All checks were successful
gitleaks / scan (push) Successful in 35s
The bearer token was sha256(serial)[:32] and the serial is served unauthenticated, so anyone reaching :5000 could compute it and take the device over. Now: token is a random secrets.token_urlsafe(32) at /data/adacam/api_token (never derived from serial); /pair only returns it during a one-shot pairing window (/data/adacam/pairing_open, opened by adacam-pair or install.sh, closes after one pair); require_auth uses hmac.compare_digest. NEEDS ON-DEVICE PAIRING TEST before merge to main — see SECURITY-PAIRING.md.
16 lines
764 B
Bash
Executable file
#!/bin/sh
# adacam-pair — open a ONE-SHOT pairing window on the device.
#
# While the window is open, GET /pair returns the device's random API token
# exactly once, then the window closes automatically. Run this on the device
# (over the local console / SSH) whenever you want to (re)pair the Varroa app.
#
# This is the physical-presence gate that replaces the old broken scheme where
# the token was derivable from the unauthenticated serial.
set -eu
mkdir -p /data/adacam
: > /data/adacam/pairing_open
chmod 600 /data/adacam/pairing_open 2>/dev/null || true
echo "Pairing window OPEN."
echo "Open the Varroa app and pair now — the window closes after one successful pair."
echo "If you don't pair, close it manually with: rm -f /data/adacam/pairing_open"
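The server side of the scheme the commit message describes, as an added example that is not the project's own code: the /pair handler consumes the one-shot window file, mints the random token on first pairing, and require_auth compares in constant time. It assumes a `Bearer <token>` Authorization header and takes the data directory as a parameter so it can run against a scratch directory instead of /data/adacam.

```python
import hmac
import os
import secrets
from pathlib import Path

# Directory named in the commit message; a parameter below so the logic can be
# exercised against a scratch directory (assumption for this example).
BASE_DIR = "/data/adacam"


def open_pairing_window(base=BASE_DIR):
    """Same effect as the adacam-pair script: create the one-shot window file."""
    Path(base).mkdir(parents=True, exist_ok=True)
    (Path(base) / "pairing_open").touch(mode=0o600)


def read_token(base=BASE_DIR):
    """Return the stored random token, or None if the device has none yet."""
    path = Path(base) / "api_token"
    return path.read_text().strip() if path.exists() else None


def pair(base=BASE_DIR):
    """GET /pair logic: hand out the token only while the window file exists.

    The window is consumed with unlink(), which succeeds for exactly one
    caller, so two concurrent /pair requests cannot both receive the token."""
    try:
        os.unlink(Path(base) / "pairing_open")
    except FileNotFoundError:
        return None                        # window closed: HTTP layer answers 403
    token = read_token(base)
    if token is None:                      # first pairing: mint a random token,
        token = secrets.token_urlsafe(32)  # never derived from the serial
        fd = os.open(Path(base) / "api_token",
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(token)
    return token


def require_auth(authorization_header, base=BASE_DIR):
    """Constant-time check of 'Authorization: Bearer <token>'."""
    expected = read_token(base)
    if expected is None or not authorization_header:
        return False                       # unpaired device: nothing authenticates
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())
```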