* Do not propagate API password in service requests.
It makes service validation fail. The choice is to either handle it as an
optional key in every service handler and make sure it doesn't end up in event
stream and notifications, or to strip it as early as possible.
* Some places still need a forwarded api password.
- Event forwarding/remote api uses the local api password to
authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
* Do not propagate API password in service requests.
It makes service validation fail. The choice is to either handle it as an
optional key in every service handler and make sure it doesn't end up in event
stream and notifications, or to strip it as early as possible.
* Some places still need a forwarded api password.
- Event forwarding/remote api uses the local api password to
authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
In order to prevent a potential timing attack, it's important to make
sure the password check takes the same amount of time, regardless of
how many characters in the candidate password match the real password.
This commit does increase the verbosity of the authentication check.
Generally it is a good idea for authentication logic to be very clear,
even if that requires some extra verbosity.
Created three additional flags for the hass command:
-v - Toggle verbose log file output
—pid-file - Specify PID file path
—daemon - Launch as daemon (nix only)
The core now binds to SIGQUIT on nix systems to trigger a clean
shutdown.
Modified HTTP server to write logging messages through the logging
module.
Robbie Trencheny
Paulus Schoutsen
Jan Harkes
Josh Wright
Andrew McClure
Fabian Affolter
Fabian Affolter
Philip Lundrigan
Paulus Schoutsen
Jeff Schroeder
Ryan Kraus
jamespcole