Add HMAC-SHA256 API authentication to board drivers and edit UI

- Both olimex_esp32_c6_evb and olimex_esp32_c6_evb_pn532 drivers now sign every API request with X-Request-Time / X-Request-Sig headers using HMAC-SHA256(api_secret, METHOD:path:unix_timestamp) - Board model gains api_secret column (nullable, default None) - boards.py edit route saves api_secret from form - edit.html adds API Secret input with cryptographic Generate button - If api_secret is empty/None, headers are omitted (backward compat)
2026-03-15 12:33:45 +02:00
parent 1152f93a00
commit 36de1623c2
5 changed files with 117 additions and 35 deletions
--- a/app/drivers/olimex_esp32_c6_evb_pn532/driver.py
+++ b/app/drivers/olimex_esp32_c6_evb_pn532/driver.py
@@ -37,7 +37,10 @@ The board also POSTs an NFC card event on every card detection:
 """
 from __future__ import annotations

+import hashlib
+import hmac
 import logging
+import time as _time
 import urllib.parse
 import requests
 from typing import TYPE_CHECKING
@@ -51,9 +54,9 @@ logger = logging.getLogger(__name__)
 _TIMEOUT = 3


-def _get(url: str) -> dict | None:
+def _get(url: str, headers: dict | None = None) -> dict | None:
    try:
-        r = requests.get(url, timeout=_TIMEOUT)
+        r = requests.get(url, timeout=_TIMEOUT, headers=headers or {})
        r.raise_for_status()
        return r.json()
    except Exception as exc:
@@ -61,9 +64,9 @@ def _get(url: str) -> dict | None:
        return None


-def _post(url: str) -> dict | None:
+def _post(url: str, headers: dict | None = None) -> dict | None:
    try:
-        r = requests.post(url, timeout=_TIMEOUT)
+        r = requests.post(url, timeout=_TIMEOUT, headers=headers or {})
        r.raise_for_status()
        return r.json()
    except Exception as exc:
@@ -71,6 +74,25 @@ def _post(url: str) -> dict | None:
        return None


+def _auth(board: "Board", method: str, url: str) -> dict:
+    """Build HMAC-SHA256 auth headers for a request to the board.
+
+    Returns an empty dict when no api_secret is configured on the board
+    so that unauthenticated boards continue to work without changes.
+
+    Message format: "METHOD:path:unix_timestamp"
+    e.g.            "GET:/nfc/status:1710512345"
+    """
+    secret: str = getattr(board, "api_secret", None) or ""
+    if not secret:
+        return {}
+    path = urllib.parse.urlparse(url).path
+    ts = str(int(_time.time()))
+    msg = f"{method}:{path}:{ts}".encode()
+    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
+    return {"X-Request-Time": ts, "X-Request-Sig": sig}
+
+
 class OlimexESP32C6EVBPn532Driver(BoardDriver):
    """Driver for the Olimex ESP32-C6-EVB board with PN532 NFC reader."""

@@ -84,15 +106,18 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):
    # ── relay control ─────────────────────────────────────────────────────────

    def get_relay_status(self, board: "Board", relay_num: int) -> bool | None:
-        data = _get(f"{board.base_url}/relay/status?relay={relay_num}")
+        url = f"{board.base_url}/relay/status?relay={relay_num}"
+        data = _get(url, _auth(board, "GET", url))
        return bool(data["state"]) if data is not None else None

    def set_relay(self, board: "Board", relay_num: int, state: bool) -> bool:
        action = "on" if state else "off"
-        return _post(f"{board.base_url}/relay/{action}?relay={relay_num}") is not None
+        url = f"{board.base_url}/relay/{action}?relay={relay_num}"
+        return _post(url, _auth(board, "POST", url)) is not None

    def toggle_relay(self, board: "Board", relay_num: int) -> bool | None:
-        data = _post(f"{board.base_url}/relay/toggle?relay={relay_num}")
+        url = f"{board.base_url}/relay/toggle?relay={relay_num}"
+        data = _post(url, _auth(board, "POST", url))
        return bool(data["state"]) if data is not None else None

    # ── poll ──────────────────────────────────────────────────────────────────
@@ -104,12 +129,14 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):
        input_states: dict = {}

        if board.num_relays > 0:
-            probe = _get(f"{board.base_url}/relay/status?relay=1")
+            url = f"{board.base_url}/relay/status?relay=1"
+            probe = _get(url, _auth(board, "GET", url))
            if probe is None:
                return _offline
            relay_states["relay_1"] = bool(probe.get("state", False))
        elif board.num_inputs > 0:
-            probe = _get(f"{board.base_url}/input/status?input=1")
+            url = f"{board.base_url}/input/status?input=1"
+            probe = _get(url, _auth(board, "GET", url))
            if probe is None:
                return _offline
            input_states["input_1"] = bool(probe.get("state", False))
@@ -117,13 +144,15 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):
            return _offline

        for n in range(2, board.num_relays + 1):
-            data = _get(f"{board.base_url}/relay/status?relay={n}")
+            url = f"{board.base_url}/relay/status?relay={n}"
+            data = _get(url, _auth(board, "GET", url))
            if data is not None:
                relay_states[f"relay_{n}"] = bool(data.get("state", False))

        input_start = 2 if (board.num_relays == 0 and board.num_inputs > 0) else 1
        for n in range(input_start, board.num_inputs + 1):
-            data = _get(f"{board.base_url}/input/status?input={n}")
+            url = f"{board.base_url}/input/status?input={n}"
+            data = _get(url, _auth(board, "GET", url))
            if data is not None:
                input_states[f"input_{n}"] = bool(data.get("state", True))

@@ -137,7 +166,7 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):

    def register_webhook(self, board: "Board", callback_url: str) -> bool:
        url = f"{board.base_url}/register?callback_url={callback_url}"
-        ok = _post(url) is not None
+        ok = _post(url, _auth(board, "POST", url)) is not None
        if ok:
            logger.info("Webhook registered on board '%s' → %s", board.name, callback_url)
        else:
@@ -148,11 +177,13 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):

    def get_nfc_status(self, board: "Board") -> dict | None:
        """Return current NFC reader status (last UID, access_state, auth config)."""
-        return _get(f"{board.base_url}/nfc/status")
+        url = f"{board.base_url}/nfc/status"
+        return _get(url, _auth(board, "GET", url))

    def get_nfc_config(self, board: "Board") -> dict | None:
        """Return current NFC access-control configuration from the board."""
-        return _get(f"{board.base_url}/nfc/config")
+        url = f"{board.base_url}/nfc/config"
+        return _get(url, _auth(board, "GET", url))

    def set_nfc_config(
        self,
@@ -173,7 +204,7 @@ class OlimexESP32C6EVBPn532Driver(BoardDriver):
            f"&relay={relay_num}"
            f"&pulse_ms={pulse_ms}"
        )
-        result = _post(url)
+        result = _post(url, _auth(board, "POST", url))
        if result:
            logger.info(
                "NFC config pushed to board '%s': uid='%s' relay=%d pulse=%dms",