Integration with Span?

My Panel updated yesterday shortly after noon. I found the issue on GitHub listed above and I’m hoping the pull request gets merged and pushed publicly shortly. I don’t want to cobble mine together for the interim fix.

1 Like

I have been hit by the latest update today and I have pulled @sargonas test fix and so far everything is working as intended. If anyone else wants to test this fix add this link to your HACS repo:

Of note, when you hit the blue add repository button and search for Span multiple will now come up as it is now an official HACS Integration (congrats @gdgib !). To check if you have the right Integration go into one and on the upper right 3 vertical dots select “Repository” and it should redirect to sargonas’ repo. Download and go to Devices, for me it identified it immediately after reboot.

The only issue I had was I accidentally hit the auth token (don’t know if that works yet?) and I was locked into selecting that until I rebooted HA again. Be sure to authenticate via proximity and do the 3 button door test and you’re in.

Tested multiple breakers and measured one lead with my clamp meter and amps followed along with the watts it was posting (offhand anyway, still want to track over period to see why reports are not exact).

2 Likes

It does. :sunglasses:

Happy to hear my patch is working for folks!

As others have said, yes… if you are suffering from a broken integration due to the latest firmware, my fork will fix it if you add it manually to your integration.

There is an open PR for it to be merged back in, just waiting for gdgib to acknowledge it. It has only been a week, so I’m giving him a fair share of time for the benefit of the doubt, but if we end up at the end of the year with no response from him then I may look into supplanting the HACS version with my updated one. However that’s a break glass in case of emergency option. (And if I did do that, I would kick my repo out into its own GH Org and share admin with a few other community maintainers so that I am not a bus factor, while at it.)

As someone else said as well, there is a bug if you start the Auth Token flow, you can’t elegantly back out of it. I did not code that flow, it was recently merged into Main pending the next release a few months back by someone else, but I am going to open an issue and tag them on here this week and simultaneously see if I can’t figure out myself how to put in a simple return flow back to the menu if you wind up going down the wrong path.

4 Likes

Nice!

I will have to dust off my CLI post JSON knowledge it looks like…

Detailed instructions are in the README in my repo, but here is an exact CLI example for you (that I just added to the readme as well). Remember to replace the IP with your IP address, and the home-assistant-123435 with a random UID of your choosing, just to be safe.

curl -X POST https://192.168.1.2/api/v1/auth/register -H 'Content-Type: application/json' -d '{"name": "home-assistant-123456", "description": "Home Assistant Local Span Integration"}'

2 Likes

Thanks! I was able to pull it off from your readme file last night, it has just been a real long time since I went into any CLI interface.

It’s some nice work, integration has been rock solid since downloading.

Also bit by the latest firmware update — noticing that the curl against the SSL interface is getting a connection refused. The SPAN panel itself isn’t listening on 443/tcp, so neither version of the integration is working for me. Thinking about reaching out to SPAN support.

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
8000/tcp open http-alt
8080/tcp open http-proxy

Anyone else running into this?

My panel also wasn’t listening on 443. Weirdly, I did set it up about a week ago with the auth token, but it kept asking me to press the button every couple of days or so. I deleted the integration to set it up again hoping it would stop prompting me every few days, but when I tried to make the same call in the same way, I got the same error as @variousplaces.

I was able to make the call over http (no s), and get the access token, but that’s possibly more concerning than if I weren’t. I suppose there’s a reason I set up a vlan only for IoT devices, but this thing punches a hole through to the open web anyway, so listening on port 80 and returning an access token is concerning. @mbbush, it’s been a while since you weighed in here, but this seems worth raising internally.

Thanks for this! I just tried your fork and my panels are showing back up again.

This is not an official response from Span, it’s just something I wrote off the top of my head.

The span panel’s local API uses non-SSL http calls on port 80. AFAIK it’s never supported SSL, although I could be wrong about that. It’s worth noting that homeassistant also uses non-SSL http calls on the local network. You probably also log in to your home router using plain http. This is actually a pretty common pattern for local traffic, and for good reason.

Why? Because in order to use SSL effectively, you need a certificate signed by a well-trusted root CA, and that certificate has to be bound to a domain name, and the traffic has to actually use that domain name. This is exceptionally difficult, if not actually impossible, to do when the traffic is being routed entirely locally over a homeowner’s network. You’re connecting to your panel over your network, using we-don’t-know-what domain name (probably just the ip address, which I don’t think you can even get a CA to issue an SSL certificate for).

The other option is what e.g. zwavejs-ui uses, which is a self-signed SSL certificate. My understanding is that the reason it does this is that browsers will refuse to allow camera data to be sent to a non-secure website, even if it’s on your LAN. The result is that cameras work for scanning QR codes, but a scary “not secure” warning shows up in most browsers that will be confusing to most users, because the SSL cert doesn’t have a valid chain of trust back to a trusted CA.

I’m not a security expert, but I really don’t see the problem with using http connections for traffic that never leaves your home network. If you configured your router to port forward external traffic to the span panel on port 80, then yes, it would be a security concern, but in the same way that choosing to leave your front door wide open 24/7 is a security concern. You should just … not do that.

As far as the threat model, the only sensitive information being transmitted over the http LAN connection is the auth token itself, which is completely useless for anything besides access to the local api of that one panel. It’s completely separate from anything used for cloud connectivity or the span mobile app, and the validation happens entirely on the panel itself. This was a deliberate design choice to provide resiliency in the face of e.g. a problem with your internet connection or with Span’s cloud servers.

I think there’s a lot of confusion about the state of authentication in the HA integration itself. It’s pretty much all working, and I opened a PR against @sargonas’s fork (which he merged) clarifying some of the documentation.

The essence of it is that the proof of proximity is used once, for the integration to get a token, which it then automatically saves and reuses. So you won’t have to repeat the door button trick when the panel reboots or gets a firmware update.

1 Like
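The flow described in the post above (prove proximity once, save the token, reuse it afterwards), as an added example that is not part of the thread or of the integration's code. The endpoint and request body come from the curl command earlier in the thread; the `accessToken` reply field, the token file path, the `http://` base URL and the injectable `opener` parameter are assumptions made for this sketch.

```python
import json
import os
import urllib.request
from pathlib import Path


def register(base_url, name, description, opener=urllib.request.urlopen):
    """POST the registration request from the thread and return the JSON reply."""
    body = json.dumps({"name": name, "description": description}).encode()
    req = urllib.request.Request(
        f"{base_url}/api/v1/auth/register",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=5.0) as resp:
        return json.load(resp)


def load_or_register(base_url, name, token_file,
                     token_field="accessToken",  # assumed reply field name
                     opener=urllib.request.urlopen):
    """Return (token, reused); the panel is contacted only when no token is stored."""
    path = Path(token_file)
    if path.exists():
        return path.read_text().strip(), True
    reply = register(base_url, name,
                     "Home Assistant Local Span Integration", opener)
    token = reply[token_field]
    # The token is the only secret in this exchange, so create the file
    # owner-readable only (0600) and refuse to overwrite an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    return token, False


if __name__ == "__main__":
    # Replace the IP and client name with your own, as the thread advises.
    _, reused = load_or_register("http://192.168.1.2",
                                 "home-assistant-123456", "span_token.txt")
    print("reused stored token" if reused else "registered and stored a new token")
```

The first call has to be made after the door-button proximity step described in the thread; later calls read the stored token and send nothing to the panel.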

Thanks Matt for the reply, @sargonas and @NathanCu both helped me up above and got the auth token working as expected - and so far has been very robust.

The specific issue I was raising was if you selected the auth route and did not have your token yet you couldn’t go back to proximity authentication to first install the integration.

Been there, done that. You just blow away the integration, restart HA and install the integration by ip address. Or grab a new token from the panel.

After some issues blowing away the integration (I had a second discovery of my existing panel that I had previously ignored and forgotten about), I was able to pull down the @sargonas fork and get it up and running with auth.

2 Likes

@gdgib Brand new to HA over the weekend having received my HA Green and got it up and running over the weekend. Was entirely motivated by this thread so as to be able to get my Span integrated in with my Tesla gateway, etc.

But Step 1 in the setup of installing HACS is tripping me up (note - no trouble getting the Span authentication token which I have ready and standing by). Appear to have successfully gone through all the installation steps, except when then finally selecting HACS in the sidebar so I can go get the Span integration, I get a very simple HTML page (image here), not any kind of app like other screen shots show (e.g. Getting started | HACS).

Presume it’s some kind of config bust, but too new to HA to understand (and not a programmer at all)?

I would welcome any tips to fix HACS as presume from there on would be straight forward, but also wondering whether there is a different way to install the Span integration without going through HACS?

@gdgib Never mind. After working on this since yesterday, found the problem in another thread here. Problem trying to install HACS

On to install Span integration now…!

@gdgib Sorry for simple newbie question, but what does the “Host” input field require during initial setup? Using IP address only yields “unknown error” and using full url (i.e. “http://x.x.x.x”) yields “failed to connect” error.

IP address is correct as can readily connect via browser.

Initiating “proof of proximity” test didn’t change the outcome.

Already have the access token standing by if I can get past this step…

Which integration did you try to install? The default one in HACS may have an issue (read above just a few posts about recent breaking changes by span that requires an integration edit in the user end.)

@NathanCu Thanks. Looks like indeed may be referring to wrong repository? When I click on the right 3 vertical dots in the Span integration row of HACS, it takes me to what appears to be the master @gdgib repository, not the @sargonas one in the link posted. Version shows as 0.0.7. That was the most recent one to come up in the integration install.

Can I manually redirect to the later “fork” or do I need to uninstall/reinstall using a different path?

1 Like