Add HMAC-SHA256 API authentication to board drivers and edit UI

- Both olimex_esp32_c6_evb and olimex_esp32_c6_evb_pn532 drivers now sign every API request with X-Request-Time / X-Request-Sig headers using HMAC-SHA256(api_secret, METHOD:path:unix_timestamp) - Board model gains api_secret column (nullable, default None) - boards.py edit route saves api_secret from form - edit.html adds API Secret input with cryptographic Generate button - If api_secret is empty/None, headers are omitted (backward compat)
2026-03-15 12:33:45 +02:00
parent 1152f93a00
commit 36de1623c2
5 changed files with 117 additions and 35 deletions
--- a/app/drivers/olimex_esp32_c6_evb/driver.py
+++ b/app/drivers/olimex_esp32_c6_evb/driver.py
@@ -29,7 +29,11 @@ The board POSTs to the registered callback_url whenever an input changes:
 """
 from __future__ import annotations

+import hashlib
+import hmac
 import logging
+import time as _time
+import urllib.parse
 import requests
 from typing import TYPE_CHECKING

@@ -42,9 +46,9 @@ logger = logging.getLogger(__name__)
 _TIMEOUT = 3


-def _get(url: str) -> dict | None:
+def _get(url: str, headers: dict | None = None) -> dict | None:
    try:
-        r = requests.get(url, timeout=_TIMEOUT)
+        r = requests.get(url, timeout=_TIMEOUT, headers=headers or {})
        r.raise_for_status()
        return r.json()
    except Exception as exc:
@@ -52,9 +56,9 @@ def _get(url: str) -> dict | None:
        return None


-def _post(url: str) -> dict | None:
+def _post(url: str, headers: dict | None = None) -> dict | None:
    try:
-        r = requests.post(url, timeout=_TIMEOUT)
+        r = requests.post(url, timeout=_TIMEOUT, headers=headers or {})
        r.raise_for_status()
        return r.json()
    except Exception as exc:
@@ -62,6 +66,18 @@ def _post(url: str) -> dict | None:
        return None


+def _auth(board: "Board", method: str, url: str) -> dict:
+    """Build HMAC-SHA256 auth headers. Returns {} when no api_secret set."""
+    secret: str = getattr(board, "api_secret", None) or ""
+    if not secret:
+        return {}
+    path = urllib.parse.urlparse(url).path
+    ts = str(int(_time.time()))
+    msg = f"{method}:{path}:{ts}".encode()
+    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
+    return {"X-Request-Time": ts, "X-Request-Sig": sig}
+
+
 class OlimexESP32C6EVBDriver(BoardDriver):
    """Driver for the Olimex ESP32-C6-EVB board."""

@@ -75,15 +91,18 @@ class OlimexESP32C6EVBDriver(BoardDriver):
    # ── relay control ─────────────────────────────────────────────────────────

    def get_relay_status(self, board: "Board", relay_num: int) -> bool | None:
-        data = _get(f"{board.base_url}/relay/status?relay={relay_num}")
+        url = f"{board.base_url}/relay/status?relay={relay_num}"
+        data = _get(url, _auth(board, "GET", url))
        return bool(data["state"]) if data is not None else None

    def set_relay(self, board: "Board", relay_num: int, state: bool) -> bool:
        action = "on" if state else "off"
-        return _post(f"{board.base_url}/relay/{action}?relay={relay_num}") is not None
+        url = f"{board.base_url}/relay/{action}?relay={relay_num}"
+        return _post(url, _auth(board, "POST", url)) is not None

    def toggle_relay(self, board: "Board", relay_num: int) -> bool | None:
-        data = _post(f"{board.base_url}/relay/toggle?relay={relay_num}")
+        url = f"{board.base_url}/relay/toggle?relay={relay_num}"
+        data = _post(url, _auth(board, "POST", url))
        return bool(data["state"]) if data is not None else None

    # ── poll ──────────────────────────────────────────────────────────────────
@@ -99,12 +118,14 @@ class OlimexESP32C6EVBDriver(BoardDriver):
        input_states: dict = {}

        if board.num_relays > 0:
-            probe = _get(f"{board.base_url}/relay/status?relay=1")
+            url = f"{board.base_url}/relay/status?relay=1"
+            probe = _get(url, _auth(board, "GET", url))
            if probe is None:
                return _offline
            relay_states["relay_1"] = bool(probe.get("state", False))
        elif board.num_inputs > 0:
-            probe = _get(f"{board.base_url}/input/status?input=1")
+            url = f"{board.base_url}/input/status?input=1"
+            probe = _get(url, _auth(board, "GET", url))
            if probe is None:
                return _offline
            input_states["input_1"] = bool(probe.get("state", False))
@@ -113,13 +134,15 @@ class OlimexESP32C6EVBDriver(BoardDriver):

        # Board is reachable — collect remaining endpoints
        for n in range(2, board.num_relays + 1):
-            data = _get(f"{board.base_url}/relay/status?relay={n}")
+            url = f"{board.base_url}/relay/status?relay={n}"
+            data = _get(url, _auth(board, "GET", url))
            if data is not None:
                relay_states[f"relay_{n}"] = bool(data.get("state", False))

        input_start = 2 if (board.num_relays == 0 and board.num_inputs > 0) else 1
        for n in range(input_start, board.num_inputs + 1):
-            data = _get(f"{board.base_url}/input/status?input={n}")
+            url = f"{board.base_url}/input/status?input={n}"
+            data = _get(url, _auth(board, "GET", url))
            if data is not None:
                input_states[f"input_{n}"] = bool(data.get("state", True))

@@ -133,7 +156,7 @@ class OlimexESP32C6EVBDriver(BoardDriver):

    def register_webhook(self, board: "Board", callback_url: str) -> bool:
        url = f"{board.base_url}/register?callback_url={callback_url}"
-        ok = _post(url) is not None
+        ok = _post(url, _auth(board, "POST", url)) is not None
        if ok:
            logger.info("Webhook registered on board '%s' \u2192 %s", board.name, callback_url)
        else:
@@ -144,7 +167,8 @@ class OlimexESP32C6EVBDriver(BoardDriver):

    def get_nfc_status(self, board: "Board") -> dict | None:
        """Return current NFC reader status (last UID, access_state, auth config)."""
-        return _get(f"{board.base_url}/nfc/status")
+        url = f"{board.base_url}/nfc/status"
+        return _get(url, _auth(board, "GET", url))

    def set_nfc_config(
        self,
@@ -153,12 +177,7 @@ class OlimexESP32C6EVBDriver(BoardDriver):
        relay_num: int = 1,
        pulse_ms: int = 3000,
    ) -> bool:
-        """Push NFC access-control config to the board.
-
-        auth_uid:  authorized card UID (e.g. "04:AB:CD:EF"); empty = any card opens relay.
-        relay_num: which relay to open on a matching card (1-4).
-        pulse_ms:  how long to hold the relay open in milliseconds (100-60000).
-        """
+        """Push NFC access-control config to the board."""
        import urllib.parse

        url = (
@@ -167,7 +186,7 @@ class OlimexESP32C6EVBDriver(BoardDriver):
            f"&relay={relay_num}"
            f"&pulse_ms={pulse_ms}"
        )
-        result = _post(url)
+        result = _post(url, _auth(board, "POST", url))
        if result:
            logger.info(
                "NFC config pushed to board '%s': uid='%s' relay=%d pulse=%dms",