FHEM Forum

FHEM => English Corner => Topic started by: andyclimb on 13 March 2017, 09:45:14

Title: FHEM commands by curl no longer working.
Post by: andyclimb on 13 March 2017, 09:45:14
My commands that I used to issue using curl are no longer working since I updated to the latest version last week. I get HTTP 400.... even getting a jsonList does not work

➜  ~ curl -vvv\?cmd\=jsonlist2\&XHR\=1
*   Trying
* Connected to ( port 8083 (#0)
> GET /fhem?cmd=jsonlist2&XHR=1 HTTP/1.1
> Host:
> User-Agent: curl/7.51.0
> Accept: */*
< HTTP/1.1 400 Bad Request
< Content-Length: 0
< X-FHEM-csrfToken: csrf_388773353881229
< Content-Type: text/html; charset=UTF-8
* Curl_http_done: called premature == 0
* Connection #0 to host left intact

these do not work either

curl > /dev/null
curl > /dev/null

any ideas?
Title: Re: FHEM commands by curl no longer working.
Post by: nesges on 13 March 2017, 10:02:37
"csrfToken" is your cue. I use the following shell script (edit HOST and PORT):

TOKEN=`curl -s -D - "http://$HOST:$PORT/fhem&XHR=1" | awk '/X-FHEM-csrfToken/{print $2}'`

curl -s -G "$URL" --data-urlencode "$DATA"
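
An added example, not part of nesges's post or of FHEM itself: the two-step exchange from this thread as shell functions, reading the token from the X-FHEM-csrfToken response header and sending it back as the fwcsrf parameter (the parameter name used in the Node script later in the thread). The FHEM_HOST and FHEM_PORT variables, their defaults and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Host/port defaults are assumptions; override via environment.
FHEM_HOST="${FHEM_HOST:-127.0.0.1}"
FHEM_PORT="${FHEM_PORT:-8083}"

# Read an HTTP header dump on stdin and print the X-FHEM-csrfToken value.
# Header names are case-insensitive and header lines end in CRLF, so the
# name is compared in lower case and the carriage returns are stripped;
# otherwise the token would carry a trailing \r into the next request.
fhem_token_from_headers() {
    tr -d '\r' |
        awk -F': *' 'tolower($1) == "x-fhem-csrftoken" && !n++ { print $2 }'
}

# Ask the FHEMWEB instance for its current token (headers only, body dropped).
fhem_fetch_token() {
    curl -s -D - -o /dev/null "http://$FHEM_HOST:$FHEM_PORT/fhem?XHR=1" |
        fhem_token_from_headers
}

# Send one FHEM command with the token attached, e.g.:
#   fhem_cmd "set mqtt_tv on"
# -f turns an HTTP 400 (missing or stale token) into a non-zero exit status
# instead of a silent empty response; -G with --data-urlencode builds the
# query string and percent-encodes the command.
fhem_cmd() {
    token=$(fhem_fetch_token)
    if [ -z "$token" ]; then
        echo "fhem_cmd: no X-FHEM-csrfToken header received" >&2
        return 1
    fi
    curl -s -f -G "http://$FHEM_HOST:$FHEM_PORT/fhem" \
        --data-urlencode "XHR=1" \
        --data-urlencode "fwcsrf=$token" \
        --data-urlencode "cmd=$1"
}
```

With the default random csrfToken the value changes when FHEM restarts, so the token is fetched for every command rather than cached.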
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 13 March 2017, 10:31:49
OK.  that was it. 
set it to none.  job done. 

thank you.
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 15 March 2017, 12:27:58
So the CSRFTOKEN is not working quite as expected.  I can set it to blank when it has not been defined as an attribute before, in which case my URLs that I use to control FHEM work as they used to.  However, if I restart then the CSRFTOKEN is set to 1 and everything stops working.  I have to delete the attr, then set it back to none for everything to start working again.  Seems a bit counterintuitive / a pain.  Is this expected behaviour?

Am I missing something or has controlling fhem by web links and curl commands just got a lot more difficult?
Title: Re: FHEM commands by curl no longer working.
Post by: rudolfkoenig on 15 March 2017, 12:38:34
I don't know what you mean with "I can set it to blank", csrfToken can take the attributes described in the commandref.
Default is random, so not everybody is using the same token. You can change it to a fixed value which is probably just as good as random.

With none you have a security hole if you are visiting this FHEMWEB instance with your web-browser.
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 15 March 2017, 12:44:06
I understand that there is a security risk with it being disabled, but that is what I would like at the moment.  As it stands I have everything from scripts on various rpi's to HA_bridge for control via alexa, and this update has just stopped everything from working in one update.

I can run a separate WEB instance, on a different port with this enabled for my general browsing.

The point is that if I set it to none, which is what I would like in this instance, at least as a temporary fix for me to learn how to change everything, it goes back to a value 1 on reboot.
Title: Re: FHEM commands by curl no longer working.
Post by: rudolfkoenig on 15 March 2017, 13:00:13
Quote: if I set it to none [...] it goes back to a value 1 on reboot.
Sorry, with none I mean the 4 characters n,o,n and e as in
attr WEB csrfToken none
I just clarified the documentation.
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 15 March 2017, 16:38:29
ah.  that did not work before. but it does now.  thanks
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 17 March 2017, 14:27:57
Thanks for the help guys.  @nesges your script works a treat.  I now have everything working with the token!
Title: Re: FHEM commands by curl no longer working.
Post by: andyclimb on 18 March 2017, 16:49:45
If anyone is interested.  Here is a script to watch an xbmc listener and send fhem commands based on it.  Also shows how to extract the card token and send valid request.  Took me a while to work out that require makes the case lower for headers...

var Xbmc = require('xbmc-listener');
var request = require('request');

var xbmc = new Xbmc({
    host: '',
    username: 'xxxxx',
    password: 'xxxxx'
});

var host = "";
var port = "8083";
var baseurl = 'http://' + host + ':' + port + "/fhem&XHR=1";

var cmdlist = [
    "set spdifremote tv",
    "set mqtt_stereo on",
    "set mqtt_tv on"
];

xbmc.on('play', function(data) {

    request(baseurl, function(err, response, body) {
        var token = response.headers['x-fhem-csrftoken'];
        //console.log("TOKEN = " + token);
        var url = baseurl + "&fwcsrf=" + token;

        for (var i in cmdlist) {
            var cmd = url + "&cmd=" + encodeURIComponent(cmdlist[i]);