Homepage Widget API Error #838

Closed
2 tasks done
TheCBiker opened this issue Oct 12, 2024 · 16 comments · Fixed by gethomepage/homepage#4122
Labels
Setup 📥 These are probably setup or user environment related issues.

Comments

@TheCBiker

TheCBiker commented Oct 12, 2024

Is there an existing issue for this?

Current Behavior

Since version 24.10.12 an API error appears in the homepage widget.
(screenshot of the widget error)

Expected Behavior

Correct display of data fields in the homepage widget.

Steps To Reproduce

No response

app.conf

No response

docker-compose.yml

No response

What branch are you running?

Production

app.log

Error log from Homepage Widget:

API-Fehler: Invalid data
URL: http://192.168.XXX.XXX:20211/php/server/devices.php?action=getDevicesTotals
Antwortdaten:

<title>NetAlert X | Log in</title>

Enter your password

Remember
(valid for 7 days)
Log in
<div style="padding-top: 10px;">
  <button class="btn btn-xs btn-primary btn-block btn-flat" onclick="Passwordhinfo()">Password Information</button>
</div>
X

Password Information

Passwords are set via the Set Password plugin. Check the SETPWD docs if you have issues logging in.

<script src="lib/AdminLTE/bower_components/jquery/dist/jquery.min.js"></script> <script src="lib/AdminLTE/bower_components/bootstrap/dist/js/bootstrap.min.js"></script> <script src="lib/AdminLTE/plugins/iCheck/icheck.min.js"></script> <script> $(function () { $('input').iCheck({ checkboxClass: 'icheckbox_square-blue', radioClass: 'iradio_square-blue', increaseArea: '20%' /* optional */ }); }); function Passwordhinfo() { var x = document.getElementById("myDIV"); if (x.style.display === "none") { x.style.display = "block"; } else { x.style.display = "none"; } } </script>

Debug enabled

  • I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.
@TheCBiker TheCBiker added the bug 🐛 Something isn't working label Oct 12, 2024
@jokob-sk
Owner

Hi @TheCBiker ,

I assume you have a password set? If so, try to disable the password functionality.

@TheCBiker
Author

OK, if I remove the password it works. But why did it work with a password in the previous version?
(screenshot of the widget working)

@jokob-sk
Owner

Glad to hear that! These changes should increase the overall security of the application going forward. I might create some alternative ways to retrieve the data, so that it's accessible even when a password is set, but the first step is to improve the security.

@jokob-sk jokob-sk added Setup 📥 These are probably setup or user environment related issues. and removed bug 🐛 Something isn't working labels Oct 12, 2024
@TheCBiker
Author

I understand. Thank you.

@shamoon

shamoon commented Oct 12, 2024

Homepage dev here. So to clarify, the API previously did not use any kind of auth and at some point you may add it? I'll follow the issue here for if/when you can do so, and we'll update on our side to support it.

@jokob-sk
Owner

Thanks @shamoon 🙏 if you have any suggestions on how other apps are handling this, please let me know. My first thoughts would be either to exclude this API path from authentication, create a new endpoint not requiring authentication, or add support for an API token/bearer/authentication header.

There is already a SYNC_api_token header bypass built in to support the synchronization plugin, if that's something we can use, should Homepage support passing it in the request.

```php
$api_token = getConfigValue('/^SYNC_api_token.*=/', $configLines, "'");
```

Thanks in advance for the help.

@shamoon

shamoon commented Oct 12, 2024

I think token/bearer auth is the ideal choice (I think this app deals with sensitive-enough stuff that leaving it completely open isn't ideal). But of course I don't know what your codebase is like and how much of a pain that is (generally I'm happy to help with PRs etc. but don't really have the bandwidth at the moment).

I'd say low priority but I'll follow along!

@jokob-sk
Owner

Thanks, understandable. So if Homepage already supports consuming bearer tokens, then this should already be supported in NetAlertX in the current version.

Auth header: `Authorization`
Format: `Bearer <SYNC_api_token>`

```php
$authHeader = apache_request_headers()['Authorization'] ?? '';
$sessionLogin = isset($_SESSION['login']) ? $_SESSION['login'] : 0;
// Start session if not already started
if (session_status() == PHP_SESSION_NONE) {
    session_start();
}
// Handle logout
if (!empty($_REQUEST['action']) && $_REQUEST['action'] == 'logout') {
    session_destroy();
    setcookie(COOKIE_SAVE_LOGIN_NAME, "", time() - 3600);
    redirect('index.php');
}
// Load configuration
if (!file_exists(CONFIG_PATH)) {
    die("Configuration file not found.");
}
$configLines = file(CONFIG_PATH);
// Handle web protection and password
$nax_WebProtection = strtolower(trim(getConfigLine('/^SETPWD_enable_password.*=/', $configLines)[1] ?? 'false'));
$nax_Password = getConfigValue('/^SETPWD_password.*=/', $configLines);
$api_token = getConfigValue('/^SYNC_api_token.*=/', $configLines, "'");
$expectedToken = 'Bearer ' . $api_token;
// Authentication Handling
if ($nax_WebProtection == 'true') {
    if ($authHeader === $expectedToken) {
        $_SESSION['login'] = 1; // User authenticated with bearer token
    }
    // remaining branches not included in this excerpt
}
```

Let me know if I need to support a different format or if this is already workable.
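The bearer-token path described in the comment above, as an added example that is not NetAlertX's own code (the project is PHP; this is a stand-alone Python model of the same decision). It parses a constructed `key=value` config fragment with the keys the excerpt reads (`SETPWD_enable_password`, `SYNC_api_token`), lets a request through when password protection is off, and otherwise grants access only when the `Authorization: Bearer <token>` header matches the configured token. Two deliberate differences from the excerpt: the comparison is constant-time (`hmac.compare_digest` instead of `===`), and an empty configured token is never accepted, so a blank `SYNC_api_token` cannot satisfy the check. `build_client_headers` and `generate_token` are assumed helper names standing in for what a dashboard such as Homepage sends and for the "any value works" token generation mentioned later in the thread.

```python
"""Bearer-token access check modelled on the NetAlertX excerpt (added example)."""
import hmac
import secrets

# Constructed configuration fragment; in NetAlertX these come from app.conf.
CONFIG_LINES = [
    "SETPWD_enable_password=True",
    "SYNC_api_token='s3cr3t-token-value'",
]


def config_value(lines, key):
    """Return the value of `key=...` from simple key=value lines, quotes stripped."""
    for line in lines:
        if line.startswith(key + "="):
            return line.split("=", 1)[1].strip().strip("'\"")
    return ""


def request_allowed(headers, lines):
    """Decide whether a request may read the devices API.

    Mirrors the excerpt's structure: if password protection is disabled the
    request is allowed as-is; if enabled, only a matching Bearer token grants
    access (the form-based login path is out of scope here).
    """
    protection = config_value(lines, "SETPWD_enable_password").lower()
    if protection != "true":
        return True  # no password protection configured
    token = config_value(lines, "SYNC_api_token")
    if not token:
        return False  # refuse to treat an empty configured token as a credential
    auth = headers.get("Authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme != "Bearer" or not presented.strip():
        return False
    # Constant-time comparison so response timing does not depend on how many
    # leading characters of the presented token were correct.
    return hmac.compare_digest(presented.strip(), token)


def build_client_headers(token):
    """Assumed helper: the header a dashboard sends once the token is configured."""
    return {"Authorization": f"Bearer {token}"}


def generate_token(nbytes=32):
    """Assumed helper: any value works as SYNC_api_token; a random one is sensible."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(request_allowed(build_client_headers("s3cr3t-token-value"), CONFIG_LINES))
    print(request_allowed({}, CONFIG_LINES))
    print(generate_token())
```

Running the file prints `True`, `False` and a fresh random token. The empty-token and missing-header branches are the two cases worth keeping in any real implementation of this path: without them, enabling password protection with no token configured would be equivalent to leaving the API open.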

@shamoon

shamoon commented Oct 12, 2024

Oh cool, yea, lemme try it out!

Sorry for being lazy, I'm not super familiar with the app, where do you get the SYNC_api_token?

@shamoon

shamoon commented Oct 12, 2024

Got it, and yup, works! 😎

I'll PR homepage, feel free to close this =)

(screenshot of the Homepage widget showing data)

@jokob-sk
Owner

Nah all good :) Thanks for the help and supporting the app in Homepage

For anyone reading - you set the token in NetAlertX here:

(screenshot of the NetAlertX token setting)

@Byrnesdigital

> Nah all good :) Thanks for the help and supporting the app in Homepage
>
> For anyone reading - you set the token in NetAlertX here:
>
> (screenshot of the NetAlertX token setting)

My apologies but how does one generate an API token? This is what I'm currently staring at
(screenshot of the empty token field)

And this is the API error I'm getting on Homepage, I'm assuming for not having the api token set up in services.
(screenshot of the Homepage widget error)

@shamoon

shamoon commented Oct 16, 2024

Did you try… typing one into that field?

@Byrnesdigital

> Did you try… typing one into that field?

Of course....not. Wasn't sure if it was the kinda thing that had to be generated by the app itself. Managed to create a token, pop it in there, and now I'm good to go.

@jokob-sk jokob-sk reopened this Oct 16, 2024
jokob-sk pushed a commit that referenced this issue Oct 19, 2024
@jokob-sk
Owner

Added a button to generate one and mentioned in the description that any value can be used:
(screenshot of the token setting with the generate button)

@jokob-sk
Owner

released -> closing
