HTTP interface won't check for api password on non existing path's anymore but throw 404.

2025-07-26 22:57:17 +00:00 · 2013-09-29 23:47:53 -07:00 · 2013-09-29 23:47:53 -07:00 · a75f396242
commit a75f396242
parent 77a69016d4
1 changed files with 82 additions and 76 deletions
--- a/homeassistant/httpinterface.py
+++ b/homeassistant/httpinterface.py
@ -91,22 +91,8 @@ class RequestHandler(BaseHTTPRequestHandler):

        get_data = parse_qs(url.query)

-        # Verify API password
-        if get_data.get('api_password', [''])[0] != self.server.api_password:
-            self.send_response(200)
-            self.send_header('Content-type','text/html')
-            self.end_headers()
-
-            write("<html>")
-            write("<form action='/' method='GET'>")
-            write("API password: <input name='api_password' />")
-            write("<input type='submit' value='submit' />")
-            write("</form>")
-            write("</html>")
-
-
-        # Serve debug URL
-        elif url.path == "/":
+        if url.path == "/":
+            if self._verify_api_password(get_data.get('api_password', [''])[0], False):
                self.send_response(200)
                self.send_header('Content-type','text/html')
                self.end_headers()
@ -185,14 +171,11 @@ class RequestHandler(BaseHTTPRequestHandler):
        self.server.logger.info(post_data)
        self.server.logger.info(action)

-
-        # Verify API password
-        if post_data.get("api_password", [''])[0] != self.server.api_password:
-            self._message(use_json, "API password missing or incorrect.", MESSAGE_STATUS_UNAUTHORIZED)
-
+        given_api_password = post_data.get("api_password", [''])[0]

        # Action to change the state
-        elif action == "state/change":
+        if action == "state/change":
+            if self._verify_api_password(given_api_password, use_json):
                category, new_state = post_data['category'][0], post_data['new_state'][0]

                try:
@ -205,6 +188,7 @@ class RequestHandler(BaseHTTPRequestHandler):

        # Action to fire an event
        elif action == "event/fire":
+            if self._verify_api_password(given_api_password, use_json):
                try:
                    event_name = post_data['event_name'][0]
                    event_data = None if 'event_data' not in post_data or post_data['event_data'][0] == "" else json.loads(post_data['event_data'][0])
@ -217,11 +201,33 @@ class RequestHandler(BaseHTTPRequestHandler):
                    # If JSON decode error
                    self._message(use_json, "Invalid event received.", MESSAGE_STATUS_ERROR)

-
        else:
            self.send_response(404)


+    def _verify_api_password(self, api_password, use_json):
+        if api_password == self.server.api_password:
+            return True
+
+        elif use_json:
+            self._message(True, "API password missing or incorrect.", MESSAGE_STATUS_UNAUTHORIZED)            
+
+        else:
+            self.send_response(200)
+            self.send_header('Content-type','text/html')
+            self.end_headers()
+
+            write = lambda txt: self.wfile.write(txt+"\n")
+            
+            write("<html>")
+            write("<form action='/' method='GET'>")
+            write("API password: <input name='api_password' />")
+            write("<input type='submit' value='submit' />")
+            write("</form>")
+            write("</html>")
+
+        return False
+
    def _message(self, use_json, message, status=MESSAGE_STATUS_OK):
        """ Helper method to show a message to the user. """
        log_message = "{}: {}".format(status, message)