
How to Enable Web Authentication in OpenBeken Version 1.17.342 and newer

castorw 2964 16
  • Login window for the administrative interface with the password field filled.
    Intro
    Authentication to the administrative interface is present on most connected devices and is a basic security requirement. OpenBeken has supported web authentication since version 1.17.342. Web authentication is implemented using the simple HTTP basic authentication mechanism. This allows protection of devices against unwanted access or malicious configuration or control. When web authentication is enabled, the entire web admin interface and the APIs are protected with HTTP basic authentication. This (currently) does not apply to the various integrations implemented within OpenBeken.

    Supported platforms:
    * OpenBK7231T,
    * OpenBK7231N,
    * OpenXR809,
    * OpenBL602.

    Setup
    To enable web password authentication, log in to your OpenBeken device web interface and enter the Config -> Configure WiFi & Web configuration section.

    At the bottom you can see the Web Authentication section. This section provides two options:
    * Enable web authentication - enables web authentication and requires the user to log in before accessing the web admin interface,
    * Admin Password - the password to be used.

    Username is always admin.

    Screenshot showing network authentication interface with an enabled option and a password field.


    Usage
    The next time you access the web portal or API, you will be required to enter the username (admin) and the configured password. Any integrations using any web-based API will need to authenticate as well.

    Login window with basic HTTP authentication showing user admin.


    Safe Mode
    By default, web authentication (if configured) is enabled even when the device enters Safe Mode. This acts as a security measure, since the device creates an open AP to which anyone can connect and could possibly control the device or even misconfigure it to cause damage (e.g. relays used to control heating, water pumps, etc.).

    If you, however, wish to disable password authentication in Safe Mode, this can be done using global flag 44 in the Config -> Configure General/Flags section. It is not recommended, though.

    Configuration window with flag options in the OpenBeken interface.


    And that would be all, now your device has at least some basic security when it comes to administration 😉

  • #2 20860396
    p.kaczmarek2
    Moderator Smart Home
    This is surely a very important feature. Here's a link to the first public build that includes it:
    https://github.com/openshwprojects/OpenBK7231T_App/releases/tag/1.17.343
    Btw, the LittleFS issue we've spoken about is fixed now. I just had to reduce the binary size by 2KB...
  • #3 21244001
    mbk_med
    Level 3  
    Hi, is it possible to have Authentication on the W600 platform?
    Thank you.
  • #4 21244010
    p.kaczmarek2
    Moderator Smart Home
    @divadiow do you have W600 at hand? @max4elektroda ?
  • #5 21244038
    max4elektroda
    Level 20  
    Sorry, no W600 here, but W800, which is in the same line with W600 for the define in new_pins.h.
    So I could try with W800
  • #6 21244053
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    @divadiow do you have W600 at hand? @max4elektroda ?

    a transplanted TW-02 in a mini switch. Air602 in the post.
  • #7 21244064
    max4elektroda
    Level 20  
    PR1369 is compiling ATM

    Added after 27 [minutes]:

    Ahh, it's missing a "char webPassword[33]" in "mainConfig_t".

    If I calculated correctly and we have "initCommandLine[512]" starting at 0x000005E0 (dec 1504),
    we end at 2016 leaving only 32 to fill 2048
    Screenshot of source code displaying sections related to W600 and W800 platforms.
    So can we put the 33 bytes to the "unusedSectorAB" for W600 and W800?
  • #8 21244121
    mbk_med
    Level 3  
    >>21244010 Hi, I have 3 wall sockets with a W600 that I just successfully flashed.
  • #9 21244140
    p.kaczmarek2
    Moderator Smart Home
    My memory may not be right but I seem to remember that there was some issue with config size on W600 or W800.... that it was failing to save config when the config size was bigger than given threshold... but I am not sure....
  • #10 21244175
    max4elektroda
    Level 20  
    O.k, made a PR with a password reduced to 30 bytes.
    Tested W800 : After OTA I had to restart it by hand and then at least WiFi config was gone (started as Open AP).
    But setting SSID and PW worked and I could set web password successfully.

    @p.kaczmarek2 : Is the change to new_pins.h o.k.?
    Is 2048 the limit as expected?

    Code changes in C source files.
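
The size arithmetic from posts #7 and #10, as an added example (not the project's code): it assumes the saved config block must stay exactly 2048 bytes, as the thread supposes, and replaces every field before `initCommandLine` with a hypothetical `earlierFields` placeholder. The `spare` field, the `cfg_pw33_t`/`cfg_pw30_t` type names and `set_web_password` are likewise made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_SIZE 2048u /* assumed fixed size of the saved config block */

/* Simplified stand-in for mainConfig_t: every field before initCommandLine
 * is collapsed into one 0x5E0-byte (1504) placeholder array. */
typedef struct {
    unsigned char earlierFields[0x5E0]; /* hypothetical placeholder */
    char initCommandLine[512];          /* bytes 1504..2015 */
    char webPassword[33];               /* would need bytes 2016..2048 */
} cfg_pw33_t;

typedef struct {
    unsigned char earlierFields[0x5E0];
    char initCommandLine[512];
    char webPassword[30];               /* size chosen in post #10 */
    unsigned char spare[2];             /* hypothetical: pads back to 2048 */
} cfg_pw30_t;

/* Build-time guard: adding or growing a field must not resize the block. */
_Static_assert(sizeof(cfg_pw30_t) == CONFIG_SIZE, "config block changed size");

/* Bytes free after initCommandLine (the "32" worked out in post #7). */
size_t tail_room(void) {
    return CONFIG_SIZE - (offsetof(cfg_pw30_t, initCommandLine) + 512);
}

/* Store a password; refuse one that does not fit instead of silently
 * truncating it (a truncated password would be shorter than the user thinks). */
int set_web_password(cfg_pw30_t *cfg, const char *pw) {
    size_t n = strlen(pw);
    if (n >= sizeof cfg->webPassword) return -1; /* max 29 chars + NUL */
    memcpy(cfg->webPassword, pw, n + 1);
    return 0;
}

int main(void) {
    cfg_pw30_t cfg = {0};
    printf("33-byte field: %zu bytes, 30-byte field: %zu bytes, tail room: %zu\n",
           sizeof(cfg_pw33_t), sizeof(cfg_pw30_t), tail_room());
    printf("store 'secret': %d\n", set_web_password(&cfg, "secret"));
    return 0;
}
```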
  • #12 21244198
    max4elektroda
    Level 20  
    Nice, did your config "survive" the update on W600?
  • #13 21244201
    p.kaczmarek2
    Moderator Smart Home
    Wait, shouldn't config stay if you don't change the size of config structure?
    As per new_cfg.c:
    Code: C / C++
    Log in, to see the code

    It ignores the fields and just interprets whole config as a single bytes block.
  • #14 21244210
    max4elektroda
    Level 20  
    I didn't attach serial, so I can't tell what was wrong...
    In the end it seems to work
  • #15 21244243
    divadiow
    Level 34  
    max4elektroda wrote:
    Nice, did your config "survive" the update on W600?

    appears to have done. did OTA to latest public then OTA to PR.

    The only minor behavioural thing is that the password is ineffective if you use the same browser session after setting the password. device reboots, ctrl-f5, all just bring up OBK as if no password. And even the admin password checkbox and password are clear. Go incognito or use a different browser then it works and shows as set.
  • #16 21244260
    max4elektroda
    Level 20  
    Yes, that's the problem with the used basic auth, it's saved in the browser as long as the tab/window isn't closed; since there is no additional information, it will access the device even after a reboot.
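
Why a reboot does not log the browser out, as an added example (not OpenBeken's implementation): a server-side HTTP basic authentication check is stateless, so the same `Authorization` header the browser keeps resending validates on every request. The function names and the sample password `secret` are constructed for illustration; the fixed username `admin` is from the first post.

```c
#include <stdio.h>
#include <string.h>

/* Decode standard base64 into out (NUL-terminated); returns length or -1. */
static int b64_decode(const char *in, char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                       /* not a base64 character */
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n + 1 >= cap) return -1;         /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Compare without stopping at the first mismatching byte. */
static int same_string(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 if the Authorization value carries admin:<password>, else 0 (reply 401).
 * No session is consulted: the header alone decides, on every request. */
int basic_auth_ok(const char *authorization, const char *password) {
    char decoded[96], expected[96];
    if (!authorization || strncmp(authorization, "Basic ", 6) != 0) return 0;
    if (b64_decode(authorization + 6, decoded, sizeof decoded) < 0) return 0;
    if (strlen(password) + 7 > sizeof expected) return 0;
    strcpy(expected, "admin:");                  /* username is always admin */
    strcat(expected, password);
    return same_string(decoded, expected);
}

int main(void) {
    const char *hdr = "Basic YWRtaW46c2VjcmV0";  /* constructed: admin:secret */
    printf("before reboot: %d\n", basic_auth_ok(hdr, "secret"));
    printf("after reboot:  %d\n", basic_auth_ok(hdr, "secret"));
    printf("no header:     %d\n", basic_auth_ok(NULL, "secret"));
    return 0;
}
```

The header value is only base64-encoded, not encrypted, so over plain HTTP the password is readable by anyone who can observe the traffic.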
  • #17 21266762
    max4elektroda
    Level 20  
    p.kaczmarek2 wrote:
    It ignores the fields and just interprets whole config as a single bytes block.

    Since @divadiow asked in git: @p.kaczmarek2 could you please take a look in git if my assumption about the reason is reasonable ;-)?

Topic summary

Web authentication has been implemented in OpenBeken starting from version 1.17.342, utilizing HTTP basic authentication to secure the administrative interface and APIs against unauthorized access. Users can enable this feature by accessing the web interface and navigating to the WiFi & Web configuration section. Discussions include inquiries about the possibility of enabling authentication on the W600 platform, with users sharing experiences and technical challenges related to configuration sizes and memory limitations. Some users reported successful flashing of devices and the need for adjustments in password storage. Issues with browser session persistence affecting password effectiveness were also noted, highlighting the limitations of basic authentication in retaining session data.
Summary generated by the language model.