Password not working on Graphs tab - resolved

Hi:

We set up a password for one of our units. As expected, when we go into the main page authentication asks for User Name and password. We can then access the unit normally.

However, for the Graphs tab (and apparently only that tab) the following happens:

  • When initially selecting the Graphs tab the page is displayed correctly.
  • Once one of the measurements is selected in its checkbox the authentication window pops up again and it won’t accept the user/pass anymore.
  • If we close the authentication window and go back to the main page the window pops up again, so it seems as if the session is being closed. I’m not familiar with authentication so it may be an obvious behavior.

I’m also attaching the most recent entries from the Message Log, basically what is displayed from the Tools menu tab.

MessageLog Latest on 20180810.txt (9.8 KB)

The Log includes the following error, which most likely is unrelated: “EmonService: Invalid configuration.” That’s most likely (I think) happening due to deleted inputs that are still listed in the Emon configuration window (everything named Input_XX).

Thanks.

It behaves differently on different platforms and browsers. What are you using?

Also, are you using both admin and user passwords? If so, could you try setting just an admin password? I can reproduce a similar problem when a user password is set.

If you are still getting this, could you post your config.txt file (w/o the Emoncms key).

Thanks.

Hi:

We tested with Chrome and Firefox; same thing; it kept popping up the authentication window.

Days before this we tried to set up a User password but we were never able to log in using it.

Anyway. It’s working now, but I don’t understand why. What I did: I went to Setup/Passwords, validated the Admin password, then reentered the admin password (so it remains the same) without typing anything at the User password box and it has been working since then. I don’t know if not entering a user password automatically deletes it, though.

Regarding the EmonService error I tried removing the now invalid inputs but the window never shows a save button, so I’m stuck with those. However, the service is not fully configured so it shouldn’t be a problem I guess. See the image below.

Edit: Forgot to attach the config file.

config file.txt (3.0 KB)

Yes, it does. The password menu sets both passwords. Leaving either blank removes it and you cannot set a user password without also setting an admin password. To remove all passwords, save that menu without specifying any passwords.

Your config file was damaged. I have fixed it. config file.txt (2.6 KB)

Thanks a lot.

So the error was related to the damaged file, not configuration.

Another thing: While I was again checking status, and still with an admin password but no user password I noticed that the Device Name text box in the Setup/Device tab was grayed out. I removed the admin pass and the field is now editable.

[Image: Device Name grayed out]

I’m including again the config file in case it is of any help.

config file 20180815.txt (2.6 KB)

Thanks.

That’s by design. With digest authorization, IoTaWatt doesn’t store the actual password, but a cryptographic hash of it that also includes the device name. When you enter the password, your browser creates another hash using the password, the device name, and some other things unique to the request. That way, the authorization is secure.

So since I don’t really know what your password is, I can’t save the new crypto if you change the device name. I force you to remove the password, change the device name, and set a new password.

I hope to get the time to document that (and fix the user led) soon.
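The rename problem described above, as an added example that is not IoTaWatt's code: it walks through RFC 2617 digest authentication with the device name assumed to be the realm, and shows that a stored hash bound to one device name cannot verify a browser response computed under another.

```python
import hashlib
import secrets

# Added example, not IoTaWatt's own code. Assumption: the device keeps the
# RFC 2617 "HA1" value MD5(username:realm:password), with the device name as
# the realm, which is how "a hash that also includes the device name" is read here.

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def stored_ha1(username: str, device_name: str, password: str) -> str:
    """Value the device stores when the password is set; the plaintext is discarded."""
    return md5_hex(f"{username}:{device_name}:{password}")

def browser_response(username: str, realm: str, password: str, method: str,
                     uri: str, nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """Response the browser computes from the realm in the 401 challenge plus per-request values."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def device_verify(ha1: str, method: str, uri: str, nonce: str, cnonce: str,
                  nc: str, response: str) -> bool:
    """The device never needs the password: it finishes the hash from the stored HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)

def rename_scenario(old_name: str = "IotaWatt", new_name: str = "Garage") -> tuple:
    """Returns (verifies_before_rename, verifies_after_rename) for one unchanged password."""
    password = "correct-horse"                       # constructed sample value
    nonce, cnonce = secrets.token_hex(8), secrets.token_hex(8)
    ha1 = stored_ha1("admin", old_name, password)   # set once, while the device is named old_name
    req = ("GET", "/status?inputs=yes", nonce, cnonce, "00000001")
    # Same name in the challenge and in the stored hash: authentication succeeds.
    ok_before = device_verify(ha1, *req, browser_response("admin", old_name, password, *req))
    # Device renamed: the challenge now carries realm=new_name, the browser hashes
    # with it, but the stored HA1 is bound to old_name and cannot be recomputed
    # because the device never kept the password. Hence: remove password, rename, set again.
    ok_after = device_verify(ha1, *req, browser_response("admin", new_name, password, *req))
    return ok_before, ok_after
```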

So that’s why. Thanks !!!

Hi Bob,
I have just received my IoTaWatt and am very happy with it. However I am also having problems with username/password not working on the Graph+, Original Graph or HTML Query. The Graph+ page shows this if I press Esc to get out of the login dialog:

### IotaWatt Graph+

#### 401 Unauthorized

http://iotawatt.local/query?format=json&header=yes&resolution=high&missing=null&begin=d&end=s&select=[time.utc.unix,Input_0.Volts.d1]&group=auto

I have set both an admin and user password and have the latest major version 02_05_00. When I clear both passwords there are no issues.

When I set the passwords, I can login normally to the config app using username “admin” and the password. The username “user” and the read-only password doesn’t work to login to the config app.

What’s happening here? Thanks.

Can you try using only an admin password? The user password is about to be deprecated, it doesn’t work as intended.

Am I wasting my time trying to set both admin and user passwords? Cannot get it to work when accessing from the internet side (router port forwarding to IotaWatt) entering “user” for the username and the password I set. It continually prompts for the username and password, won’t accept what is entered.

user only allows access to read only data. If you are trying to run the config app, you will need to use the admin password.

Mixed results. Using Chrome on Android 6 (Note 4) it constantly prompts for the user name and password. (Same behavior going at it from the LAN side or Internet side.) Does not seem to accept logging in as user. Using Chrome on Win7 x64 I can log in as user (password “user” - no quotes) using http://iotawatt.local/graph2.htm and that works. Navigating to http://iotawatt.local continually prompts for and rejects the user login. I was expecting the main page to simply have fewer options available to “user” but maybe it’s intended you have to go directly to the graph? Still no idea why it doesn’t work on the phone the same as desktop.

TBH there’s not much use for the user password. Its intent was for public facing data display only. If you’re going to hold my feet to the fire on this, you’re going to have to make the case for why it’s necessary.

I’m just trying to understand how it is supposed to work and clarify if it’s broken or deprecated or what. How useful or important the feature is it would be a matter of opinion but my impression is it was meant to allow showing/sharing your information with others via a publicly accessible URL without giving them admin credentials.

That’s the intent. The config app isn’t one of those shares. Graph is. You could also create your own app to display data. The /status endpoint works at user auth, as does /query and the various endpoints associated with the old graph (although they are deprecated).

You can see the various endpoints and their auth in this block of code from webserver:

```cpp
  if(serverOn(authUser,  F("/status"),HTTP_GET, handleStatus)) return;
  if(serverOn(authAdmin, F("/vcal"),HTTP_GET, handleVcal)) return;
  if(serverOn(authAdmin, F("/command"), HTTP_GET, handleCommand)) return;
  if(serverOn(authUser,  F("/list"), HTTP_GET, printDirectory)) return;
  if(serverOn(authAdmin, F("/config"), HTTP_GET, handleGetConfig)) return;
  if(serverOn(authAdmin, F("/edit"), HTTP_DELETE, handleDelete)) return;
  if(serverOn(authAdmin, F("/edit"), HTTP_PUT, handleCreate)) return;
  if(serverOn(authUser,  F("/feed/list.json"), HTTP_GET, handleGetFeedList)) return;
  if(serverOn(authUser,  F("/feed/data.json"), HTTP_GET, handleGetFeedData)) return;
  if(serverOn(authAdmin, F("/graph/create"),HTTP_POST, handleGraphCreate)) return;
  if(serverOn(authAdmin, F("/graph/update"),HTTP_POST, handleGraphCreate)) return;
  if(serverOn(authAdmin, F("/graph/delete"),HTTP_POST, handleGraphDelete)) return;
  if(serverOn(authUser,  F("/graph/getall"), HTTP_GET, handleGraphGetall)) return;
  if(serverOn(authUser,  F("/graph/getallplus"), HTTP_GET, handleGraphGetallplus)) return;
  if(serverOn(authAdmin, F("/auth"), HTTP_POST, handlePasswords)) return;
  if(serverOn(authUser,  F("/nullreq"), HTTP_GET, returnOK)) return;
  if(serverOn(authUser,  F("/query"), HTTP_GET, handleQuery)) return;
  if(serverOn(authUser,  F("/DSTtest"), HTTP_GET, handleDSTtest)) return;
  if(serverOn(authAdmin, F("/update"), HTTP_GET, handleUpdate)) return;
```

By “config app” you mean the main menu… that index.html right off the root directory provides? Can’t view the live status without first clicking the Status button. So I tried extracting what’s necessary for the status view to work and uploaded it as status.htm but it only works when logging in as admin. I also uploaded favicon.ico but it still balks with a not authorized response.

Looking at the webserver code I’m guessing this block is the main limiting factor when trying to access files like htm, txt, ico when logged in as ‘user’.

```cpp
  authLevel level = authAdmin;
  if(path.startsWith(F("/user/")) ||
     path.startsWith(F("/graphs/")) ||
     path.startsWith(F("/graph.")) ||
     path.startsWith(F("/graph2."))){
    level = authUser;
  }
```

As far as I can tell that allows the graphs to work and not much else.

status.htm (18.5 KB)

The status endpoint is an API that returns the data index.htm uses to display the status. If you browse to:

http://iotawatt.local/status?inputs=yes&outputs=yes

You will get an authorization request, and if you enter the user credentials it will work. The response is json. You would need to write an app to issue the API and display the data.

The first line allows access to anything in a directory called /user/. You can put your app in there and access it with user credentials. Regardless of where it comes from, any application must be running with admin credentials in the browser if it tries to use API endpoints protected as admin.

Look, it’s not a robust unix system with unlimited memory and processing. The ESP8266 is spending 67% of its time monitoring your electricity use and the rest trying to act like a real computer using very limited resources. I know of very few ESP8266 applications that do digest authentication, and I don’t know of any others that do multiple user classes. The underlying tools do not support it.
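The two authorization rules quoted in the thread (the endpoint table and the path-prefix check for files), as an added model that is not the IoTaWatt webserver's code; it shows why a status page at the root needs admin while the same page under /user/ works, and why one admin-only request such as favicon.ico is enough to make a browser re-prompt. Only a subset of the endpoint table is reproduced.

```python
# Added example, not the IoTaWatt webserver's code. It mirrors the two rules
# shown in the thread: named API endpoints carry an explicit auth level, and any
# other path is admin-only unless it starts with /user/, /graphs/, /graph. or /graph2.
AUTH_NONE, AUTH_USER, AUTH_ADMIN = 0, 1, 2
ROLE_LEVEL = {None: AUTH_NONE, "user": AUTH_USER, "admin": AUTH_ADMIN}

# (method, path) -> required level; subset copied from the webserver block above.
ENDPOINTS = {
    ("GET", "/status"): AUTH_USER,
    ("GET", "/query"): AUTH_USER,
    ("GET", "/graph/getall"): AUTH_USER,
    ("GET", "/config"): AUTH_ADMIN,
    ("GET", "/command"): AUTH_ADMIN,
    ("PUT", "/edit"): AUTH_ADMIN,
    ("DELETE", "/edit"): AUTH_ADMIN,
    ("POST", "/auth"): AUTH_ADMIN,
    ("POST", "/graph/create"): AUTH_ADMIN,
}
# File paths the path.startsWith() block downgrades to user level.
USER_FILE_PREFIXES = ("/user/", "/graphs/", "/graph.", "/graph2.")

def required_level(method: str, path: str) -> int:
    """Endpoint table first (as the serverOn chain does), then the file-path rule."""
    path = path.split("?", 1)[0]          # query string does not affect routing
    if (method, path) in ENDPOINTS:
        return ENDPOINTS[(method, path)]
    return AUTH_USER if path.startswith(USER_FILE_PREFIXES) else AUTH_ADMIN

def authorize(role, method: str, path: str) -> bool:
    """True if the role's level meets the path's level; otherwise the device answers 401."""
    return ROLE_LEVEL.get(role, AUTH_NONE) >= required_level(method, path)

def page_loads(role, requests) -> tuple:
    """A page 'works' only if every request it issues is authorized.

    One denied sub-resource (a stylesheet, favicon.ico, a .txt the page fetches)
    yields a 401 and the browser re-prompts, which is the looping dialog in the thread.
    Returns (all_ok, list_of_denied_paths).
    """
    denied = [p for m, p in requests if not authorize(role, m, p)]
    return (not denied, denied)
```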

I’m not complaining, just trying to understand how it works and what is possible. I’ve been slinging code full time since 1993 but mostly what I do is C# (.NET), Microsoft stack, database, Windows services, etc. HTML, Javascript, and C++ aren’t my areas of expertise to put it mildly. :slight_smile:


I think I finally got it working the way I wanted. I put everything in the /user directory like you said. I had to drop copies of config.txt, tables.txt, and cnfstyle.css in there as well, which isn’t ideal, but it got me further down the road. I added some HTML to tell the browser not to request favicon.icon and removed reference to burden.txt and that seemed to help with the browser repeatedly prompting for the credentials. Need to go test it on my phone now… and crack open a beer. :beer:

status.htm (18.2 KB)