* Use local timezone for log and history dates
* home-assistant-js fix
* Submodule updates not included so travis can build
* Separate Date and DateTime http validators
* Include submodule reference
* Update frontend
* Deprecate ssl2/3
Following the best practices as defined here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
* Updated comment with better description
Links to the rationale rather than the config generator; explains link.
* add comment mentioning intermediate
When a browser makes a CORS request, it often makes a 'preflight'
options request in order to make sure the resource is valid, and that
it has the right CORS access. This adds a default OPTIONS handler for
all views. If a view needs to customize the OPTIONS handler for some
reason, it's free to, but this way CORS will work.
* Add CORS support to WSGI
* Remove X-HA-Access as a CORS header, because as @JshWright so elegantly put it: "CORS controls access to response headers, not request headers"
This commit adds back the config validation for the http component. It
was removed during the WSGI shuffle. This is just a direct copy of what
@robbiet480 added in ab294d12f7 (with some testing to verify it still
works).
* Fix TLS with eventlet
This fixes a simple error on my part when implementing the WSGI stuff.
eventlet.wrap_ssl() returns a wrapped socket, it does not modify the
object passed to it. We need to grab the returned value and use that.
* Fix style issue
* Do not propagate API password in service requests.
It makes service validation fail. The choice is to either handle it as an
optional key in every service handler and make sure it doesn't end up in event
stream and notifications, or to strip it as early as possible.
* Some places still need a forwarded api password.
- Event forwarding/remote api uses the local api password to
authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
In order to prevent a potential timing attack, it's important to make
sure the password check takes the same amount of time, regardless of
how many characters in the candidate password match the real password.
This commit does increase the verbosity of the authentication check.
Generally it is a good idea for authentication logic to be very clear,
even if that requires some extra verbosity.
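
The timing concern in the commit message above, shown as an added example (not Home Assistant's code): an early-exit comparison does work proportional to the matching prefix, while `hmac.compare_digest` does not. The function names and the sample password are hypothetical, and the step count stands in for elapsed time.

```python
import hmac


def naive_compare_steps(candidate: str, real: str) -> int:
    """Early-exit comparison, instrumented to return how many characters
    it examined before deciding. More steps means a longer-running check,
    which is the signal a timing attack measures."""
    steps = 0
    for cand_char, real_char in zip(candidate, real):
        steps += 1
        if cand_char != real_char:
            break  # stops at the first mismatch: the leak
    return steps


def check_api_password(candidate, real: str) -> bool:
    """Constant-time check: the work done does not depend on how many
    leading characters of the candidate are correct."""
    if candidate is None:
        # A missing password is compared like any other wrong value.
        candidate = ""
    # Encode first: hmac.compare_digest() raises TypeError on str
    # arguments containing non-ASCII characters.
    # Per the hmac docs, a length difference may still be observable;
    # the values themselves are not.
    return hmac.compare_digest(candidate.encode("utf-8"),
                               real.encode("utf-8"))


REAL = "correct horse"  # constructed sample password

if __name__ == "__main__":
    # Constructed guesses with 0, 3 and 9 correct leading characters.
    for guess in ("xxxxxxxxxxxxx", "corxxxxxxxxxx", "correct hxxxx"):
        print(f"{guess!r}: naive steps={naive_compare_steps(guess, REAL)}, "
              f"accepted={check_api_password(guess, REAL)}")
```
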