Log in on the connection before privileged port commands (add/inherit/remove)#24
Conversation
|
Honestly, I have never tried these functions. They were implemented by another contributor. However, we have a method to flag those commands that require authentication: an array here. Would that work for you? |
|
Apologies, I wrote this PR from notes I made while first setting up my gateway, before I'd found the session-timeout issue from #23, so I'd reached the wrong conclusion. I've re-tested and you're right: adding these commands to I'll change this PR to just add |
ports add/inherit/remove fire ADD_PORT/INHERIT_PORT/REMOVE_PORT, which the gateway rejects with PERMISSION_DENIED when the session token is stale. They were missing from loginRequiredCommands, so autoLogin never ran for them and they fired with an idle-expired (or zero) token. Add them so autoLogin obtains a valid token first. loginRequired matches on the leaf cmd.Use, so the shared leaf names "add" and "remove" also flag `users add` / `users remove` as login-required. That is harmless and arguably correct, since those commands need a session too. The consts are named generically (AddCmdUse/InheritCmdUse/RemoveCmdUse) to reflect that they are not ports-specific. Most robust together with dropping the fixed TokenExpirationTime timer (see the related re-login PR), since the gateway idle-expires tokens far sooner than any fixed timer.
|
Updated to your approach: One heads-up: since |
879f1fd to
ce00d1c
Compare
|
Thank you! Regarding the |
Problem
ports add,ports inherit, andports removefireADD_PORT/INHERIT_PORT/REMOVE_PORTon a fresh per-command connection (viaGeneric) carrying only a token. (These commands are also not inloginRequired, so nothing logs in for them either.)On my gateway (firmware
EE001425-15) those commands are rejected withPERMISSION_DENIEDunless theLOGINhappened on the same connection as the privileged command. A valid token alone, which is fine forSetState/GetStatus, was not enough for these. The official app issues these on its single persistent post-login connection, which is presumably why it never hits this.Caveat: this may be gateway/firmware specific. Your gateway may well accept the current token-only path for these commands (the
ports inherit/addhelp text suggests it worked for you), so I don't want to claim this is universal. But logging in on the connection is harmless where it already worked and is what the app does, so it seemed like a safe fix either way. Happy to adjust if you'd rather gate it or handle it differently.Fix
Log in on the connection before the port-management command. The three CLI commands now take
username/password(from config) instead of a token, and the wrappers doLoginthen the command on the one connection.Notably nothing else was needed on my gateway. I first assumed a session-init handshake (
GET_USER_RIGHTS/GET_GROUPS/GET_GW_VERSION/GET_NAME) was required, but comparing against the decompiled app (it sends the teach command with a null payload straight down the logged-in connection, no pre-handshake) and testing showed login-on-connection alone was enough here.Testing
Against my gateway,
ports addwith no remote pressed:Previously this returned
PERMISSION_DENIED(12). GettingADD_PORT_ERRORrather than a port id also means no port was created.