User authorization coming next week

The last ALPHA release incorporated lwip 2 which works well for VPN or other WAN access. So with the actual communications running smoothly, it’s now possible to open up a port on your router to access port 80 on the IoTaWatt and use it from anywhere on the internet. All of the features work. You can configure, look at the log, and use the graph application. With a good connection, it’s not really different from being on the same LAN.

So now that you can open it to access from anywhere, so can everyone else. One thing leads to another and now I’ve added user authentication to make it difficult for hackers to access your IoTaWatt.

In the absence of a true secure connection, I opted to use what is called digest authentication, which has been around a long time. Although it has vulnerabilities, it’s a significant barrier to all but sophisticated hackers. I think it’s a good balance for IoTaWatt given that there isn’t much incentive to expend a lot of time and energy hacking one, but you be the judge.

The new scheme will introduce two new optional user/password credentials with the fixed usernames of admin and user (case sensitive). The passwords for each of these credential sets can be specified with a new passwords tab under the setup menu.

If you do not elect to set an admin password, your IoTaWatt will continue to work as it always has with no apparent authorization required for anything.

If you do specify an admin password, you will be required to sign in whenever you initiate a browser session with the IoTaWatt. Once you sign in, your IoTaWatt will work as it always has with no apparent authorization required for anything, for the life of that browser session.

Most of the IoTaWatt resources require admin level authorization when an admin password has been specified, and all resources are available when signed in as admin. There is a group of resources, intended for reading data. Those resources can be accessed by anyone if the user password is not specified, or by anyone who signs in as user with the user password.

Those user resources include the APIs to query the datalogs, and access to the directory/user on the SDcard. So for instance, the graph.htm and graph.js files can be copied from root to the /user directory and run from there without admin level authorization.

The passwords are only sent to IoTaWatt when you first set them or subsequently change them. The actual passwords are not retained by IoTaWatt. Care must be taken not to lose them. There is a procedure for reverting back to no passwords, but that requires physical access to the SDcard within the IoTaWatt.
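An added example (not IoTaWatt's firmware) of the scheme described above: a server-side digest check that keeps only the MD5 hash HA1 of user:realm:password, so the password itself is never stored, combined with the admin/user resource rule. The realm string and the /query prefix for the datalog APIs are assumptions.

```python
import hashlib
import hmac
import secrets

REALM = "IoTaWatt"  # assumed realm string (hypothetical, not from the post)

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, password: str) -> str:
    # HA1 = MD5(user:realm:password); the device keeps this digest, never the password
    return md5_hex(f"{username}:{REALM}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestAuthorizer:
    def __init__(self, admin_password=None, user_password=None):
        self.ha1 = {}  # HA1 per fixed username (admin, user); unset password = credential absent
        if admin_password is not None:
            self.ha1["admin"] = ha1("admin", admin_password)
        if user_password is not None:
            self.ha1["user"] = ha1("user", user_password)
        self.nonces = set()  # server-issued nonces still valid for a challenge

    def new_nonce(self) -> str:
        n = secrets.token_hex(16)
        self.nonces.add(n)
        return n

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        stored = self.ha1.get(username)
        if stored is None or nonce not in self.nonces:
            return False  # unknown credential set, or a nonce this server never issued
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)

    def authorize(self, uri, auth=None) -> bool:
        # auth: dict of the client's Digest fields, or None when no Authorization header was sent
        # Read-only group: the /user directory (and, assumed here, /query for the datalog APIs)
        user_resource = uri.startswith("/user/") or uri.startswith("/query")
        if "admin" not in self.ha1:
            return True  # no admin password: device behaves as before, nothing is gated
        if user_resource and "user" not in self.ha1:
            return True  # read-only resources stay open until a user password exists
        if auth is None:
            return False
        ok = self.verify(auth["username"], auth["method"], uri, auth["nonce"], auth["nc"], auth["cnonce"], auth["response"])
        return ok and (auth["username"] == "admin" or user_resource)
```

A real server would also expire nonces and track the nc counter to block replays; this block only rejects nonces it never issued.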

While retaining robust support for Emoncms and InfluxDB, this enhancement makes it possible to operate with a standalone IoTaWatt setup and access the data directly from anywhere on the internet. As I move into a new phase of documenting with Read the Docs, I will make the query APIs more transparent so that hopefully, more apps will surface that can directly use the IoTaWatt.
