We currently have no security at all on the web ui and websocket api that is served by the car. This means that anyone who knows or can guess the car's local name can open the web ui and operate the car. We should add an optional username and password that must be entered in the basic auth prompt of the browser and in the initial websocket GET request's Authorization header in order to use those features.
Allow the user to set a username and password for basic auth in their myconfig.py configuration. The default is no username (None), in which case basic authorization is not required.
If myconfig.py has a non-None username then the car's web server will require basic authorization to use the web ui and the websocket api.
It is ok to use the default basic auth challenge that the web server provides when opening the web page.
For the websocket api, if the username is non-Null in the myconfig.py, then the webserver should check the value of the Authorization header against the username and password in the myconfig.py file and return a 403 Forbidden response if they do not match. Further, if the username in myconfig.py is non-Null and the websocket request does not contain an Authorization header then the webserver should respond with a 401 Not Authorized response.
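The decision logic requested above, sketched as an added example that is not part of the original issue or the project's code. The setting names `WEB_AUTH_USERNAME` and `WEB_AUTH_PASSWORD`, the helper names, and the choice to answer a malformed header with 403 are assumptions; the issue specifies only the missing-header (401) and mismatch (403) cases.

```python
import base64
import binascii
import hmac
from typing import Optional

# Hypothetical myconfig.py settings; the issue does not name them.
WEB_AUTH_USERNAME = "driver"          # None disables the check
WEB_AUTH_PASSWORD = "constructed-pw"  # constructed sample value


def parse_basic(header: str) -> Optional[tuple]:
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")  # the password may itself contain ':'
    return (user, pw) if sep else None


def auth_status(header, username=WEB_AUTH_USERNAME, password=WEB_AUTH_PASSWORD) -> int:
    """Status for the websocket GET handshake: 101 to proceed, 401 or 403 to refuse."""
    if username is None:
        return 101  # auth not configured, current behaviour is kept
    if header is None:
        return 401  # the response should also carry WWW-Authenticate: Basic
    creds = parse_basic(header)
    if creds is None:
        return 403  # assumption: a malformed header counts as a mismatch
    # Evaluate both comparisons in constant time before combining them.
    user_ok = hmac.compare_digest(creds[0].encode(), username.encode())
    pw_ok = hmac.compare_digest(creds[1].encode(), (password or "").encode())
    return 101 if (user_ok and pw_ok) else 403


def make_header(user: str, pw: str) -> str:
    """Build the header value a client would send (used here for sample input)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
```

Basic credentials are only base64-encoded, so without TLS they are readable by anyone who can observe the car's network traffic.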