HTTP interface won't check for api password on non existing path's anymore but throw 404.

homeassistant/httpinterface.py

@@ -91,22 +91,8 @@ class RequestHandler(BaseHTTPRequestHandler):
 
         get_data = parse_qs(url.query)
 
-        # Verify API password
+        if url.path == "/":
-        if get_data.get('api_password', [''])[0] != self.server.api_password:
+            if self._verify_api_password(get_data.get('api_password', [''])[0], False):
-            self.send_response(200)
-            self.send_header('Content-type','text/html')
-            self.end_headers()
-
-            write("<html>")
-            write("<form action='/' method='GET'>")
-            write("API password: <input name='api_password' />")
-            write("<input type='submit' value='submit' />")
-            write("</form>")
-            write("</html>")
-
-
-        # Serve debug URL
-        elif url.path == "/":
                 self.send_response(200)
                 self.send_header('Content-type','text/html')
                 self.end_headers()
@@ -185,14 +171,11 @@ class RequestHandler(BaseHTTPRequestHandler):
         self.server.logger.info(post_data)
         self.server.logger.info(action)
 
-
+        given_api_password = post_data.get("api_password", [''])[0]
-        # Verify API password
-        if post_data.get("api_password", [''])[0] != self.server.api_password:
-            self._message(use_json, "API password missing or incorrect.", MESSAGE_STATUS_UNAUTHORIZED)
-
 
         # Action to change the state
-        elif action == "state/change":
+        if action == "state/change":
+            if self._verify_api_password(given_api_password, use_json):
                 category, new_state = post_data['category'][0], post_data['new_state'][0]
 
                 try:
@@ -205,6 +188,7 @@ class RequestHandler(BaseHTTPRequestHandler):
 
         # Action to fire an event
         elif action == "event/fire":
+            if self._verify_api_password(given_api_password, use_json):
                 try:
                     event_name = post_data['event_name'][0]
                     event_data = None if 'event_data' not in post_data or post_data['event_data'][0] == "" else json.loads(post_data['event_data'][0])
@@ -217,11 +201,33 @@ class RequestHandler(BaseHTTPRequestHandler):
                     # If JSON decode error
                     self._message(use_json, "Invalid event received.", MESSAGE_STATUS_ERROR)
 
-
         else:
             self.send_response(404)
 
 
+    def _verify_api_password(self, api_password, use_json):
+        if api_password == self.server.api_password:
+            return True
+
+        elif use_json:
+            self._message(True, "API password missing or incorrect.", MESSAGE_STATUS_UNAUTHORIZED)            
+
+        else:
+            self.send_response(200)
+            self.send_header('Content-type','text/html')
+            self.end_headers()
+
+            write = lambda txt: self.wfile.write(txt+"\n")
+            
+            write("<html>")
+            write("<form action='/' method='GET'>")
+            write("API password: <input name='api_password' />")
+            write("<input type='submit' value='submit' />")
+            write("</form>")
+            write("</html>")
+
+        return False
+
     def _message(self, use_json, message, status=MESSAGE_STATUS_OK):
         """ Helper method to show a message to the user. """
         log_message = "{}: {}".format(status, message)