core/homeassistant/components/http/auth.py

"""Authentication for HTTP component."""

import base64
import hmac
import logging

from aiohttp import hdrs
from aiohttp.web import middleware
import jwt

from homeassistant.core import callback
from homeassistant.const import HTTP_HEADER_HA_AUTH
from homeassistant.auth.providers import legacy_api_password
from homeassistant.auth.util import generate_secret
from homeassistant.util import dt as dt_util

from .const import KEY_AUTHENTICATED, KEY_REAL_IP

DATA_API_PASSWORD = 'api_password'
DATA_SIGN_SECRET = 'http.auth.sign_secret'
SIGN_QUERY_PARAM = 'authSig'

_LOGGER = logging.getLogger(__name__)


@callback
def async_sign_path(hass, refresh_token_id, path, expiration):
    """Sign a path for temporary access without auth header."""
    secret = hass.data.get(DATA_SIGN_SECRET)

    if secret is None:
        secret = hass.data[DATA_SIGN_SECRET] = generate_secret()

    now = dt_util.utcnow()
    return "{}?{}={}".format(path, SIGN_QUERY_PARAM, jwt.encode({
        'iss': refresh_token_id,
        'path': path,
        'iat': now,
        'exp': now + expiration,
    }, secret, algorithm='HS256').decode())


@callback
def setup_auth(app, trusted_networks, api_password):
    """Create auth middleware for the app."""
    old_auth_warning = set()

    @middleware
    async def auth_middleware(request, handler):
        """Authenticate as middleware."""
        authenticated = False

        if (HTTP_HEADER_HA_AUTH in request.headers or
                DATA_API_PASSWORD in request.query):
            if request.path not in old_auth_warning:
                _LOGGER.log(
                    logging.INFO if api_password else logging.WARNING,
                    'You need to use a bearer token to access %s from %s',
                    request.path, request[KEY_REAL_IP])
                old_auth_warning.add(request.path)

        if (hdrs.AUTHORIZATION in request.headers and
                await async_validate_auth_header(request, api_password)):
            # it included both use_auth and api_password Basic auth
            authenticated = True

        # We first start with a string check to avoid parsing query params
        # for every request.
        elif (request.method == "GET" and SIGN_QUERY_PARAM in request.query and
              await async_validate_signed_request(request)):
            authenticated = True

        elif (api_password and HTTP_HEADER_HA_AUTH in request.headers and
              hmac.compare_digest(
                  api_password.encode('utf-8'),
                  request.headers[HTTP_HEADER_HA_AUTH].encode('utf-8'))):
            # A valid auth header has been set
            authenticated = True
            request['hass_user'] = await legacy_api_password.async_get_user(
                app['hass'])

        elif (api_password and DATA_API_PASSWORD in request.query and
              hmac.compare_digest(
                  api_password.encode('utf-8'),
                  request.query[DATA_API_PASSWORD].encode('utf-8'))):
            authenticated = True
            request['hass_user'] = await legacy_api_password.async_get_user(
                app['hass'])

        elif _is_trusted_ip(request, trusted_networks):
            users = await app['hass'].auth.async_get_users()
            for user in users:
                if user.is_owner:
                    request['hass_user'] = user
                    break
            authenticated = True

        request[KEY_AUTHENTICATED] = authenticated
        return await handler(request)

    app.middlewares.append(auth_middleware)


def _is_trusted_ip(request, trusted_networks):
    """Test if request is from a trusted ip."""
    ip_addr = request[KEY_REAL_IP]

    return any(
        ip_addr in trusted_network for trusted_network
        in trusted_networks)


def validate_password(request, api_password):
    """Test if password is valid."""
    return hmac.compare_digest(
        api_password.encode('utf-8'),
        request.app['hass'].http.api_password.encode('utf-8'))


async def async_validate_auth_header(request, api_password=None):
    """
    Test authorization header against access token.

    Basic auth_type is legacy code, should be removed with api_password.
    """
    if hdrs.AUTHORIZATION not in request.headers:
        return False

    try:
        auth_type, auth_val = \
            request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)
    except ValueError:
        # If no space in authorization header
        return False

    hass = request.app['hass']

    if auth_type == 'Bearer':
        refresh_token = await hass.auth.async_validate_access_token(auth_val)
        if refresh_token is None:
            return False

        request['hass_refresh_token'] = refresh_token
        request['hass_user'] = refresh_token.user
        return True

    if auth_type == 'Basic' and api_password is not None:
        decoded = base64.b64decode(auth_val).decode('utf-8')
        try:
            username, password = decoded.split(':', 1)
        except ValueError:
            # If no ':' in decoded
            return False

        if username != 'homeassistant':
            return False

        if not hmac.compare_digest(api_password.encode('utf-8'),
                                   password.encode('utf-8')):
            return False

        request['hass_user'] = await legacy_api_password.async_get_user(hass)
        return True

    return False


async def async_validate_signed_request(request):
    """Validate a signed request."""
    hass = request.app['hass']
    secret = hass.data.get(DATA_SIGN_SECRET)

    if secret is None:
        return False

    signature = request.query.get(SIGN_QUERY_PARAM)

    if signature is None:
        return False

    try:
        claims = jwt.decode(
            signature,
            secret,
            algorithms=['HS256'],
            options={'verify_iss': False}
        )
    except jwt.InvalidTokenError:
        return False

    if claims['path'] != request.path:
        return False

    refresh_token = await hass.auth.async_get_refresh_token(claims['iss'])

    if refresh_token is None:
        return False

    request['hass_refresh_token'] = refresh_token
    request['hass_user'] = refresh_token.user

    return True
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`"""Authentication for HTTP component."""`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`import base64`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`import hmac`
			`import logging`

Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`from aiohttp import hdrs`
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 02:42:31 +00:00			`from aiohttp.web import middleware`
Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00			`import jwt`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`from homeassistant.core import callback`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`from homeassistant.const import HTTP_HEADER_HA_AUTH`
Legacy api fix (#18733) * Set user for API password requests * Fix tests * Fix typing 2018-11-27 09:41:44 +00:00			`from homeassistant.auth.providers import legacy_api_password`
Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00			`from homeassistant.auth.util import generate_secret`
			`from homeassistant.util import dt as dt_util`

Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`from .const import KEY_AUTHENTICATED, KEY_REAL_IP`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
			`DATA_API_PASSWORD = 'api_password'`
Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00			`DATA_SIGN_SECRET = 'http.auth.sign_secret'`
			`SIGN_QUERY_PARAM = 'authSig'`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
			`_LOGGER = logging.getLogger(__name__)`


Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00			`@callback`
			`def async_sign_path(hass, refresh_token_id, path, expiration):`
			`"""Sign a path for temporary access without auth header."""`
			`secret = hass.data.get(DATA_SIGN_SECRET)`

			`if secret is None:`
			`secret = hass.data[DATA_SIGN_SECRET] = generate_secret()`

			`now = dt_util.utcnow()`
			`return "{}?{}={}".format(path, SIGN_QUERY_PARAM, jwt.encode({`
			`'iss': refresh_token_id,`
			`'path': path,`
			`'iat': now,`
			`'exp': now + expiration,`
			`}, secret, algorithm='HS256').decode())`


Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`@callback`
No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`def setup_auth(app, trusted_networks, api_password):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Create auth middleware for the app."""`
Only log change to use access token warning once (#15690) 2018-07-27 13:53:46 +00:00			`old_auth_warning = set()`

Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`@middleware`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def auth_middleware(request, handler):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Authenticate as middleware."""`
			`authenticated = False`

No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`if (HTTP_HEADER_HA_AUTH in request.headers or`
			`DATA_API_PASSWORD in request.query):`
Only log change to use access token warning once (#15690) 2018-07-27 13:53:46 +00:00			`if request.path not in old_auth_warning:`
Tweak log level for bearer token warning (#16182) 2018-08-25 05:57:36 +00:00			`_LOGGER.log(`
No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`logging.INFO if api_password else logging.WARNING,`
Change auth warning (#16216) 2018-08-27 08:37:03 +00:00			`'You need to use a bearer token to access %s from %s',`
Tweak log level for bearer token warning (#16182) 2018-08-25 05:57:36 +00:00			`request.path, request[KEY_REAL_IP])`
Only log change to use access token warning once (#15690) 2018-07-27 13:53:46 +00:00			`old_auth_warning.add(request.path)`
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00
			`if (hdrs.AUTHORIZATION in request.headers and`
No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`await async_validate_auth_header(request, api_password)):`
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`# it included both use_auth and api_password Basic auth`
			`authenticated = True`

Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00			`# We first start with a string check to avoid parsing query params`
			`# for every request.`
			`elif (request.method == "GET" and SIGN_QUERY_PARAM in request.query and`
			`await async_validate_signed_request(request)):`
			`authenticated = True`

No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`elif (api_password and HTTP_HEADER_HA_AUTH in request.headers and`
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`hmac.compare_digest(`
			`api_password.encode('utf-8'),`
			`request.headers[HTTP_HEADER_HA_AUTH].encode('utf-8'))):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`# A valid auth header has been set`
			`authenticated = True`
Legacy api fix (#18733) * Set user for API password requests * Fix tests * Fix typing 2018-11-27 09:41:44 +00:00			`request['hass_user'] = await legacy_api_password.async_get_user(`
			`app['hass'])`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
No more opt-out auth (#18854) * No more opt-out auth * Fix var 2018-12-02 15:32:53 +00:00			`elif (api_password and DATA_API_PASSWORD in request.query and`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`hmac.compare_digest(`
			`api_password.encode('utf-8'),`
			`request.query[DATA_API_PASSWORD].encode('utf-8'))):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`authenticated = True`
Legacy api fix (#18733) * Set user for API password requests * Fix tests * Fix typing 2018-11-27 09:41:44 +00:00			`request['hass_user'] = await legacy_api_password.async_get_user(`
			`app['hass'])`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`elif _is_trusted_ip(request, trusted_networks):`
Always set hass_user (#18844) 2018-11-30 16:32:47 +00:00			`users = await app['hass'].auth.async_get_users()`
			`for user in users:`
			`if user.is_owner:`
			`request['hass_user'] = user`
			`break`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`authenticated = True`

			`request[KEY_AUTHENTICATED] = authenticated`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`return await handler(request)`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Use proper signals (#18613) * Emulated Hue not use deprecated handler * Remove no longer needed workaround * Add middleware directly * Dont always load the ban config file * Update homeassistant/components/http/ban.py Co-Authored-By: balloob <paulus@home-assistant.io> * Update __init__.py 2018-11-21 19:55:21 +00:00			`app.middlewares.append(auth_middleware)`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`def _is_trusted_ip(request, trusted_networks):`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`"""Test if request is from a trusted ip."""`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`ip_addr = request[KEY_REAL_IP]`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`return any(`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`ip_addr in trusted_network for trusted_network`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`in trusted_networks)`
Add websocket API (#4582) * Add websocket API * Add identifiers to interactions * Allow unsubscribing event listeners * Add support for fetching data * Clean up handling code websockets api * Lint * Add Home Assistant version to auth messages * Py.test be less verbose in tox 2016-11-27 02:23:28 +00:00

			`def validate_password(request, api_password):`
			`"""Test if password is valid."""`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 05:04:49 +00:00			`return hmac.compare_digest(`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`api_password.encode('utf-8'),`
			`request.app['hass'].http.api_password.encode('utf-8'))`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00

By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`async def async_validate_auth_header(request, api_password=None):`
			`"""`
			`Test authorization header against access token.`

			`Basic auth_type is legacy code, should be removed with api_password.`
			`"""`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`if hdrs.AUTHORIZATION not in request.headers:`
			`return False`

Backend tweaks to make authorization work (#14339) * Backend tweaks to make authorization work * Lint * Add test * Validate redirect uris * Fix tests * Fix tests * Lint 2018-05-10 08:38:11 +00:00			`try:`
			`auth_type, auth_val = \`
			`request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)`
			`except ValueError:`
			`# If no space in authorization header`
			`return False`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Always set hass_user (#18844) 2018-11-30 16:32:47 +00:00			`hass = request.app['hass']`

By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`if auth_type == 'Bearer':`
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements 2018-08-14 19:14:12 +00:00			`refresh_token = await hass.auth.async_validate_access_token(auth_val)`
			`if refresh_token is None:`
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`return False`

Break up websocket 2 (#17028) * Break up websocket 2 * Lint+Test * Lintttt * Rename 2018-10-01 14:09:31 +00:00			`request['hass_refresh_token'] = refresh_token`
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements 2018-08-14 19:14:12 +00:00			`request['hass_user'] = refresh_token.user`
By default to use access_token if hass.auth.active (#15212) * Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint 2018-07-01 02:31:36 +00:00			`return True`

Pylint cleanups (#15626) * Pylint 2 no-else-return fixes * Remove unneeded abstract-class-not-used pylint disable 2018-07-23 08:16:05 +00:00			`if auth_type == 'Basic' and api_password is not None:`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`decoded = base64.b64decode(auth_val).decode('utf-8')`
			`try:`
			`username, password = decoded.split(':', 1)`
			`except ValueError:`
			`# If no ':' in decoded`
			`return False`

			`if username != 'homeassistant':`
			`return False`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Always set hass_user (#18844) 2018-11-30 16:32:47 +00:00			`if not hmac.compare_digest(api_password.encode('utf-8'),`
			`password.encode('utf-8')):`
			`return False`

			`request['hass_user'] = await legacy_api_password.async_get_user(hass)`
			`return True`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00
Pylint cleanups (#15626) * Pylint 2 no-else-return fixes * Remove unneeded abstract-class-not-used pylint disable 2018-07-23 08:16:05 +00:00			`return False`
Allow creating signed urls (#17759) * Allow creating signed urls * Fix parameter * Lint 2018-10-25 14:44:57 +00:00

			`async def async_validate_signed_request(request):`
			`"""Validate a signed request."""`
			`hass = request.app['hass']`
			`secret = hass.data.get(DATA_SIGN_SECRET)`

			`if secret is None:`
			`return False`

			`signature = request.query.get(SIGN_QUERY_PARAM)`

			`if signature is None:`
			`return False`

			`try:`
			`claims = jwt.decode(`
			`signature,`
			`secret,`
			`algorithms=['HS256'],`
			`options={'verify_iss': False}`
			`)`
			`except jwt.InvalidTokenError:`
			`return False`

			`if claims['path'] != request.path:`
			`return False`

			`refresh_token = await hass.auth.async_get_refresh_token(claims['iss'])`

			`if refresh_token is None:`
			`return False`

			`request['hass_refresh_token'] = refresh_token`
			`request['hass_user'] = refresh_token.user`

			`return True`