Adding Token Support for Client Device Unique Identification

[tagaf]

At the moment seems that devices can be created and unique tokens are assigned to them, but when a client device needs to make a POST request for using methods like openDoorByNFC or getCredits no tokens id are requested in the POST request by the methods, which are now implemented. As Vongomben suggests it is critical for the system safety that those methods identify the device to which are answering before giving any sensible information.

[xrmx]

Are you sure the credits api does not check the token validity? Please provide a reproducer so i can eventually fix that. Regarding the open door we have already a WIP PR handling that here OfficineArduinoTorino#2

[tagaf]

In the views.py file, which contains the methods, that one client can access by means of get or post requests(in urls.py there's the list); it is straightforward to see that all the methods do not ask for any id_device or token, just use_device() does it. The latter it is not usable by means of get or post request, since it is not present in urls.py If you want to implement Door as a device, then you should probably merge loginByNFC and use_device methods, and check that response is done also checking time_slots and permissions.
The Card_credit api seems not using the machine_token since as is written in line 236 of views.py , only "nfc_id" and "amount" are needed as data in the post request for credit updating method.

[xrmx]

Authorization is handled on an HTTP header (i.e. Authorization: Token yourtoken) not in the request parameters. If you can call this api without a valid token header and getting something else than a 403 status code please provide a reproducer as it is indeed a security issue.

[tagaf]

#!/usr/bin/python

import sys    
sys.path.insert(0, '/usr/lib/python2.7/bridge/')
from urllib2 import Request, urlopen, URLError, HTTPError
from urllib import urlencode
import json
import httplib

#this script was written in order to send a POST request to the server, and
#send back to arduino microcontroller the response of the server. This script 
#is called through arduino YUN Bridge library, therefore name of this script
#and the name of the script it is run in the arduino sketch must match.
#In order to execute the POST request two informations are needed
# the nfc_id retrieved by the nfc reader, which is passed by arduino
#microcontroller as command line argument, and the base url 
#which you can find here



#url of the server also, it is possible to edit /etc/hosts in order to mask ip 
baseurl='labchat.officine.cc:8443'

#taken from urls.py in labadmin repository on github
urls={'doorNFC':'/labadmin/labAdmin/opendoorbynfc/','userUpd':'/labadmin/labAdmin\updateUsers/','id':'/labadmin/labAdmin/user/identity/','nfcUs':'/labadmin/labAdmin/nfc/users/','cred':'labadmin/labAdmin/card/credits/'}

data={}
if len(sys.argv)!=2:
	#needed since arduino calls this script and passes as command line argument the nfc_id 
	print "False"
	print "uid code missing or corrupted"
else:
	current_uid=sys.argv[1]
	#formatting the post request                              
	data['nfc_id']=current_uid
	params = urlencode(data)
	headers={"Content-Type":"application/x-www-form-urlencoded"}
	#connecting to the server
	conn = httplib.HTTPSConnection(baseurl)
	try: 
		conn.request("POST", urls['doorNFC'], params, headers)
		response = conn.getresponse()	
	except HTTPError as e:
    		print 'False'
		print 'Error code:',e.code
	except URLError as e:
		print 'False'
    		print 'Reason:', e.reason
	else:
		rjson=response.read()
		rdata = json.loads(rjson)
		try:
			print rdata['open']
			for user in rdata['users']:
				print user['name']
#if the dictionary rdata is empty a TypeError will be raised		
		except TypeError:
			print "False"
			print "Card not associated to any user"

This code can request to the server the access with whatever nfc_id (passed as command line argument), please note that this code was developed to be run on Arduino Yun, but can be easily adapted to run on whatever system. Note also that no token is given just nfc_id. As @vongomben told me the token should be hardcoded in each client and given to the server in order to uniquely identify the client.

[xrmx]

There's already a WIP PR fixing that, please replicate it with the cred api call that use the same code for authentication handling.