Having trouble with http and basic auth
-
I'm trying to move a Vera scene over to MSR and having trouble getting the authentication to work. The use case is to send http commands to a Dahua camera twice a day to change its mode.
In Vera it works by simply using the username and password in the URL. e.g. luup.inet.wget("user:password@IPaddress/configManager.cgi?action=..." , 5)
This format didn't work from a reactor http call, resulting in a 401 error. I tried moving the username and password to the http request headers section (Authentication: Basic base64encoded-user:password) and still am getting a 401 response.
I have another rule that is successfully using basic authentication and the formats look the same, so I'm not sure what is different about this one. I logged into the camera and changed the logon method from digest to basic (although it was working for the Vera requests when it was set to digest).
This is the last thing that is running from my Vera. Before I try to implement this in Node-Red, does anyone have any suggestions for other things I could try in MSR to get it to work?
-
@alan_f said in Having trouble with http and basic auth:
This format didn't work from a reactor http call, resulting in a 401 error. I tried moving the username and password to the http request headers section (Authentication: Basic base64encoded-user:password) and still am getting a 401 response.
Please show us exactly what you did here.
Also, did you look at the logs to see what the request was finally sending?
-
I took the UserName and Password, used a base 64 encoder and input "UserName:Password" into the encoder. I took the output of the encoder ("ABCDEFGXXX") and entered (no quotes) "Authentication: Basic ABCDEFGXXX" into the http headers field. I have another http request in another rule that hits an API to control my thermostat and it works correctly using exactly the same process.
The logs don't appear to make any reference to the http header:
[latest-21297]2021-11-01T22:21:55.816Z Engine:INFO Set PTZ Camera to Day Mode rule<SET> all actions completed.
[latest-21297]2021-11-01T22:21:55.845Z Engine:ERR Engine#1 reaction Set PTZ Camera to Day Mode rule<SET> step 3 HTTP request to http://xxx.xxx.xxx.xxx/cgi-bin/ptz.cgi?action=start&channel=0&code=GotoPreset&arg1=0&arg2=18&arg3=0 failed: 401 Unauthorized
[latest-21297]2021-11-01T22:21:55.854Z Engine:ERR Engine#1 reaction Set PTZ Camera to Day Mode rule<SET> step 1 HTTP request to http://xxx.xxx.xxx.xxx/cgi-bin/configManager.cgi?action=setConfig&VideoInMode[0].Config[0]=0 failed: 401 Unauthorized
Prior to attempting to use the http header field I had tried the below format, with the username and password in front of the URL:
[latest-21297]2021-11-01T12:58:08.125Z Engine:ERR Engine#1 reaction Set PTZ Camera to Night Mode rule<SET> step 3 HTTP request to http://UserName:Password@xxx.xxx.xxx.xxx/cgi-bin/configManager.cgi?action=setConfig&VideoInExposure[0][1].Value1=1000&VideoInExposure[0][1].Value2=1000 failed: 401 Unauthorized
I did get this working in Node-Red using digest authentication in a http-request node, so it probably isn't worth too much of everyone's time to track it down. I would prefer to have it in MSR because it is so much more user-friendly for me, but I can leave it in Node-Red if I can't figure out how to do it in MSR.
@toggledbits - Long overdue additional donation on its way. Thanks for all your efforts and the end-user support.
-
@alan_f said in Having trouble with http and basic auth:
I took the UserName and Password, used a base 64 encoder and input "UserName:Password" into the encoder. I took the output of the encoder ("ABCDEFGXXX") and entered (no quotes) "Authentication: Basic ABCDEFGXXX" into the http headers field. I have another http request in another rule that hits an API to control my thermostat and it works correctly using exactly the same process.
And can you detail that exactly, please? If you used a command line tool, for example, with an echo statement, then you would likely have a newline added to the byte string and that would spoil the encoding. If you used a web encoder, that also may accidentally encode a newline depending on how you pasted the data, and there are a few that give incorrect results, especially if any Unicode characters are involved in the password.
You can do this directly in the Headers of your request:
Authorization: Basic ${{urlencode(username + ':' + password)}}
Now, you go on to say that you got it working with Digest authentication on NR. Many sites do not allow HTTP Basic auth any more, and require you to use Digest. When you include a header like that above, you are specifically sending Basic, not Digest, and the target site may not be allowing it. Likewise, when you place the username and password in the URL, that's Basic, not Digest. So I suspect your site only allows Digest. I can add separate username and password fields to the HTTP Request action so that Reactor can more fully negotiate the authentication on the request.
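The newline pitfall described above can be checked offline. This is an added example, not code from the thread or from Reactor: it builds a Basic credential from exact UTF-8 bytes and diagnoses a hand-built header line. The function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii

def basic_header(username, password):
    """Build the header line from exact UTF-8 bytes, with no trailing newline."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Authorization: Basic " + base64.b64encode(raw).decode("ascii")

def diagnose(header_line):
    """Return a list of problems found in a hand-built Basic auth header line."""
    problems = []
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        problems.append(f"header name is {name.strip()!r}, not 'Authorization'")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        problems.append(f"scheme is {scheme!r}, not 'Basic'")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        problems.append("token is not valid base64")
        return problems
    if raw.endswith((b"\n", b"\r")):
        problems.append("decoded credentials end with a newline")
    if b":" not in raw:
        problems.append("decoded credentials have no ':' separator")
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("decoded credentials are not UTF-8")
    return problems

# Constructed sample values, not credentials from the thread.
GOOD = basic_header("UserName", "Password")
# Same bytes a shell pipeline like `echo "UserName:Password" | base64` encodes:
# echo appends "\n", so the server sees a password ending in a newline.
WITH_NEWLINE = "Authorization: Basic " + base64.b64encode(b"UserName:Password\n").decode("ascii")

if __name__ == "__main__":
    for line in (GOOD, WITH_NEWLINE):
        print(line, "->", diagnose(line) or "ok")
```

Base64 is an encoding, not encryption: over plain http://, as in the log lines above, a Basic credential can be decoded by anyone who can observe the request.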
-
Still 401 unauthorized using
Authorization: Basic ${{urlencode('username' + ':' + 'password')}}
(I added single quotes around username and password because it couldn't evaluate it without them)
I just tried it using basic auth in NR and it failed with 401, so the issue appears to be that the camera won't accept basic authentication. There is a setting to allow it, but it doesn't seem to make a difference when I change it.
When I was calling the command from the Vera luup it was using the http://username;password@IP?command syntax. I was sure that meant that it was using basic authentication all along. I don't understand enough about the different authentication methods to know whether it was really doing digest authentication based off of that URL format.
So while I'm good for now with using NR, it would be useful to figure out how to handle digest authentication for http requests in MSR. Is it just a matter of setting the right headers or does it require enhancements to MSR itself?
(The thread title should probably be "Having trouble with http and digest auth")
-
Still 401 unauthorized using
That's expected. The server wants digest auth.
@alan_f said in Having trouble with http and basic auth:
When I was calling the command from the Vera luup it was using the http://username;password@IP?command syntax. I was sure that meant that it was using basic authentication all along.
No, wget was helping you. The initial request went with Basic authentication, and the server rejected it with a 401 asking for Digest, so wget took the username and password from the URL and used it for digest authentication. That behavior is easy to confirm using one of the many digest echo-back/test sites available:
wget https://anybody:anywhere@httpbin.org/digest-auth/auth/anybody/anywhere
If you run this on a Linux command line, you'll see wget get a 401 and re-ask with digest:
pi@rpi4-1:~/Documents/MSR $ wget https://anybody:anywhere@httpbin.org/digest-auth/auth/anybody/anywhere
--2021-11-02 13:46:06-- https://anybody:*password*@httpbin.org/digest-auth/auth/anybody/anywhere
Resolving httpbin.org (httpbin.org)... 34.192.79.103, 18.232.227.86, 54.156.165.4, ...
Connecting to httpbin.org (httpbin.org)|34.192.79.103|:443... connected.
HTTP request sent, awaiting response... 401 UNAUTHORIZED
Authentication selected: Digest realm="me@kennethreitz.com", nonce="901f9613ed31b5946d70e2c9c48e5b55", qop="auth", opaque="0e8c62a78c3b807801aed4341e958d57", algorithm=MD5, stale=FALSE
Reusing existing connection to httpbin.org:443.
HTTP request sent, awaiting response... 200 OK
Length: 50 [application/json]
Saving to: ‘anywhere’
anywhere 100%[=================================================================>] 50 --.-KB/s in 0s
2021-11-02 13:46:06 (28.3 MB/s) - ‘anywhere’ saved [50/50]
Authorization: Basic ${{urlencode('username' + ':' + 'password')}}
(I added single quotes around username and password because it couldn't evaluate it without them)
Strings always have to be quoted. I gave the structure as variables. If you're hard-coding them you can just do "username:password" as a single string with no concatenation (no + operators).
-
T toggledbits locked this topic on
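The retry that wget performs after the 401 can be reproduced by hand. This added example (not code from the thread or from Reactor) parses the Digest challenge shown in the wget output and computes the RFC 2617 response for algorithm=MD5 with qop=auth; the function names and the cnonce value are assumptions made for illustration.

```python
import hashlib
import re

def parse_challenge(www_authenticate):
    """Split a 'Digest k="v", k=v' challenge into a dict of parameters."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: " + scheme)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(method, uri, username, password, chal, cnonce, nc=1):
    """RFC 2617 response value for algorithm=MD5 with qop=auth."""
    if chal.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    if "auth" not in chal.get("qop", "").split(","):
        raise ValueError("only qop=auth is handled here")
    ha1 = _md5(f"{username}:{chal['realm']}:{password}")  # who, in which realm
    ha2 = _md5(f"{method}:{uri}")                         # what is requested
    # The server nonce and client nonce/counter bind the hash to this request.
    return _md5(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")

def authorization_header(method, uri, username, password, chal, cnonce, nc=1):
    """Build the Authorization value sent on the retry after the 401."""
    resp = digest_response(method, uri, username, password, chal, cnonce, nc)
    fields = [f'username="{username}"', f'realm="{chal["realm"]}"',
              f'nonce="{chal["nonce"]}"', f'uri="{uri}"', "algorithm=MD5",
              "qop=auth", f"nc={nc:08x}", f'cnonce="{cnonce}"',
              f'response="{resp}"']
    if "opaque" in chal:
        fields.append(f'opaque="{chal["opaque"]}"')  # echoed back unchanged
    return "Digest " + ", ".join(fields)

# Challenge text as it appears in the wget output above.
CHALLENGE = ('Digest realm="me@kennethreitz.com", '
             'nonce="901f9613ed31b5946d70e2c9c48e5b55", qop="auth", '
             'opaque="0e8c62a78c3b807801aed4341e958d57", algorithm=MD5, stale=FALSE')

if __name__ == "__main__":
    chal = parse_challenge(CHALLENGE)
    # cnonce is a constructed sample; a real client generates a random one.
    print(authorization_header("GET", "/digest-auth/auth/anybody/anywhere",
                               "anybody", "anywhere", chal, cnonce="0a4f113b"))
```

The password never appears in the retry, only a hash bound to the server's nonce, which is why a static header cannot satisfy a Digest-only server: the nonce is not known until the 401 arrives.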