FHEM commands by curl no longer working.

Started by andyclimb, 13 March 2017, 09:45:14


andyclimb

My commands that I used to issue using curl are no longer working since I updated to the latest version last week. I get HTTP 400... Even getting a jsonList does not work.


➜  ~ curl -vvv http://192.168.1.25:8083/fhem\?cmd\=jsonlist2\&XHR\=1
*   Trying 192.168.1.25...
* TCP_NODELAY set
* Connected to 192.168.1.25 (192.168.1.25) port 8083 (#0)
> GET /fhem?cmd=jsonlist2&XHR=1 HTTP/1.1
> Host: 192.168.1.25:8083
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Content-Length: 0
< X-FHEM-csrfToken: csrf_388773353881229
< Content-Type: text/html; charset=UTF-8
<
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.1.25 left intact


these do not work either


curl http://192.168.1.25:8083/fhem?cmd=set%20mqtt_stereo%20on > /dev/null
curl http://192.168.1.25:8083/fhem?cmd=set%20spdifremote%20itunes > /dev/null


any ideas?
AM

nesges

"csrfToken" is your cue. I use the following shell script (edit HOST and PORT):

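#!/bin/bash
# Usage: pass the FHEM command as arguments; edit HOST and PORT first.
CMD="$*"
HOST=wopr
PORT=8083
# Fetch the current token from the X-FHEM-csrfToken response header.
TOKEN=$(curl -s -D - "http://$HOST:$PORT/fhem&XHR=1" | awk '/X-FHEM-csrfToken/{print $2}')
URL="http://$HOST:$PORT/fhem?XHR=1&fwcsrf=$TOKEN"
# The header value ends in a carriage return; strip it from the end of the URL.
URL=${URL%$'\r'}
DATA="cmd=$CMD"

# -G appends the URL-encoded cmd parameter to the GET query string.
curl -s -G "$URL" --data-urlencode "$DATA"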

andyclimb

OK.  that was it. 
set it to none.  job done. 

thank you.
AM

andyclimb

So the CSRFTOKEN is not working quite as expected.  I can set it to blank when it has not been defined as an attribute before, in which case my URLs that I use to control FHEM work as they used to.  However, if I restart then the CSRFTOKEN is set to 1 and everything stops working.  I have to delete the attr, then set it back to none for everything to start working again.  Seems a bit counterintuitive / a pain.  Is this expected behaviour?

Am I missing something or has controlling fhem by web links and curl commands just got a lot more difficult?
AM

rudolfkoenig

I don't know what you mean with "I can set it to blank", csrfToken can take the attributes described in the commandref.
Default is random, so not everybody is using the same token. You can change it to a fixed value which is probably just as good as random.

With none you have a security hole if you are visiting this FHEMWEB instance with your web-browser.

andyclimb

I understand that there is a security risk with it being disabled, but that is what I would like at the moment.  As it stands I have everything from scripts on various rpi's to HA_bridge for control via alexa, and this update has just stopped everything from working in one update.

I can run a separate WEB instance, on a different port with this enabled for my general browsing.

The point is that if I set it to none, which is what I would like in this instance, at least as a temporary fix for me to learn how to change everything, it goes back to a value 1 on reboot.
AM

rudolfkoenig

Quote: if I set it to none [...] it goes back to a value 1 on reboot.
Sorry, with none I mean the 4 characters n,o,n and e as in
attr WEB csrfToken none
I just clarified the documentation.
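
As an added example (not code from this thread or from FHEM itself): a small audit that reads fhem.cfg-style text and reports, for each FHEMWEB instance, whether csrfToken is random, fixed, or disabled with none, without printing any token value. It assumes the `define <name> FHEMWEB <port>` line format and, following the post above, treats a missing attribute as the random default; the sample config and its instance names are constructed.

```sh
#!/bin/sh
# Added example: report the csrfToken setting of every FHEMWEB instance.

audit_csrf() {
    # Reads config text on stdin, prints "<name> <port> <status>" per instance.
    # Returns 1 if any instance has csrfToken set to the literal string none.
    awk '
        $1 == "define" && $3 == "FHEMWEB" { port[$2] = $4; order[++n] = $2 }
        $1 == "attr"   && $3 == "csrfToken" { tok[$2] = $4 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in tok) || tok[name] == "random") status = "random"
                else if (tok[name] == "none") { status = "DISABLED"; bad = 1 }
                else status = "fixed"   # token value is deliberately not printed
                print name, port[name], status
            }
            exit bad
        }'
}

# Constructed sample config (assumption, not taken from the thread).
sample_config() {
cat <<'EOF'
define WEB FHEMWEB 8083 global
attr WEB csrfToken none
define WEBphone FHEMWEB 8084 global
define WEBapi FHEMWEB 8088 global
attr WEBapi csrfToken myFixedToken
EOF
}

sample_config | audit_csrf || echo "at least one FHEMWEB instance accepts commands without a token"
```

To check a real installation, feed the function the actual config file, for example `audit_csrf < fhem.cfg`.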

andyclimb

ah.  that did not work before. but it does now.  thanks
AM

andyclimb

Thanks for the help guys.  @nesges your script works a treat.  I now have everything working with the token!
AM

andyclimb

If anyone is interested.  Here is a script to watch an xbmc listener and send fhem commands based on it.  Also shows how to extract the card token and send valid request.  Took me a while to work out that require makes the case lower for headers...

var Xbmc = require('xbmc-listener');
var request = require('request');

var xbmc = new Xbmc({
    host: '192.168.1.138',
    username: 'xxxxx',
    password: 'xxxxx'
});


var host = "192.168.1.25";
var port = "8083";
var baseurl = 'http://' + host + ':' + port + "/fhem&XHR=1";

// FHEM commands to send whenever playback starts.
var cmdlist = [
    "set spdifremote tv",
    "set mqtt_stereo on",
    "set mqtt_tv on"
];

xbmc.connect();

xbmc.on('play', function(data) {

    // The first request only fetches the current CSRF token from the response headers.
    request(baseurl, function(err, response, body) {
        if (err || !response) {
            console.error("Could not reach FHEM: " + err);
            return;
        }
        // Header names are lower-cased in response.headers.
        var token = response.headers['x-fhem-csrftoken'];
        //console.log("TOKEN = " + token);
        var url = baseurl + "&fwcsrf=" + token;

        // Send each command with the token attached.
        cmdlist.forEach(function(c) {
            var cmd = url + "&cmd=" + encodeURIComponent(c);
            request(cmd);
            //console.log(cmd);
        });
    });
});
AM