By default to use access_token if hass.auth.active (#15212)

* Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint
2018-06-30 19:31:36 -07:00 · 2018-06-30 19:31:36 -07:00 · f874efb224
commit f874efb224
parent 3da4642194
8 changed files with 468 additions and 83 deletions
--- a/homeassistant/components/websocket_api.py
+++ b/homeassistant/components/websocket_api.py
@ -315,26 +315,32 @@ class ActiveConnection:
                authenticated = True

            else:
+                self.debug("Request auth")
                await self.wsock.send_json(auth_required_message())
                msg = await wsock.receive_json()
                msg = AUTH_MESSAGE_SCHEMA(msg)

-                if 'api_password' in msg:
-                    authenticated = validate_password(
-                        request, msg['api_password'])
-
-                elif 'access_token' in msg:
+                if self.hass.auth.active and 'access_token' in msg:
+                    self.debug("Received access_token")
                    token = self.hass.auth.async_get_access_token(
                        msg['access_token'])
                    authenticated = token is not None

+                elif ((not self.hass.auth.active or
+                       self.hass.auth.support_legacy) and
+                      'api_password' in msg):
+                    self.debug("Received api_password")
+                    authenticated = validate_password(
+                        request, msg['api_password'])
+
            if not authenticated:
-                self.debug("Invalid password")
+                self.debug("Authorization failed")
                await self.wsock.send_json(
-                    auth_invalid_message('Invalid password'))
+                    auth_invalid_message('Invalid access token or password'))
                await process_wrong_login(request)
                return wsock

+            self.debug("Auth OK")
            await self.wsock.send_json(auth_ok_message())

            # ---------- AUTH PHASE OVER ----------
@ -392,7 +398,7 @@ class ActiveConnection:
            if wsock.closed:
                self.debug("Connection closed by client")
            else:
-                _LOGGER.exception("Unexpected TypeError: %s", msg)
+                _LOGGER.exception("Unexpected TypeError: %s", err)

        except ValueError as err:
            msg = "Received invalid JSON"
@ -403,7 +409,7 @@ class ActiveConnection:
            self._writer_task.cancel()

        except CANCELLATION_ERRORS:
-            self.debug("Connection cancelled by server")
+            self.debug("Connection cancelled")

        except asyncio.QueueFull:
            self.log_error("Client exceeded max pending messages [1]:",