"},{"key":"playtime"},{"key":"ptsadd"},{"key":"temp"},{"key":"test2"},{"key":"testapi"},{"key":"testchar"},{"key":"testt"},{"key":"testtags"},{"key":"testurl"},{"key":"testurl2"},{"key":"this"},{"key":"title"},{"key":"touser"},{"key":"tst"},{"key":"uptime"},{"key":"weather"},{"key":"yourmom"}]}}

So, I decided to go back in time:

illusion% git checkout v2.0.6
Previous HEAD position was c29741f… Merge pull request #151 from scania123/master
HEAD is now at 14c245a… Merge pull request #213 from scania123/master

  /* Query List:
   *
   * table=tableName&getKeys       - Get list of keys.
   * table=tableName&getData=key   - Get a specific row of data.
   * table=tableName&tableExists   - Return if the table exists or not.
   * table=tableName&keyExists=key - Return if a key exists in a table or not.
   */
  private void handleDBQuery(String uriPath, String[] uriQueryList, HttpExchange exchange, Boolean hasPassword) {
      JSONStringer jsonObject = new JSONStringer();
      String[] keyValue;
      String   dbTable = null;
      Boolean  dbExists;

      if (!hasPassword) {
          jsonObject.object().key("error").value("access denied").endObject();
          sendHTMLError(403, jsonObject.toString(), exchange);
          return;
      }

I am perplexed as to when it was working without an authorization header or code; that has been there since I first wrote the class…

commit e4e047ce8cd33f3cd5da06ca1a5bbefd94e4efd3
Author: IllusionaryOne
Date: Thu Mar 10 14:36:07 2016 -0700

Support DB Queries with NEW HTTP Server
**NEWHTTPServer.java**
- Supports simple queries into the database via HTTP
- The header must include either "password: oauth_password" or "webauth: webauth_password"
- Query table exists: table=*tableName*&tableExists
    - Returns: { "table" : { "table_name": "tableName", "exists" : true } }
- Query table keys: table=*tableName*&getKeys
    - Returns: { "table" : { "table_name": "tableName", "keylist" : [ { "key" : "keyString" } ] } }
- Query if key exists: table=*tableName*&keyExists=*key*
    - Returns: { "table" : { "table_name": "tableName", "key" : "keyString", "keyExists": true } }
- Query key data: table=*tableName*&getData=*key*
    - Returns: { "table" : { "table_name": "tableName", "key" : "keyString", "value": "valueString" } }

Let me know what version you had where it didn’t require it; I’d like to double-check that there isn’t a security issue in place.

Thanks!

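The header-based request suggested in #2 and the response shape documented in #5, as an added example that is not part of this thread or of PhantomBot's own code: a script that reads the key from botlogin.txt, calls /dbquery with the key in the `webauth` header rather than as `&webauth=` in the URL (so it stays out of access logs, browser history and shared links), handles the `{"error":"access denied"}` case, and emits an HTML-escaped table for the public commands page. The bot address (http://localhost:25005), the `webauth=<key>` line format in botlogin.txt and the offline sample response are assumptions.

```python
"""Fetch PhantomBot's custom-command keys over the authenticated /dbquery
endpoint and render them as an escaped HTML table.

Added example for this thread, not PhantomBot's own code. Assumptions:
the bot listens on http://localhost:25005, botlogin.txt contains a line of
the form `webauth=<key>`, and /dbquery answers in the shape documented in
post #5: {"table": {"table_name": ..., "keylist": [{"key": ...}, ...]}}.
"""
import html
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:25005"  # assumed bot address

# Constructed offline sample: the first few entries of the reply shown in post #5.
SAMPLE_RESPONSE = json.dumps({
    "table": {
        "table_name": "command",
        "keylist": [{"key": "2"}, {"key": "Hello"}, {"key": "age"},
                    {"key": "banana"}, {"key": "uptime"}],
    }
})
SAMPLE_DENIED = '{"error":"access denied"}'  # reply when no valid key is sent


def read_webauth(botlogin_text):
    """Return the webauth key from botlogin.txt contents (assumed key=value lines).

    The key stays on the machine running this script; only the generated HTML
    is published, never the key or a URL carrying it.
    """
    for line in botlogin_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == "webauth" and value.strip():
            return value.strip()
    raise ValueError("no webauth= line found in botlogin.txt")


def build_request(webauth, table="command"):
    """GET /dbquery?table=<table>&getKeys with the key in the `webauth` header.

    urllib stores the header as "Webauth"; header names are case-insensitive
    on the wire. A header keeps the key out of URL logs and browser history.
    """
    url = "%s/dbquery?table=%s&getKeys" % (BASE_URL, urllib.parse.quote(table, safe=""))
    return urllib.request.Request(url, headers={"webauth": webauth})


def fetch_keys_body(webauth, table="command"):
    """Perform the request against a running bot and return the response body."""
    try:
        with urllib.request.urlopen(build_request(webauth, table), timeout=5) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # The bot answers 403 with {"error":"access denied"}; hand that body on.
        return err.read().decode("utf-8")


def parse_keys(body):
    """Extract the key names; raise PermissionError on an access-denied reply."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(data["error"])
    return [row["key"] for row in data["table"]["keylist"]]


def render_table(keys, table_name="command"):
    """Build the HTML table. Every key is HTML-escaped because command names are
    chat-supplied strings and the page is served to the public web."""
    rows = "\n".join("  <tr><td>%s</td></tr>" % html.escape(k) for k in keys)
    return "<table>\n  <caption>%s</caption>\n%s\n</table>" % (html.escape(table_name), rows)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "botlogin.txt"
    with open(path, encoding="utf-8") as fh:
        key = read_webauth(fh.read())
    print(render_table(parse_keys(fetch_keys_body(key))))
```

Run it on the bot host (`python3 commands_table.py /opt/phantombot/botlogin.txt > commands.html`, assumed paths) and publish only the resulting file; the key never leaves the host and never appears in a URL.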

#6

This worked right up until the latest nightly. I tried the webauth removal from botlogin.txt and it works with webauth as a parameter on the URL, thanks @ScaniaTV.

Here are screenshots @IllusionaryOne:

v2.3.6

latest nightly


#7

Can you try going in incognito mode with version 2.3.6 and see if you get access denied there while making a request to the API?


#8

Incognito mode shows the access denied message.

Perhaps minor panic over? :smiley:


#9

So, the reason why you can access the API in your browser is that Chrome is saving your panel password, which is sent in the header when you make the request. Once you switch to incognito mode the password is no longer there. Now, why this doesn’t work in version 2.3.7.1 is a good question; I would have to look at the recent code changes to find out.

