GL-S200 Code Example - Access Denied

I finally upgraded my first S200 to the new version 4.7.0-0500 for testing and it seems that the update has broken the "Code" examples, and all of my code. The RPC mechanism seems to be broken?

root@GL-S200:/usr/bin# curl -s localhost/rpc -d '{"jsonrpc":"2.0","id":"0","method":"call","params":["","gw","get_device_list",{}]}'
{"id":"0","jsonrpc":"2.0","error":{"message":"Access denied","code":-32000}}

The curl that you provided in the examples, and that I use in all of my code, is now failing with an Access denied" error?

@lancer Any ideas on what is occurring here, and what the fix is?

As a side note, I looked and is does appear that a number of the rpc packages are out of date?

rpcd
2021-03-11-ccb75178-2
2022-02-19-8d26a1ba-1 new
22.94 KB

rpcd-mod-file
2021-03-11-ccb75178-2
2022-02-19-8d26a1ba-1 new
7.19 KB

rpcd-mod-iwinfo
2021-03-11-ccb75178-2
2022-02-19-8d26a1ba-1 new
7.47 KB

Not that this is the issue ... but hopefully you are aware.

Hi @Humancell ,
You need to fill the right token in your json like:

curl -s localhost/rpc -d '{"jsonrpc":"2.0","id":"0","method":"call","params":["qXCj2GGXvEN4yYiS1ra1uWhgRxF4Yt2c","gw","get_device_list",{}]}'

You should replace the token "qXCj2GGXvEN4yYiS1ra1uWhgRxF4Yt2c" with your right token which you could get from your console.

image1325×845 79 KB

Hello,

Thank you ... that seems to have worked! Where was that documented? And why do I have to get it from the browser console for such an important change and piece of information?

Hi,

I think it was not documented, I will follow it in time.
And as for the token, only if you have logged in the Admin Panel you could get it from the browser console, and it would refresh every time you log.

Does this mean that every time I log into my web console it will change the token and break my scripts?

Yep, it actually will

Do you have an estimate of when this critical bug will be fixed??

I don't think it is a bug. Instead, it was designed that way for security.

It is completely a bug!

To say that every time I login to the web interface it is going to break all of my scripts that are installed and running via cron is most certainly a bug.

My scripts are calling the APIs to retrieve data from the TDBs and then posting the data to the cloud. So they must keep running no matter what.

You are now making me insert this key into my script, but then are telling me that if I then login into the web interface it will change the key and break my scripts. This is broken and will not work.

Please report this as a bug. This change has broken the product severely and made the scripts and APIs almost useless.

The so called "Bug" is the lack of documentation. But the function you are describing is how securing a API request works.
A good start would be Http RESTful API - GL.iNet IoT Docs

1. Use your credentials to gather a token.
2. Use the token within a timeframe to gather your information or place your settings
3. If the token is too old, get a new one, start from 1.

Of course you could send your credentials with every request ... But how would this be secure?

I don't know if we talk about bash (.sh) or python (.py) ... But I am too lazy to write both. So shell it will be.

#!/bin/bash

user='root'
pwd='Very53cur3!'
host='192.168.8.1'

There is only one user on the router. So the username should be the same. But i hope your password differs from mine. The IP is the default IP.

asn=$(curl -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"challenge","params": {"username": "'$user'"},"id": 0}' http://$host/rpc -s )

alg=$(jq -n "$asn" | jq '.result.alg' | tr -d '"')
salt=$(jq -n "$asn" | jq '.result.salt' | tr -d '"')
nonce=$(jq -n "$asn" | jq '.result.nonce' | tr -d '"')

The first request is against the API with your known username. It could be hardcoded root. But no. ... This request will get you the used algorithm, the salt and the nonce. And split it.

saltedpwd=$(openssl passwd -1 -salt "$salt" "$pwd")

An attacker could sniff the whole conversation and get the salt before, it could be less secure. But the above written password is not send at any time in clear text!

hash=$(echo -n "$user:$saltedpwd:$nonce" | md5sum | cut -d' ' -f1)

sid=$(curl -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"login","params": {"username": "'$username'", "hash": "'$hash'"},"id": 0}' http://$host/rpc -s | jq '.result.sid' | tr -d '"')

Do your API things:

curl -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"call","params":["'$sid'", ... some JSON jibber jabber ... ],"id": 0}' http://$host/rpc -s 

I hope this helps as a start ...
Ah, don't forget the timings ... If I remember correct, the first 3 steps needs to be done in 2000ms, the final request could take a little longer.

Hello @LupusE ,

Thanks for jumping in, but I'm not sure that you are familiar with the GL-S200. The lack of documentation is not what you think, and the authentication is not what you are looking at.

These scripts are running on the S200, and accessing the RPC APIs that are documented (partially) here: Overview - GL.iNet IoT Docs

If you read the entire thread you'll see that this thread is about a completely different authentication. The link I just provided does not include the new "key" requirement that @Barry provided in his answers. He did provide the correct solution, HOWEVER there is a BUG in the code due to the fact that they are rotating the key every time someone logs into the web portal ... according to @Barry

I am currently discussing this with the leadership of GL-iNet to get this resolved ... and hopefully they can do this soon as it is breaking all of our installed systems. I was about to publish some of my sample scripts using this RPC API, but now they all break. In the past, the new "key" was not required, and now that it's required all of the scripts are broken by a simple login to the web portal.

They should ahve created a proper API Key management if they were going to do this.