Bugfix: Allow accessing API via api_password in url

2025-07-22 20:57:21 +00:00 · 2015-12-06 21:09:39 -08:00 · 2015-12-06 21:09:39 -08:00 · 39e3a3c463
commit 39e3a3c463
parent fd9da7f9de
2 changed files with 22 additions and 14 deletions
--- a/homeassistant/components/http.py
+++ b/homeassistant/components/http.py
@ -202,17 +202,12 @@ class RequestHandler(SimpleHTTPRequestHandler):
                    "Error parsing JSON", HTTP_UNPROCESSABLE_ENTITY)
                return

-        if self.server.api_password is None:
-            self.authenticated = True
-        elif HTTP_HEADER_HA_AUTH in self.headers:
-            api_password = self.headers.get(HTTP_HEADER_HA_AUTH)
-
-            if not api_password and DATA_API_PASSWORD in data:
-                api_password = data[DATA_API_PASSWORD]
-
-            self.authenticated = api_password == self.server.api_password
-        else:
-            self.authenticated = self.verify_session()
+        self.authenticated = (self.server.api_password is None
+                              or self.headers.get(HTTP_HEADER_HA_AUTH) ==
+                              self.server.api_password
+                              or data.get(DATA_API_PASSWORD) ==
+                              self.server.api_password
+                              or self.verify_session())

        if '_METHOD' in data:
            method = data.pop('_METHOD')
--- a/tests/components/test_api.py
+++ b/tests/components/test_api.py
@ -66,18 +66,31 @@ class TestAPI(unittest.TestCase):

    # TODO move back to http component and test with use_auth.
    def test_access_denied_without_password(self):
-        req = requests.get(
-            _url(const.URL_API_STATES_ENTITY.format("test")))
+        req = requests.get(_url(const.URL_API))

        self.assertEqual(401, req.status_code)

    def test_access_denied_with_wrong_password(self):
        req = requests.get(
-            _url(const.URL_API_STATES_ENTITY.format("test")),
+            _url(const.URL_API),
            headers={const.HTTP_HEADER_HA_AUTH: 'wrongpassword'})

        self.assertEqual(401, req.status_code)

+    def test_access_with_password_in_url(self):
+        req = requests.get(
+            "{}?api_password={}".format(_url(const.URL_API), API_PASSWORD))
+
+        self.assertEqual(200, req.status_code)
+
+    def test_access_via_session(self):
+        session = requests.Session()
+        req = session.get(_url(const.URL_API), headers=HA_HEADERS)
+        self.assertEqual(200, req.status_code)
+
+        req = session.get(_url(const.URL_API))
+        self.assertEqual(200, req.status_code)
+
    def test_api_list_state_entities(self):
        """ Test if the debug interface allows us to list state entities. """
        req = requests.get(_url(const.URL_API_STATES),