Anyone working on a way to bring back api_password?

I have a few major systems that use api_password and the Python API (primarily this). All of which are now very broken because of api_password being removed. I’m thinking the best way to get it working again is to make a proxy. Another idea would be to add the new auth to the Python API, which so far is beyond my abilities. Does anyone know of an example or idea where I could start on either of these? I did look at putting api_password back into hass but the PR for removing it is quite extensive so I’m thinking that isn’t practical. My python is super-hacky so go easy :slight_smile:

Thanks.

Python API : https://pastebin.com/1Hs3BEAk
api_password removal PR : https://github.com/home-assistant/home-assistant/pull/27656

1 Like

Putting a password in an URL is a pretty terrible idea from a security perspective, can you not use Auth tokens instead?

1 Like

If you want this, you will need to create a long lived access token and configure NGINX to proxy all requests and add the authorization header to each request.

@balloob Thanks so much for the hint!! I’ll look into that.

Initial testing tells me this is going to work. You can secure it more by adding localhost etc.

server {
    listen 8124;
    location / {
        proxy_pass http://localhost:8123;
        proxy_set_header Authorization "Bearer Th34J2XQxyzHPHtmHdcF1h4";

    }
}

I’m running NGINX here already for Google Assistant integration/external SSL, so it appears an additional port could be used like in the example above. My question is where are you getting the Bearer key information?

I can generate a long lived token on HA, but not sure what to do after that to put it in use by this method? I’m running HA, NGINX, etc all on Windows so none of the examples I have seen mention ways to do this with Windows.

Thanks.

Is it possible to do this with the NGINX Home Assistant SSL proxy addon? I’m struggling with where to add this code. Here’s what didn’t work:

  1. Create file \share\nginx_proxy\servers.conf
  2. Paste the provided code into that file, setting the bearer token to be my long live token
  3. In the addon config, set active to true and servers to “nginx_proxy/servers.conf”
  4. Restart addon
  5. Try to access from http://localhost:8124, get ERR_CONNECTION_REFUSED

The bearer token is the long lived access token. Paste it in place of the abbreviated key in the example I posted.

Did you get this to work?

I currently use the following url in homeassistant to grab the camera from fully kiosk:

http://wallpanel_ip:2323?cmd=getCamshot&password=pwd

I like to use them as security cameras but motioneye won’t allow me to use that url, so I use the below proxy.

http://localhost:8123/api/camera_proxy/camera.wall_panel.

The latest update breaks this and I am trying to figure out a way to keep this functionality. I hate to think I have to proxy a proxy to get this to work, but so far its the best lead I have.

I wasn’t able to get it to work. I’m using HADashboard and they have a fix in version 4.0 so I decided to just wait for that. In the meantime, I’m using Home Panel for my home dashboard.

I was in the same boat, using hardware that supports only simple GET requests and didn’t want to run proxy just for this case.
I’ve managed to write a super simple custom component that brings back legacy api_password API authentication to newer hass versions (tested on 0.103.5).

Please use it only at your own risk. It seems to work fine for me, but my auth setup is pretty basic and I’m no expert in hass.
Hope it helps.

1 Like

@biern Thanks for sharing. I’ll try it at some point because it seems like the additional nginx layer adds a noticeable delay to my TV remote.