Optional password disabling #373

Closed
xoseperez opened this issue Jan 6, 2018 · 4 comments

@xoseperez
Owner

Originally reported by: Oskari Rauta (Bitbucket: oskarirauta, GitHub: oskarirauta)


It would be great if there would be an option to choose insecure mode when building a new firmware binary, for those who want to tinker with the image.

I realise how bad it would be, if there would be no password protection at all, but sometimes I get a crazy idea (which usually leads to nothing useful, but the most important thing is to try, right?) and since I don't have a simulator or something similar, when testing these minor changes, I rebuild the image and flash it, it would speed up things, if after every flash attempt, I wouldn't need to re-login.

So for these testing images, I would set a flag that would disable password authentication, system would treat every request as authenticated.

Something like

    #define PASSWORDLESS_DEBUGGING 0 // Insecurity caution! Enabling this will disable password querying completely.

Of course, it's supposed to be set back to 0 with production version binary due to it being so insecure. Someone might think, what is the issue with passwordless login, and there's not much there, probably user already has the wifi password, which he could retrieve from settings backup file, if he gets this far, but the most dangerous issue is if wrong person flashes incompatible image, although on most devices, it's pretty easy to salvage by wiring hardware directly to FTDI adapter...

Anyway, my idea here is something like "debug" mode, for those who like to make minor adjustments or try something, and speed it up a bit, by disabling authentication. This would not need a setting, because it would be "hardwired" to the binary, it should not stop user from changing password (even though there won't be authentication) - because this should just be there for testing purposes. And because while testing, everything should of course be very similar to production environment...

And of course, why not, if it once again happens, that authentication gets broken for some reason (like it was for some time for Safari and some other browsers), this would also be a temporary solution to still use most up to date firmware version until issue gets sorted out...

This is not the most important thing, but just a great idea-
Some of my devices went to AP state, because kids used them, and did accidentally activate AP state with double clicking, so I decided to make some changes to my firmware:

1 ) remove double click feature (didn't know, I can remove it by setting double-click timeout to 0, had already made change to firmware when figured this one out)
2 ) replace long-long press function with original double click feature ( ap mode )
3 ) change timings, 3 seconds for long click (reset), and 15 seconds for long-long click (ap mode, originally factory reset)

Well, it was not difficult at all, due to great code structure by Xose, but as it usually is, things like these require some testing, and therefore, I had several builds to test (one phase at a time).

And actually I was a bit on a side-track, trying to make a quick fix to by-pass password protection temporarily ;)

So anyway, if this isn't hard to implement, some people in the future might be glad for time and trouble saved :)

Anyway, once again, thank you Xose for great work, this is definitely the best available firmware for sonoff's ;)

@xoseperez
Owner Author

Implemented in the dev branch as "USE_PASSWORD" and enabled by default. You can find it at the top of the general.h file.

As for the double-click, long-click,... you can also change the button behavior like this:

    #define BUTTON1_DBLCLICK        BUTTON_MODE_NONE
    #define BUTTON1_LNGCLICK        BUTTON_MODE_NONE
    #define BUTTON1_LNGLNGCLICK     BUTTON_MODE_AP

In the section for the device in the hardware.h file. Look for other sections like the TINKERMAN_ESPURNA_SWITCH. The timings are in the general.h file, but I guess you already found them.
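
A sketch of how a compile-time switch such as the `USE_PASSWORD` flag mentioned above can gate a request check while keeping a passwordless image out of release builds. This is an added example, not ESPurna's code: `RELEASE_BUILD`, `check_auth`, `request_authorized`, `auth_mode_banner` and the sample password are hypothetical names and values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef USE_PASSWORD
#define USE_PASSWORD 1  /* flag name from the thread; on by default */
#endif

/* RELEASE_BUILD is a hypothetical macro a release job would define. */
#if defined(RELEASE_BUILD) && !USE_PASSWORD
#error "USE_PASSWORD=0 is for test images only"
#endif

/* Compare without exiting early on the first mismatching byte. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Flag passed as a parameter so both build variants can be tested. */
bool check_auth(int use_password, const char *supplied, const char *stored) {
    if (!use_password)
        return true;            /* test image: every request passes */
    if (!supplied || !stored || stored[0] == '\0')
        return false;           /* fail closed on missing credentials */
    return ct_equal(supplied, stored);
}

/* With a constant argument the compiler can drop the unused branch. */
bool request_authorized(const char *supplied, const char *stored) {
    return check_auth(USE_PASSWORD, supplied, stored);
}

/* Boot-log line that makes a passwordless image easy to spot. */
const char *auth_mode_banner(void) {
    return USE_PASSWORD ? "auth: password required"
                        : "auth: DISABLED (test image)";
}

int main(void) {
    puts(auth_mode_banner());
    /* "s3cret-sample" is a constructed value, not a real default. */
    return request_authorized("s3cret-sample", "s3cret-sample") ? 0 : 1;
}
```

Building with `-DUSE_PASSWORD=0 -DRELEASE_BUILD` stops at the `#error`, so the insecure variant can only be produced by a non-release build.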

@xoseperez
Owner Author

Original comment by Oskari Rauta (Bitbucket: oskarirauta, GitHub: oskarirauta):


Thanks.

Actually I did just this, although I left reset for the long click, just changed duration to 3 seconds to prevent from accidental resets :)
But yes, first I went to somewhere else ;)

@xoseperez
Owner Author

Released with 1.11.4

@xoseperez
Owner Author

Removing milestone: 1.11.4 (automated comment)

xoseperez added a commit that referenced this issue Jan 24, 2018
… is enabled by default. Use at your own risk (#373)