Get Current Profile does not work with Bearer Auth #7

Open
helmut64 opened this issue Oct 10, 2023 · 3 comments
Comments

@helmut64

I got the entire Bearer auth running with my standalone C++ Mac application which I like to port down to an ESP32 later on for energy switching based on metered data. Thanks for this great documentation.

When requesting the Profile "installer/agf/details.json", the Bearer token based auth gives error 401. Using an HTTP session cookie e.g.:
"envoy_122143077773=xxx; sessionId=3TUYsfNoGCYPQmCyDPuvoMRAWV6OiNaA"
it works with a different session ID compared to the Bearer login session ID.
It works only if I login via Firefox to envoy.local via login with Enphase, then copying this session ID from the browser into my app.

PS: Have you logged into the Envoy via a TTY serial adapter to see the running code and the JavaScript code (maybe Node.js), or any other trick?

@Matthew1471 (Owner) commented Oct 10, 2023

/installer/* is currently restricted to tokens of prov or greater (the most recent update enforced role based access more strictly - previously we were able to get a lot with just a valid token), that's why you'll get a 401 Not Authorised if using the correct URL but with the wrong token for that URL:

{
  "anybody": 1,
  "monitor": 2,
  "owner": 2,
  "prov": 3,
  "support": 4,
  "sysadmin": 5,
  "installer": 6,
  "envoy": 7,
  "enphase": 7,
  "factory": 7
}

You won't be able to access this by logging into the Enphase site with an owner token, you will need to use your installer token (you can view the contents of the JWT in https://jwt.io).

Some of the URLs support the Bearer directly, but for most cases it is best to call check_jwt with the JWT and get the session ID that you then supply to the endpoints rather than the JWT. Have you seen the wrapper documentation?

Owner tokens are valid for 1 year but installer tokens are currently valid for 12 hours (just enough to provision the customer's system). Some of my examples take the username and password and renew the tokens automatically.

Check which role your token has (and the account you're using to log in) then try again and it should work.

I do plan to document which URLs require which roles in future. As for access to the platform, I actually have discovered a security vulnerability which allows me access to the system - Enphase Cyber Security are working on a fix (responsibly disclosed 26th July 2023, although I actually ended up finding ~7 issues)... but had I not found this it would have been fairly easy to check which URLs are accessible to which type of token or not based off the current documentation generator which is in this repo.

The code is actually Ruby and for the meters compiled native (both via Nginx and mongrel2).

Glad you like the project.

Kind Regards,
Matthew
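As an added example (not code from the wrapper project or from either participant), here is a local check of what a token claims before sending it to an /installer/* URL: it decodes the JWT payload without verifying the signature (the same view jwt.io gives), then compares the token's role rank against the table above and its expiry against the current time. The claim name in ROLE_CLAIM is an assumption; confirm it against your own decoded token.

```python
import base64
import json
import time

# Role ranks as quoted in the comment above; /installer/* needs "prov" (3) or higher.
ROLE_RANK = {
    "anybody": 1, "monitor": 2, "owner": 2, "prov": 3, "support": 4,
    "sysadmin": 5, "installer": 6, "envoy": 7, "enphase": 7, "factory": 7,
}

# ASSUMED claim name carrying the role; check your real token's payload on jwt.io.
ROLE_CLAIM = "enphaseUser"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here;
    this only shows what the token says about itself, like pasting it into jwt.io."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for(token: str, min_role: str, now=None):
    """Return (allowed, reason): does the token's role rank and expiry meet min_role?"""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")  # standard JWT expiry claim (seconds since epoch)
    if exp is not None and exp <= now:
        return False, f"token expired {int(now - exp)}s ago; renew it before retrying"
    role = claims.get(ROLE_CLAIM)
    have, need = ROLE_RANK.get(role, 0), ROLE_RANK[min_role]
    if have < need:
        return False, f"role {role!r} (rank {have}) is below {min_role!r} (rank {need}); expect 401"
    return True, f"role {role!r} (rank {have}) satisfies {min_role!r} (rank {need})"


def make_sample_token(claims: dict) -> str:
    """Constructed demo token with a placeholder signature; not a real Envoy token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now" so the output is reproducible
    owner = make_sample_token({ROLE_CLAIM: "owner", "exp": t0 + 365 * 86400})
    installer = make_sample_token({ROLE_CLAIM: "installer", "exp": t0 + 12 * 3600})
    print(check_token_for(owner, "prov", now=t0))                  # owner (2) < prov (3)
    print(check_token_for(installer, "prov", now=t0))              # installer (6) >= prov (3)
    print(check_token_for(installer, "prov", now=t0 + 13 * 3600))  # 12 h installer token expired
```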

@Matthew1471 Matthew1471 added the invalid This doesn't seem right label Oct 10, 2023
@Matthew1471 Matthew1471 self-assigned this Oct 10, 2023
@helmut64 (Author)

Hi Matthew, thanks for the quick answer, cool that you have access to the Envoy; add an additional user account so that you can continue to investigate the Envoy after a new SW release.

The username/account is always the same in my test case. The difference is only that the non working session ID I get via the login.json login. The working one I get via the envoy.local login button which goes to:
https://entrez.enphaseenergy.com/authorize?code_challenge=ScInkHS2CAbrLT_O_a0EAQMRyvYOKK9FdJiAljFSRLU&client_id=envoy-ui-client&redirect_uri=https://helmut.dnshome.de/auth/callback&scope=122_ENVOY_SERIAL&response_type=code&code_challenge_method=S256
Yes I have an Enphase installer status and I can install batteries and provision entire sites.
You may know the "Enphase Battery Inside" tour on YT.

My long term goal is to get the Envoy and IQ7/IQ8 to produce power in an island mode, at present the System Controller is not available in Europe. I may need to join the three phases into a single one to have a chance to get this running. For this, understanding profiles is important. Also the PLC communication is probably of help to understand and maybe needed for this.

Best regards, Helmut

@Matthew1471 (Owner) commented Oct 10, 2023

> My long term goal is to get the Envoy and IQ7/IQ8 to produce power in an island mode, at present the System Controller is not available in Europe.

I have that with the Tesla Powerwall system (specifically the Tesla Gateway). The microinverters need to see a grid that is within safe parameters to continue operating. As the storage battery becomes fully charged the emulated grid can then use frequency-watt control to continue providing power to the home but encourage the third-party microinverters to safely reduce (and eventually stop) generating (as part of the grid profile which I personally believe is currently non-optimal for the UK). In the UK at least, one has to physically island from the utility to prevent the microinverters trying to power the grid and electrocuting the utility company's workers.

Enphase IQ8's Sunlight Backup (which does not require a battery and was true islanding depending solely on current PV conditions - but almost certainly still triggering a disconnect from the grid in the System Controller) will not make it to Europe but it doesn't sound like something that would work properly over here anyway (clouds and typically smaller installations due to our smaller homes).

> The difference is only that the non working session ID I get via the login.json login

I am not using login.json I use {Authentication.AUTHENTICATION_HOST}/entrez_tokens, have you tried the examples at the wrapper documentation? I do not like the suggestion in Enphase's official docs to use Enlighten to get the token and prefer to talk to the authentication service once rather than go via Enlighten. The IQ Gateway itself goes via the authentication service and not via Enlighten.

> You may know the "Enphase Battery Inside" tour on YT.

I went to the IQ8 and IQ Battery 5P roadshows in the UK. I'm getting worryingly good at supporting the platform now 🤣

For 3-phase systems the IQ Gateway I believe can only sit on 1-phase (as you would expect), so one would need to repeat the PLC data on the other phases by purchasing the IQ Relay, which behaves as a "built-in phase coupler to distribute power line communications (PLC) signals across phases". There's probably third-party ways to accomplish the same thing, but I am not an electrician; I am computer technical by trade.
