Using POST in the REST plugin

kherron
Posts: 646
Joined: Mon Dec 05, 2011 10:44 am
Location: Jacksonville, Fl.

Using POST in the REST plugin

#1 Post by kherron » Sun Dec 03, 2017 12:47 pm

I am currently working on developing an Amazon Alexa Skill that will allow communications with OSA using the REST API.

I am having very good success with the GET functions.
For example:
Q. Alexa, Ask OSA the State of Living room Lights?
A: The Living Room Lights are Off.
or
Q. Alexa, Ask OSA if Dawn is Home?
A: Dawn is currently Here.
However, I am not able to get any of the POST commands to work???
For example:

http://localhost:8732/api/object/Back%20Porch/On?param1=&param2=
When I try this I get:
Method not allowed. Please see the service help page for constructing valid requests to the service.
Any ideas on what would cause this? I have opened port 8732 in my firewall.

mattw
Posts: 11
Joined: Wed Aug 31, 2016 8:56 pm
Location: UK

Re: Using POST in the REST plugin

#2 Post by mattw » Thu Dec 07, 2017 3:01 pm

I also had the same problem while trying to run an OSA method from another system using REST. Never had the time to investigate in any great depth, so not going to be much help other than to say you're not the only one.

The mobile interface works no problem, which I believe also uses REST, so I just assumed it was me doing something wrong.


Re: Using POST in the REST plugin

#3 Post by kherron » Sun Dec 10, 2017 7:55 am

Mattw,

Thank you for your reply.
I have solved my issue. (It was in my AWS function).

I now have a "WORKING" skill for the Alexa Echo that can communicate with my OSA server via the REST plugin! :D
"Yes" I know it's not very secure right now, as I had to open the REST port on my router and port forward to my OSA server.
However, for the time being, it works, and I can update security measures after we decide how we are going to secure the REST plugin.

So far, I have created 5 Intents that are working.

1) GetOSAObjectStateIntent - This will retrieve an object's state and have Alexa tell you. "What is the state of Kitchen?". "I have found that the Kitchen is Occupied."
2) GetOSAObjectPropertyIntent - This will retrieve an Object Property value and have Alexa tell you. "What is the Temperature of Thermostat?". "Thermostat Temperature value is 72."
3) SetOSAObjectPropertyIntent - This will set an object's property value. "Set Off Timer of Kitchen to 10." "I have set the Kitchen's Off Timer to 10."
4) RunOSAObjectMethodIntent - This will execute an Object method. (NO PARAMS) "Turn Front Porch to Off." "I have completed Off for the Front Porch."
5) RunOSAObjectMethodParamsIntent - This will execute an Object's method with Params. "Run Cool setpoint on Thermostat with value 78." "I have completed Cool Setpoint for the Thermostat to 78."

I will continue to test and improve the Utterances and commands, but my main objective was to at least get something to work!

I do NOT plan to publish this on the Alexa site, as it is not secure. However, I am willing to export it to a package, so anyone else that is interested can upload it to their AWS account and use it on their amazon echo devices. (I will add it to my GitHub - KHerron)
This skill uses a config.json file that holds the address and port to communicate back to your router.
This must be done in the AWS Lambda console by each user.
This way that information is not being sent out. (a little more secure)

Anyhow, that's my update on this for now.
Welcome for any input or conversations....

Thanks again!

Vaughn
Site Admin
Posts: 1432
Joined: Thu May 13, 2010 2:17 pm

Re: Using POST in the REST plugin

#4 Post by Vaughn » Thu Dec 14, 2017 5:27 am

Awesome, I was scared to even try this. The REST security will have to become a top priority in the next release so we can include this!


Vaughn


Re: Using POST in the REST plugin

#5 Post by kherron » Thu Dec 14, 2017 6:43 am

It was a little scary at first for me too.
But after getting my Dot, and logging in to the AWS console, I started to understand the structure.

However, it is a complicated process, much like creating an android app, there are a LOT of steps.
Also, learning more about Lambda code, Amazon Skill ASK and using Node.js.

That is all for the coding side, then there is the Skill that includes the Events, Intents, Utterances, Slots and Synonyms.
Which by the way, I got working yesterday. Now I can say "Run Channel Up on Bravia" or I can say "Run Channel up on Flat Screen".

Anyhow, there is also another side of this we can do too!
Alexa also has an API that can be accessed from 3rd party software.
So, I think we should also create an Alexa plugin for OSA that would allow OSA to invoke intents on the echo.
For example, for notifications. Alexa could notify changes in state or property values, or announce that a method or script is being run.

So, once I am fairly comfortable with my Skill, I will then start on a plugin.


Re: Using POST in the REST plugin

#6 Post by kherron » Sun Dec 17, 2017 11:02 am

I have been looking into ways we can secure the REST plugin.

I have found that there are several ways we can do it.
There is OAuth1A, OAuth2, HTTPS or API Keys.

Out of these, the easiest to implement would be the API Key.
The REST plugin would have a method added that would generate an API key for each user (Person) in the database.
Then this key would be used as authentication when accessing or using the REST service.
It would then look up the matching user, and apply their trust levels and security settings.

Also, we could make it where, to generate a new key, you would simply delete the key in the User's properties, then re-run the REST GenerateAPIKey method again.

If this sounds worth pursuing, let me know and I can start playing around with it.
As my Alexa is using the REST API, I can test access using it also.


Re: Using POST in the REST plugin

#7 Post by Vaughn » Mon Dec 18, 2017 11:56 am

As long as you don't pass the api key in the URL.

I read several security guides that had so many things to watch out for in addition to just adding authentication like that. But when it came to code to implement any of it, it was a little intimidating for me and not the type of stuff I really want to work on. So if you want to add anything, it would be very welcome and very productive towards OSA being publicly usable. I will make sure I understand anything you add in case I have to work on it in the future, but this would still save me a lot of stress and time.

The same happened to me when looking at just adding SSL to the web site. I get lost as I just don't have much web experience. I will eventually force myself to learn these things, but my brain can put off things I don't enjoy working on for a very long time and it has been hurting the project over the past few years.

Keep me posted and thanks,


vaughn


Re: Using POST in the REST plugin

#8 Post by kherron » Mon Dec 18, 2017 1:16 pm

OK, I will see what I can do on my end for this.

We will have to send something in the URL or in the Headers for authentication.....
So, it looks like whatever we do, it has to be encrypted.

I did read somewhere where someone used an API key + a secret word + the date.
Then you Base64 encode it all together.
For example:

Base64Encode("1G3h45Y6mn7BC92K" + user.password + Now());
Then the REST plugin can decode this string and verify the 3 components.
Use the secret to look up the user.
And the API key would change automatically every day.

Otherwise it looks like we have to somehow use HTTPS so we can encrypt the whole payload and then send Username:Password as needed.


Re: Using POST in the REST plugin

#9 Post by kherron » Fri Dec 22, 2017 11:07 am

OK...
Here I am again. :D

I have been looking into this as I feel as Vaughn does, that some type of security needs to be implemented into the REST.API plugin.

With so many ways to complete this, we have to keep in mind that whatever we put in place on the server side has to be able to be implemented on the client side.
For example, any application that uses the rest plugin to communicate with OSA will have to be revised to implement the new security.
This would mainly include, but not be limited to: The Web UI Screens page and the mobile app.

So first, I looked into what it would take to move the Rest.API over to HTTPS.
Even though the development side would not be that difficult, it would put a strain on the end user.
As they would have to know how to create a "Self Signed" certificate and know where and how to implement it on the rest port of the OSA server computer.

So now, I'm looking at encrypting the data manually using an API Key and a SALT vector that is only known by the user and the server.
The Rest plugin would have a new property that holds a 64 character Randomly generated API key.
There is also a 16 character randomly generated "Salt" vector.

So, from the Client side, (Web UI Screens page, Mobile App or my Alexa skill), before sending a REST command, the app would have to know 4 things.
1) The Rest API Key
2) The Salt Vector
3) The User name.
4) The User password.

First, the password is encrypted using the API key and the Salt vector.
Then the username is added to the end of the string:
KRIJqfnv18xfqcBs1cuNj=:username
Then, the whole string is encrypted again using the API key and the Salt vector.

Then the resulting string is added to the end of the REST API URL.
For example: http://192.168.xxx.xxx:8732/api/kitchen ... 5iTmmwGzs=

So now the Rest API Decrypts the last item using the same API Key and the same salt vector.
From here the Rest API now knows the User name, and can look up the person object by name.
Then, it can decrypt the password and see if it matches the object.

One big issue we must consider by doing any of this is:
You will no longer be able to run a REST request just using a browser, as the encryption would require coding.

Thoughts....


Re: Using POST in the REST plugin

#10 Post by kherron » Sun Dec 24, 2017 8:23 am

UPDATE:

I have finished the coding in the Rest API to implement my security changes.
I am currently adding the required code to my Alexa skill and the WebUi Screens, so I can use them to test.

I have also decided to add a DateTime value to the Authentication key, and plan to narrow it down to a 2-3 minute window.
Basically, this means that the authentication key would only be valid for a 2-3 minute time frame before it changes.
This also means that any device or application accessing OSA using REST would have to have the correct Date and Time that matches the OSA server.

This is why I am thinking 2-3 minutes. This would allow for a little time difference in devices, but not a very long time.
Also, if someone was able to intercept your API Authentication Key, it would no longer be valid after 3 minutes.

I also have added a method to the REST plugin that will allow users to request a current valid Authentication key.
This will be sent to the Logs page only. However, users can use this to test any rest commands from a browser.
They will just have to do it again after 3 minutes to get a new key.

Not getting any responses, so I'm guessing everyone is on board so far!

Merry Christmas, hope everyone has a GREAT holiday!
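
Added example (not part of the thread, and not code from OSA or from the poster's skill): one common way to get the properties discussed in posts #7 to #10, with credentials kept out of the URL and a request that stops verifying after the 3-minute window. It swaps the Base64 and encrypt-twice tokens for an HMAC-SHA256 tag over method, path and timestamp; the header names, the key store, the user name and all function names are assumptions made for illustration.

```javascript
// Added example (Node.js). Header names, key store and function names are hypothetical, not OSA's API.
const crypto = require('crypto');
const MAX_SKEW_MS = 3 * 60 * 1000; // the 3-minute window proposed in the thread

// Constructed sample key store: user name -> per-user API key (server side).
const API_KEYS = new Map([['kitchen-tablet', crypto.randomBytes(32)]]);

// The tag covers method, path and timestamp, so it is bound to one command and one moment.
function sign(key, method, path, timestampMs) {
  return crypto.createHmac('sha256', key)
    .update(`${method}\n${path}\n${timestampMs}`)
    .digest('base64');
}

// Client side: credentials travel in headers, never in the URL.
function buildHeaders(user, key, method, path, nowMs = Date.now()) {
  return {
    'x-osa-user': user,
    'x-osa-timestamp': String(nowMs),
    'x-osa-signature': sign(key, method, path, nowMs),
  };
}

// Server side: returns the authenticated user name, or null.
function verify(method, path, headers, nowMs = Date.now()) {
  const key = API_KEYS.get(headers['x-osa-user']);
  const ts = Number(headers['x-osa-timestamp']);
  if (!key || !Number.isFinite(ts)) return null;
  if (Math.abs(nowMs - ts) > MAX_SKEW_MS) return null; // stale or clock drift
  const expected = Buffer.from(sign(key, method, path, ts), 'base64');
  const given = Buffer.from(String(headers['x-osa-signature'] || ''), 'base64');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? headers['x-osa-user'] : null;
}

function demo() {
  const key = API_KEYS.get('kitchen-tablet');
  const path = '/api/object/Back%20Porch/On';
  const t0 = 1514102400000; // constructed timestamp
  const h = buildHeaders('kitchen-tablet', key, 'POST', path, t0);
  return {
    fresh: verify('POST', path, h, t0 + 60000),
    stale: verify('POST', path, h, t0 + 4 * 60000),
    otherPath: verify('POST', '/api/object/Front%20Porch/Off', h, t0),
  };
}
console.log(demo());
```

The tag authenticates the request but does not hide it; confidentiality of the payload still depends on HTTPS.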
