Clean Python Flask replacement for odc-api (Hivemapper Bee liberation)
Cobb Hayes
beead1d6b0
- requirements.txt: bump floors past known CVEs (flask>=2.3.2 fixes CVE-2023-30861, requests>=2.32.0 fixes CVE-2023-32681 + CVE-2024-35195, redis>=5.0 fixes CVE-2023-28858/9). - LICENSE: add MIT text (README claimed MIT but the file was missing). - /api/1/debug/redis-keys: require auth. Was unauthenticated info-disclosure on the LAN/AP side. |
||
|---|---|---|
| adacam_api | ||
| systemd | ||
| .gitignore | ||
| install.sh | ||
| LICENSE | ||
| main.py | ||
| README.md | ||
| requirements.txt | ||
adacam-api
Clean Python Flask replacement for Hivemapper's odc-api — a 434k-line Node.js monolith with a filed CVE. This service runs on the Hivemapper Bee (HDC-S) dashcam as part of the adacam liberation stack.
What it does
- Serves API endpoints for the Varroa Android app and adamaps-forwarder
- Reads GPS data from Redis (
GNSSFusion30Hz) - Stores landmark detections in SQLite
- Forwards detections to AdaMaps API (with offline queuing)
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/1/landmarks/last/{N} |
Last N detections |
| POST | /api/1/landmarks |
Ingest new detection |
| GET | /api/1/gnssConcise/latestValid |
Current GPS fix |
| GET | /api/1/status |
Device status |
| GET | /api/1/deviceinfo |
Device identity |
| GET | /api/1/recording/frames/latest |
Latest frame path |
Note: /api/1/cmd is intentionally NOT implemented — that was the CVE.
Installation
./install.sh
This will:
- Copy files to
/opt/adacam/ - Install Python dependencies
- Enable and start the systemd service
- Generate a device ID on first run
Configuration
Config file: /data/adacam/config.json
{
"device_id": "auto-generated UUID",
"adamaps_key": "<your-adamaps-ingest-key>",
"adamaps_api": "https://api.adamaps.org",
"ap_interface": "wlp1s0f0",
"tunnel_host": "",
"tunnel_user": "",
"tunnel_port": 2222
}
Requirements
- Python 3.8+
- Redis (for GPS/IMU data)
- Flask, redis-py, requests
License
MIT