REST API: Different URL/resource for authentication and data

Hello guys,

I have two questions regarding Home Assistant and REST Integration since I am trying to integrate an HDMI-Switching AV device via REST and the REST_Switch Integration.

  1. My AV device has different URLs (resources) for authentication and for where I send my GET and POST with data. How do I configure the two URLs (resources) in the configuration.yaml?

URL for authentication:

“https://[IP-Address]/userlogin.html”

URL for sending/receiving data:

“https://[IP-Address]/Device/DeviceSpecific”

  2. Does the REST Integration automatically save all HTTPOnly cookies sent as answer by the device after authentication, like for example POSTMAN does?

Thanks in advance!

How about a separate REST sensor to login and store the auth key

And then a separate REST command for each action and then a template switch

#################################
#### LIVING ROOM - SWITCH     #####
################################
  - platform: template
    switches:
      climatereact_livingroom:
        value_template: "{{ is_state_attr('sensor.sensibo_living_room', 'enabled', true) }}"
        unique_id: 232343cb7e79-8asd1211caacsdsd
        friendly_name: Climate React - Living Room
        turn_on:
         - service: rest_command.sensibo_climate_react
           data: 
            deviceid: "AbCdEfgH"
            enabled: "true"
         - delay: 2
         - service: homeassistant.update_entity
           entity_id: sensor.sensibo_living_room
        turn_off:
         - service: climate.turn_off
           entity_id: climate.living_room
         - service: rest_command.sensibo_climate_react
           data: 
            deviceid: "AbCdEF"
            enabled: "false"
         - delay: 2
         - service: homeassistant.update_entity
           entity_id: sensor.sensibo_living_room
        icon_template: >-
          {% if is_state_attr('sensor.sensibo_living_room', 'enabled', true) %}
            mdi:fan-auto
          {% else %}
            mdi:fan-off
          {% endif %}     

HA does not handle cookies, nor allow integration of html “login forms”.
Doesn’t your AV have a proper auth API, like OAuth2? Or API keys?

I am not sure since my knowledge about authentication processes is very limited…

The documentation tells me these steps must be followed to authenticate and start a session:

  1. Send an HTTPS GET request to the server hostname with the URL set to the login page “/userlogin.html”
    Answer: Copy the value of the TRACKID cookie. This cookie must be entered as a header in the following POST request.

  2. Next, send an HTTPS POST request to the server hostname with the URL set to the login page /userlogin.html. The POST request must include the following information:

  • Headers
    • Add a Cookie header with a value of TRACKID=[value], where [value] is the value of the TRACKID cookie shown in the image above.
    • Add an Origin header with a value of [deviceip], where [deviceip] is the IP address of the device.
    • Add a Referer header with a value of [deviceip]/userlogin.html, where [deviceip] is the IP address of the device.
  • Body
    • Enter the admin login credentials for the device in URL‑encoded format as raw data. The login key is the username value and the passwd key is the password value. Refer to the following sample syntax.
login=<username>&&passwd=<password>

→ If the POST request is valid, the server returns a 200 OK response.

The response also contains authentication cookies that must be saved, as they will be required on all the subsequent requests. The following HTTPONLY cookies must be saved by the client for any API call:

  • AuthByPasswd
  • TRACKID
  • iv
  • tag
  • userid
  • usrstr

If I follow these steps with POSTMAN I can establish a session with the device and send GET and POST as I wish.

My question is whether this will work with the authentication methods provided by the RESTful Integration in HA.

As an alternative I could establish a session with WebSocket, but I didn’t look into that until now.

As I said, I’m not aware of HA being able to handle cookies, so if the login process involves them, that’s a dead-end using standard RESTful. Websocket won’t get you further using out-of-the-box HA either.

If there is no way around it, your only option would be to create a custom component.
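
The login sequence quoted from the device documentation above, as an added Python example of the session handling a custom component or helper script would need (not code from any poster, the vendor, or Home Assistant). The injectable `send` transport, the `cafile` argument, the `https://` prefix on Origin and Referer, and the standard single-`&` form encoding of the body are assumptions.

```python
import http.client
import ssl
from urllib.parse import urlencode

LOGIN_PATH = "/userlogin.html"
# Cookies the quoted documentation says every API call must carry.
REQUIRED = {"AuthByPasswd", "TRACKID", "iv", "tag", "userid", "usrstr"}

def parse_set_cookies(values):
    """Map cookie name -> value from raw Set-Cookie header values."""
    jar = {}
    for raw in values:
        name, sep, value = raw.split(";", 1)[0].partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar

def https_transport(host, cafile):
    """Real transport; TLS is verified against a CA file (hypothetical path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    def send(method, path, headers, body=None):
        conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
        try:
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.headers.get_all("Set-Cookie") or []
        finally:
            conn.close()
    return send

def login(send, host, username, password):
    """Steps 1 and 2 from the thread; returns the session cookies."""
    _, set_cookies = send("GET", LOGIN_PATH, {})
    jar = parse_set_cookies(set_cookies)
    if "TRACKID" not in jar:
        raise RuntimeError("login page did not set TRACKID")
    headers = {
        "Cookie": f"TRACKID={jar['TRACKID']}",
        "Origin": f"https://{host}",             # assumption: scheme + device IP
        "Referer": f"https://{host}{LOGIN_PATH}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"login": username, "passwd": password})
    status, set_cookies = send("POST", LOGIN_PATH, headers, body)
    jar.update(parse_set_cookies(set_cookies))
    missing = sorted(REQUIRED - jar.keys())
    if status != 200 or missing:                 # fail closed; values never logged
        raise RuntimeError(f"login failed: status={status} missing={missing}")
    return jar

def cookie_header(jar):
    """Cookie header for later /Device/DeviceSpecific requests."""
    return "; ".join(f"{name}={jar[name]}" for name in sorted(REQUIRED))
```

Pass `https_transport(host, cafile)` as `send` against a real device; keeping certificate verification on matters here because the POST body carries the admin password.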