/rest/sitemaps returning 401 even when authenticated with Implicit user role turned off

chuci · February 21, 2024, 4:32pm

Hi there,

I’ve got a local 4.1 install running behind nginx with SSL using the build-in auth (i.e. no basic auth in nginx, just a straight pass through). I want to disable “Implicit user role” for the rest API but this apparently breaks the Android App.

As far as I can tell the reverse proxy is working properly, I’m able to use an existing session as well as start a new session in private browsing. The only smoking gun I have for something being wrong is that even when authenticated I get a 401 for /rest/sitemaps and I wonder if this is why the android app is not happy.

172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "POST /rest/auth/token HTTP/1.1" 200 841 "https://oh/settings/" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "GET /rest/sitemaps HTTP/1.1" 401 74 "https://oh/settings/" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "GET /service-worker.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "GET /rest/ HTTP/1.1" 200 446 "https://oh/settings/" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "GET /rest/services HTTP/1.1" 200 582 "https://oh/settings/" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
172.24.0.250 - - [21/Feb/2024:16:21:11 +0000] "GET /rest/inbox HTTP/1.1" 200 33 "https://oh/settings/" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"

Turning the implicit user role on and I get a 200 for the sitemap but I’m reticent to do that because I want to expose things that should require authentication.

Searching the forum hasn’t yielded anything quite like this. Has anyone got any ideas/pointers?

Thanks!

rlkoshak · February 21, 2024, 5:11pm

If you turn off the implicit user role, you need to provide authentication to openHAB from the Android app and then configure even the local connection with a username and password (assuming basic auth is enabled) or enter the API token into the username for the local connection. (assuming API token based auth).

Basic UI doesn’t support logging in like MainUI does so you have to do the authentication in the app itself when you disable the implicit user role.

chuci · February 22, 2024, 11:09am

Hi Rich, thanks for the quick reply.

So I generated an API key for the admin user and have that in the local connection as the username but still no dice with the android app. I think I’m hitting this android app issue so it appears the only way forward (until this is merged into core) is to enable the Implicit User Role and add basic authentication instead.