* New translations automation.properties (Italian)
* New translations restauth.properties (German)
* New translations restauth.properties (Italian)
* New translations addons.properties (Italian)
* New translations restauth.properties (Danish)
* New translations restauth.properties (Finnish)
* New translations restauth.properties (Hungarian)
* New translations restauth.properties (Polish)
* New translations addons.properties (Italian)
* New translations brokerConnectionInstance.properties (Italian)
* New translations i18n.properties (Italian)
* New translations inbox.properties (Italian)
* New translations marketplace.properties (German)
* New translations marketplace.properties (Hebrew)
* New translations marketplace.properties (Hungarian)
* New translations marketplace.properties (Italian)
* New translations restauth.properties (Italian)
* New translations tags.properties (Italian)
* New translations tags.properties (Polish)
* New translations validation.properties (Italian)
The issue occurs when expired entries are removed from the cache.
Also adds some unit tests in which the same issue could be reproduced.
Fixes#2528
Signed-off-by: Wouter Born <github@maindrain.net>
* New translations brokerConnectionInstance.properties (Russian)
* New translations DefaultSystemChannels.properties (Russian)
* New translations firmware.properties (Russian)
* New translations inbox.properties (Russian)
* New translations LanguageSupport.properties (Russian)
* New translations restauth.properties (Russian)
* New translations SystemProfiles.properties (Russian)
* New translations tags.properties (Russian)
* New translations voice.properties (Russian)
* New translations addons.properties (Czech)
* New translations audio.properties (Czech)
* New translations brokerConnectionInstance.properties (Czech)
* New translations chart.properties (Czech)
* New translations DefaultSystemChannels.properties (Czech)
* New translations ephemeris.properties (Czech)
* New translations hli.properties (Czech)
* New translations i18n.properties (Czech)
* New translations inbox.properties (Czech)
* New translations jsonStorage.properties (Czech)
* New translations lsp.properties (Czech)
* New translations marketplace.properties (Czech)
* New translations marketplace.properties (Dutch)
* New translations marketplace.properties (Ukrainian)
* New translations network.properties (Czech)
* New translations persistence.properties (Czech)
* New translations restauth.properties (Czech)
* New translations sitemap.properties (Czech)
* New translations SystemProfiles.properties (Czech)
* New translations tags.properties (Czech)
* New translations voice.properties (Czech)
Following the discussion in #2476, I believe the order and "advanced" status of config parameters in API Security (`system:restauth`) should be changed.
This promotes "Implicit User Role" to a non-advanced option (even if it can break some clients, it is clearly stated in the description), and demotes "Allow Basic Authentication" to an advanced option (API Tokens can be used to authenticate to the API as a better alternative to Basic).
Signed-off-by: Yannick Schaus <github@schaus.net>
* New translations tags.properties (German)
* New translations sitemap.properties (Ukrainian)
* New translations network.properties (Italian)
* New translations hli.properties (Greek)
* New translations lsp.properties (Greek)
* New translations validation.properties (Greek)
* New translations units.properties (Greek)
* New translations messages.properties (Greek)
* New translations firmware.properties (Greek)
* New translations i18n.properties (Greek)
* New translations jsonStorage.properties (Greek)
* New translations persistence.properties (Greek)
* New translations addons.properties (Greek)
* New translations restauth.properties (Greek)
* New translations ephemeris.properties (Greek)
* New translations inbox.properties (Greek)
* New translations audio.properties (Greek)
* New translations sitemap.properties (Greek)
* New translations tags.properties (Greek)
* New translations DefaultSystemChannels.properties (Greek)
* New translations chart.properties (Greek)
* New translations network.properties (Greek)
* New translations voice.properties (Greek)
* New translations brokerConnectionInstance.properties (Greek)
* New translations LanguageSupport.properties (Greek)
* New translations SystemProfiles.properties (Greek)
* New translations restauth.properties (Hebrew)
* New translations addons.properties (Hebrew)
* New translations jsonStorage.properties (Hebrew)
* New translations chart.properties (Hebrew)
* New translations DefaultSystemChannels.properties (Polish)
* New translations LanguageSupport.properties (Polish)
* New translations audio.properties (Polish)
* New translations voice.properties (Polish)
* New translations SystemProfiles.properties (Polish)
* New translations units.properties (Polish)
* New translations validation.properties (Polish)
* New translations validation.properties (Finnish)
* New translations messages.properties (Polish)
* New translations tags.properties (Polish)
* New translations firmware.properties (Polish)
* New translations chart.properties (Polish)
* New translations inbox.properties (Polish)
* New translations ephemeris.properties (Polish)
* New translations restauth.properties (Polish)
* New translations addons.properties (Polish)
* New translations persistence.properties (Polish)
* New translations jsonStorage.properties (Polish)
* New translations network.properties (Polish)
* New translations i18n.properties (Polish)
* New translations jsonStorage.properties (Finnish)
* New translations i18n.properties (Finnish)
* New translations network.properties (Finnish)
* New translations voice.properties (Dutch)
* New translations persistence.properties (Dutch)
* New translations addons.properties (Dutch)
* New translations restauth.properties (Dutch)
* New translations ephemeris.properties (Dutch)
* New translations inbox.properties (Dutch)
* New translations audio.properties (Dutch)
* New translations hli.properties (Dutch)
* New translations brokerConnectionInstance.properties (Dutch)
* New translations lsp.properties (Dutch)
* New translations jsonStorage.properties (Dutch)
* New translations chart.properties (Dutch)
* New translations i18n.properties (Dutch)
* New translations network.properties (Dutch)
* New translations DefaultSystemChannels.properties (Italian)
* New translations audio.properties (Ukrainian)
* New translations inbox.properties (Ukrainian)
* New translations restauth.properties (Ukrainian)
* New translations addons.properties (Ukrainian)
* New translations i18n.properties (Ukrainian)
* New translations network.properties (Ukrainian)
* New translations lsp.properties (Italian)
* New translations lsp.properties (German)
* New translations lsp.properties (Finnish)
* New translations lsp.properties (Hebrew)
* New translations hli.properties (German)
* New translations hli.properties (Finnish)
* New translations hli.properties (Hebrew)
* New translations hli.properties (Italian)
* New translations brokerConnectionInstance.properties (Italian)
* New translations brokerConnectionInstance.properties (Hebrew)
* New translations brokerConnectionInstance.properties (Finnish)
* New translations jsonStorage.properties (German)
* New translations jsonStorage.properties (Spanish)
* New translations network.properties (Spanish)
* New translations tags.properties (Italian)
* New translations voice.properties (Hebrew)
* New translations i18n.properties (Hebrew)
* New translations network.properties (Hebrew)
* New translations jsonStorage.properties (Hebrew)
* New translations chart.properties (Hebrew)
* New translations persistence.properties (Hebrew)
* New translations inbox.properties (Italian)
* New translations jsonStorage.properties (Finnish)
* New translations audio.properties (Finnish)
* New translations inbox.properties (Finnish)
* New translations ephemeris.properties (Finnish)
* New translations restauth.properties (Finnish)
* New translations addons.properties (Finnish)
* New translations persistence.properties (Finnish)
* New translations chart.properties (Finnish)
* New translations addons.properties (Hebrew)
* New translations voice.properties (Finnish)
* New translations i18n.properties (Finnish)
* New translations network.properties (Finnish)
* New translations audio.properties (Hebrew)
* New translations inbox.properties (Hebrew)
* New translations ephemeris.properties (Hebrew)
* New translations restauth.properties (Hebrew)
* New translations audio.properties (Italian)
* New translations ephemeris.properties (Italian)
* New translations restauth.properties (Italian)
* New translations network.properties (Italian)
* New translations addons.properties (Italian)
* New translations persistence.properties (Italian)
* New translations jsonStorage.properties (Italian)
* New translations chart.properties (Italian)
* New translations voice.properties (Italian)
* New translations i18n.properties (Italian)
* New translations i18n.properties (German)
* New translations restauth.properties (German)
* New translations addons.properties (German)
* New translations persistence.properties (German)
* New translations chart.properties (German)
* New translations voice.properties (German)
* New translations network.properties (German)
* New translations inbox.properties (German)
* New translations ephemeris.properties (German)
* New translations audio.properties (German)
* New translations voice.properties (Ukrainian)
* New translations ephemeris.properties (Ukrainian)
* New translations chart.properties (Ukrainian)
* New translations jsonStorage.properties (Ukrainian)
* New translations persistence.properties (Ukrainian)
* New translations voice.properties (German)
These workarounds to prevent false positives can be removed now the EEAs allow for proper null analysis.
Signed-off-by: Wouter Born <github@maindrain.net>
This adds API tokens as a new credential type. Their format is:
`oh.<name>.<random chars>`
The "oh." prefix is used to tell them apart from a JWT access token,
because they're both used as a Bearer authorization scheme, but there
is no semantic value attached to any of the other parts.
They are stored hashed in the user's profile, and can be listed, added
or removed managed with the new `openhab:users` console command.
Currently the scopes are still not checked, but ultimately they could
be, for instance a scope of e.g. `user admin.items` would mean that the
API token can be used to perform user operations like retrieving info
or sending a command, _and_ managing the items, but nothing else -
even if the user has more permissions because of their role (which
will of course still be checked).
Tokens are normally passed in the Authorization header with the Bearer
scheme, or the X-OPENHAB-TOKEN header, like access tokens.
As a special exception, API tokens can also be used with the Basic
authorization scheme, **even if the allowBasicAuth** option is not
enabled in the "API Security" service, because there's no additional
security risk in allowing that. In that case, the token should be
passed as the username and the password MUST be empty.
In short, this means that all these curl commands will work:
- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`
2 REST API operations were adding to the AuthResource, to allow
authenticated users to list their tokens or remove (revoke) one.
Self-service for creating a token or changing the password is more
sensitive so these should be handled with a servlet and pages devoid
of any JavaScript instead of REST API calls, therefore for now they'll
have to be done with the console.
This also fixes regressions introduced with #1713 - the operations
annotated with @RolesAllowed({ Role.USER }) only were not authorized
for administrators anymore.
* Generate a unique salt for each token
Reusing the password salt is bad practice, and changing the
password changes the salt as well which makes all tokens
invalid.
Put the salt in the same field as the hash (concatenated
with a separator) to avoid modifying the JSON DB schema.
* Fix API token authentication, make scope available to security context
The X-OPENHAB-TOKEN header now has priority over the Authorization
header to credentials, if both are set.
* Add self-service pages to change password & create new API token
Signed-off-by: Yannick Schaus <github@schaus.net>
* Allow basic authentication to authorize API access
Closes#1699.
Note, this opens a minor security issue that allows an attacker
to brute force passwords by making calls to the API - contrary to
the authorization page, the credentials parsing for the REST API
is stateless & doesn't have a lock mechanism to lock user accounts
after too many failed login attempts.
Signed-off-by: Yannick Schaus <github@schaus.net>
Catch specific exceptions and don't log errors but instead add an appropriate message and preserve the stacktrace.
Signed-off-by: Wouter Born <github@maindrain.net>
Currently the AuthFilter will try to find a token in the
X-OPENHAB-TOKEN HTTP header - only when it finds a cookie
named X-OPENHAB-AUTH-HEADER. It can cause problems because
browsers or proxies might block the cookie from being sent
for various reasons (for instance if there's a path set
for it).
There is no downside IMHO to always try to fallback to
checking the X-OPENHAB-TOKEN header for a token, if and
only if it's not already provided in the Authorization
header. It is the responsibility of the client to decide
how it wants to authorize the request among the available
options - by checking a cookie, or something else entirely.
Also removed the '?api_key=' option because Swagger UI
doesn't provide tokens that way anymore.
Signed-off-by: Yannick Schaus <github@schaus.net>
