Using POST in the REST plugin

Vaughn
Site Admin
Posts: 1432
Joined: Thu May 13, 2010 2:17 pm

Re: Using POST in the REST plugin

#11 Post by Vaughn » Sun Jan 07, 2018 10:04 am

This is great! And with the problems I am having I am sure I will be making plenty of builds and testing cycles, so if you get it to a committable point, it can go in 049.

Do you think Google is about the same as Alexa as far as building skills goes?


Vaughn

kherron
Posts: 646
Joined: Mon Dec 05, 2011 10:44 am
Location: Jacksonville, Fl.

Re: Using POST in the REST plugin

#12 Post by kherron » Sun Jan 07, 2018 3:47 pm

Vaughn wrote: Do you think Google is about the same as Alexa as far as building skills goes?

I do not have a Google Home device, but I have briefly looked at their API and development methods.
And even though they seem to be similar in areas, they are also much different in other areas.
For example, Amazon calls them "Skills" where Google calls them "Actions". However, they both use "Intents" to determine what to do?

I have heard that the Google development console has more power and capabilities than Amazon's, but I have found that Amazon has updated their API GUI, and it is much cleaner and easier to use. I'm not sure what background language Google uses, but Amazon's Lambda with JavaScript was fairly easy to learn. Also, Amazon has some time behind them and has developed a more stable platform, but I'm sure Google has the finances to catch up quickly. Now they have the Apple version coming out too. However, I have heard that they do not plan to release an API for quite a while. So you will be stuck with only cloud-based compatible devices. (Rest, Nest, and so on...)


Re: Using POST in the REST plugin

#13 Post by kherron » Sun Jan 07, 2018 4:28 pm

UPDATE #2

I posted this on Github, but thought I should also share it here

I have now made the AuthKey required on ALL the REST requests. (POST and GET)
This will prevent anyone with a low Trust Level from being able to GET any information they shouldn't.
So NOW, both POST and GET requests will require an AuthKey to be sent with the request.
By going to the REST help page, you will see the new URL requirements.
For example: http://localhost:8732/api/help
I will also (as time permits) start updating the REST Wiki pages with this new information.

Also, I have finished implementing the new REST security to the Web UI Screens.
Every time the Screen page refreshes, (5 sec) there is a new Authentication key generated.
The Generation is done "Server Side" to make it harder to decode what and how it is being encrypted.

I also just finished adding the new Rest Security to the Mobile Web UI tonight.
Had to make some changes there to implement the new security, so I will be testing with my phone for the next few days.

All of the new Security code is now in its OWN class: OSAESecurity
This will help referencing the exact same code from multiple places, and will reduce double coding.
It will also help developers implement the new security into new plugins, devices and applications.

I have looked into the Screens Application, as I thought the REST plugin was used here too.
But I can NOT find any references where the REST API is used.
Unless I'm missing something somewhere else :?:

Also, I am willing to look at the Android app, as I believe it uses the REST plugin too, but I'll be honest, I don't know that kind of coding.

Not sure what else uses the REST plugin, so if anyone knows of another plugin or application that is using the REST plugin to talk to OSA, please let me know and I can see what is needed to upgrade to the new security.


Re: Using POST in the REST plugin

#14 Post by kherron » Sun Jan 07, 2018 5:06 pm

UPDATE #3

I thought I would go ahead and throw this information out there also.

The REST plugin object now has 2 new Properties added:
1) APIKEY. This is the Rest Plugin API Key. This property is used by remote clients and devices to encrypt and decrypt user information for authentication. This can be any 32 character string. The rest plugin will automatically generate this when the plugin first runs. This is a required property, so to renew the Key, simply change the property to a blank string (Space-bar), and run the new Rest Method: GenerateApiKey and a new key will be randomly generated.

2) APITimeOut. Enter the number of seconds the Rest plugin will allow a Time-Stamp of any received Authentication Key to be valid. Default is 60 (1 minute). The new security requires the Authentication Key to contain a current Time-Stamp that is formatted in a special way, and is then included with the user information, then encrypted. This Time-Stamp must fall within this number of seconds of the server's current time. To explain this further, let's take the default of 60 shown above. When the REST plugin receives a request, it gets the server's current date and Time. It then takes 1/2 (Half) of the above setting, and creates a before and after window. Our example would be: 30 seconds before and 30 seconds after the server's current time. So the Time-Stamp included in the Authentication key must fall between the Before and End times to be accepted. Otherwise it is considered outdated and rejected. This allows us to set this as low as possible to increase the security as new keys will be required. Depending on Lag and/or turnaround time, you may have to play with this setting to get it to work smoothly. I have tested with it set as low as 24, and did not have any issues. Also, for testing, this could be set to 7200, which will set a 2 hour window so developers can test or use a browser without having to generate a new key.

The System object will also have a new property added:
1) SecurityKey. This is the System Security Key. This property is used by remote clients and devices to encrypt and decrypt user information for authentication. This can be any 16 character string. The rest plugin will automatically generate this when the plugin first runs. This is a required property, so to renew the Key, simply change the property to a blank string (Space-bar), and run the new Rest Method: GenerateSecurityKey and a new key will be randomly generated.

More to come!!
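
The APITimeOut window described in post #14, sketched as an added example that is not part of the original post and is not OSA's own code. It goes one step beyond the post by also remembering keys already accepted inside the window, which assumes each Authentication Key is meant for a single request; the class and function names are hypothetical, and the timestamp is assumed to be already recovered from the decrypted key.

```python
import hashlib
from datetime import datetime, timedelta, timezone


class AuthKeyFreshness:
    """APITimeOut-style window check plus a replay cache (the cache is an addition)."""

    def __init__(self, api_timeout_seconds=60):
        # Half of the setting before and half after the server's current time.
        self.half = timedelta(seconds=api_timeout_seconds / 2)
        self._seen = {}  # key fingerprint -> moment its timestamp leaves the window

    def check(self, raw_key: bytes, key_time: datetime, now: datetime) -> str:
        # key_time is assumed to be the timestamp already recovered from the
        # decrypted key; how OSA formats and encrypts it is not modelled here.
        if not (now - self.half <= key_time <= now + self.half):
            return "rejected: outdated"
        # Forget fingerprints whose timestamp can no longer pass the window.
        self._seen = {fp: exp for fp, exp in self._seen.items() if exp >= now}
        fp = hashlib.sha256(raw_key).hexdigest()
        if fp in self._seen:
            return "rejected: replay"
        self._seen[fp] = key_time + self.half
        return "accepted"


def demo():
    now = datetime(2018, 1, 7, 17, 0, 0, tzinfo=timezone.utc)  # constructed clock
    gate = AuthKeyFreshness(60)
    return [
        # 29 s behind the server: inside the 30 s half-window.
        gate.check(b"key-A", now - timedelta(seconds=29), now),
        # Client clock 31 s ahead: outside the window.
        gate.check(b"key-B", now + timedelta(seconds=31), now),
        # Same key presented again one second later, still inside the window.
        gate.check(b"key-A", now - timedelta(seconds=29), now + timedelta(seconds=1)),
    ]


if __name__ == "__main__":
    print(demo())
```

With the 7200 testing value the same key stays inside the window for up to two hours, so the cache has to hold entries that long.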


Re: Using POST in the REST plugin

#15 Post by Vaughn » Mon Jan 08, 2018 2:40 pm

Screens does not use REST, anything that has access to the OSA API just accesses the database directly. Most of what the full WEB UI uses should be OSA API calls also, just the Mobile version of it uses REST.


Vaughn


Re: Using POST in the REST plugin

#16 Post by Vaughn » Mon Jan 08, 2018 2:45 pm

On the new properties and stuff, if you export from the WebUI and copy me the OSA API calls for those changes, I will add them to the upgrade SQL script and apply them to the shipping DB.


Vaughn


Re: Using POST in the REST plugin

#17 Post by kherron » Thu Jan 11, 2018 8:17 am

Vaughn wrote: Screens does not use REST, anything that has access to the OSA API just accesses the database directly. Most of what the full WEB UI uses should be OSA API calls also, just the Mobile version of it uses REST.

And of course the Web UI Screens... OK Cool!

The Mobile side gave me a run for my money, but I think I've got it licked!
Unlike the Web UI Screens, there is NO update panel on the Mobile UI. So I had to take a different approach, to generate the Authentication keys.

Also, during this I have found an issue with the Sessions, as if you are already logged in on a computer, then try to login with the same User name on a Phone, there is a Session error shown in the Web Server log. I don't see any error on the screen, but there is definitely something going on here. So I am in the process of adding the User button to the Mobile UI, so we can log off and clear out session variables and such.

I will also look into Issue #290 & #232 while I'm in there.

Vaughn wrote: On the new properties and stuff, if you export from the WebUI and copy me the OSA API calls for those changes, I will add them to the upgrade SQL script and apply them to the shipping DB.

No problem. I will send you those as an attachment to your email!

Also, one other thing. Issue #363. At one point I had this working, but with all the commits, I think something has been left out. Or it may only be my setup, but can you look in the DB and see if this got removed or not added? On my setup, I can only clear individual logs, if I do it on "ALL" it does not work.

Can you verify if you have the same issue?


Re: Using POST in the REST plugin

#18 Post by Vaughn » Tue Jan 16, 2018 3:31 am

kherron wrote:
Also, one other thing. Issue #363. At one point I had this working, but with all the commits, I think something has been left out. Or it may only be my setup, but can you look in the DB and see if this got removed or not added? On my setup, I can only clear individual logs, if I do it on "ALL" it does not work.

Can you verify if you have the same issue?
I never used or saw this feature, but it makes some sense to me, so I will check the code you posted in #363 git thread and make sure it is working. Now that the forum issue is fixed, I already feel better, I get depressed so easy, so I will try to tackle some work today and tomorrow..


Vaughn


Re: Using POST in the REST plugin

#19 Post by kherron » Sun Jan 28, 2018 7:21 am

kherron wrote: Also, during this I have found an issue with the Sessions

I have figured this out.

The issue was in the MasterPage.
Since we have a mobile site as well as a standard site, we have 2 "MasterPages".
However, we are using the same default (Login screen) for both sites.

When a user logs in, there is an authentication cookie created and sent to the browser.
The "Timeout" is set during the creation of the cookie.
However, every time we visit a new page, the master page was trying to reset the timeout to start over.
So, as long as there was activity, a user would never be logged off.

This cannot be done in the MasterPage with our type of setup.
So, I have moved the "SetTimeOut()" function to each page's "OnLoad()".
This still renews your login timeout when you visit a new page, but no longer creates Session errors!

Will be included in my next commit! :D


Re: Using POST in the REST plugin

#20 Post by Vaughn » Mon Jan 29, 2018 10:39 am

What were the symptoms of the routine being in Masterpages? Just so I know what to look for in testing.

Vaughn
