Home of the Squeezebox™ & Transporter® network music players.
  1. #1
    Senior Member meep's Avatar
    Join Date
    Aug 2007
    Location
    Ireland
    Posts
    189

    Best practice for plugin calling /jsonrpc.js with LMS password protection in place?

    So my Alexa plugin is close to feature complete. I'm now working on allowing it to work when various LMS security settings are in place.

    If the user has enabled LMS password protection, I can make calls to /jsonrpc.js provided that I set the HTTP Authorization header correctly.

    However, to do so, I need to know the user password. I can ask users to enter this in my plugin settings page but I'm wondering if there's a better way for a plugin resident in an LMS to make json calls to the same LMS when password protection is enabled?

    Thanks
    Last edited by meep; 2017-04-13 at 08:44.


    ALEXA LMS SKILL: http://www.hab-tunes.com | Twitter: #habtunes
    Personal HA BLOG: http://mediaserver8.blogspot.com

    Squeezebox | Squeezebox Radio x 2 | Squeezebox Duet

  2. #2
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,628

    Best practice for plugin calling /jsonrpc.js with LMS password protection in place

    > However, to do so, I need to know the user password. I can ask users to
    > enter this in my plugin settings page but I'm wondering if there's a
    > better way for a plugin resident in an LMS to make json calls to the
    > same LMS when password protection is enabled?


    Wouldn't you need to do this on the "other" system which is talking to
    LMS, rather than in LMS itself?

    The password is encrypted before it's stored. Not strongly, but it is.
    Therefore you can't read it for your use.

    --

    Michael

  3. #3
    Senior Member meep's Avatar
    Join Date
    Aug 2007
    Location
    Ireland
    Posts
    189
    Quote Originally Posted by mherger View Post
    > However, to do so, I need to know the user password. I can ask users to
    > enter this in my plugin settings page but I'm wondering if there's a
    > better way for a plugin resident in an LMS to make json calls to the
    > same LMS when password protection is enabled?


    Wouldn't you need to do this on the "other" system which is talking to
    LMS, rather than in LMS itself?

    The password is encrypted before it's stored. Not strongly, but it is.
    Therefore you can't read it for your use.

    --

    Michael
    Hi Michael

    Thanks for getting back to me on this. I missed the notification somehow.

    The 'other' system has no direct access to make LMS calls. It sends commands to the plugin (now via MQTT so no open ports required). The plugin checks the inbound command for authenticity and whether it's a permitted command. If everything checks out, it makes the LMS call. The plugin then sends the response back to the 'other' system. In this way, I can restrict inbound commands to specific users and a specific sub-set of commands. So only the plugin itself needs to know the password.

    In any case, I've instituted a workaround - the plugin simply won't run if LMS password protection is in place.

    Peter


    ALEXA LMS SKILL: http://www.hab-tunes.com | Twitter: #habtunes
    Personal HA BLOG: http://mediaserver8.blogspot.com

    Squeezebox | Squeezebox Radio x 2 | Squeezebox Duet
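
The flow described in post #3 (check the inbound command for authenticity, check it against a permitted subset, then call /jsonrpc.js with the Authorization header), as an added Python sketch that is not the plugin's own code. The thread does not say how authenticity is checked or which scheme the header uses; the HMAC-SHA256 shared key, the allowlist contents, HTTP Basic auth and all function names here are assumptions, and the sample values are constructed.

```python
import base64
import hashlib
import hmac
import json
import urllib.request

# Constructed values for illustration only.
SHARED_KEY = b"constructed-demo-key"
# Permitted command prefixes: anything not starting with one of these is refused.
ALLOWED = {("play",), ("pause",), ("mixer", "volume")}


def sign(payload: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag the sending side attaches to each message (assumed scheme)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_inbound(payload: bytes, tag: str, key: bytes = SHARED_KEY):
    """Return (player, command) only if the message is authentic and permitted."""
    # Verify the tag before parsing anything; compare in constant time.
    if not hmac.compare_digest(sign(payload, key).encode(), tag.encode()):
        raise PermissionError("signature mismatch")
    msg = json.loads(payload)
    cmd = msg.get("command")
    if not isinstance(cmd, list) or not all(isinstance(c, str) for c in cmd):
        raise ValueError("command must be a list of strings")
    if not any(tuple(cmd[:len(p)]) == p for p in ALLOWED):
        raise PermissionError("command not permitted")
    return str(msg["player"]), cmd


def build_lms_request(base_url, player, cmd, user, password):
    """Build (but do not send) the authenticated JSON-RPC call to the local LMS."""
    body = json.dumps(
        {"id": 1, "method": "slim.request", "params": [player, cmd]}
    ).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url + "/jsonrpc.js",
        data=body,
        headers={
            "Content-Type": "application/json",
            "Authorization": "Basic " + token,  # assumed: HTTP Basic
        },
    )
```

The password only appears in `build_lms_request`, so it is the single secret the plugin would have to obtain and store, which is the problem the thread is about.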

  4. #4
    Senior Member
    Join Date
    May 2008
    Location
    Canada
    Posts
    3,008
    Quote Originally Posted by meep View Post
    Hi Michael

    Thanks for getting back to me on this. I missed the notification somehow.

    The 'other' system has no direct access to make LMS calls. It sends commands to the plugin (now via MQTT so no open ports required). The plugin checks the inbound command for authenticity and whether it's a permitted command. If everything checks out, it makes the LMS call. The plugin then sends the response back to the 'other' system. In this way, I can restrict inbound commands to specific users and a specific sub-set of commands. So only the plugin itself needs to know the password.

    In any case, I've instituted a workaround - the plugin simply won't run if LMS password protection is in place.

    Peter
    I did the same on my plugins, in the absence of a good idea for securely storing the password.
    LMS 7.7, 7.8 and 7.9 - 5xRadio, 3xBoom, 4xDuet, 1xTouch, 1 SB2. Sonos PLAY:3, PLAY:5, Marantz NR1603, JBL OnBeat, XBoxOne, XBMC, Foobar2000, ShairPortW, JRiver 21, 2xChromecast Audio, Chromecast v1 and v2, Pi B3, B2, Pi B+, 2xPi A+, Odroid-C1, Odroid-C2, Cubie2, Yamaha WX-010, AppleTV 4, Airport Express
