adacam-api/install.sh
Cobb 22fba16c0c
All checks were successful
gitleaks / scan (push) Successful in 35s
security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix)
The bearer token was sha256(serial)[:32] and the serial is served unauthenticated, so anyone reaching :5000 could compute it and take the device over. Now: token is a random secrets.token_urlsafe(32) at /data/adacam/api_token (never derived from serial); /pair only returns it during a one-shot pairing window (/data/adacam/pairing_open, opened by adacam-pair or install.sh, closes after one pair); require_auth uses hmac.compare_digest. NEEDS ON-DEVICE PAIRING TEST before merge to main — see SECURITY-PAIRING.md.
2026-06-13 09:48:29 -07:00

46 lines
1.5 KiB
Bash
Executable file

#!/bin/bash
# adacam-api installer for Hivemapper Bee device
set -e
INSTALL_DIR="/opt/adacam"
DATA_DIR="/data/adacam"
echo "[*] Installing adacam-api..."
# Create directories
mkdir -p "$INSTALL_DIR" "$DATA_DIR"
# Copy files
cp -r adacam_api main.py requirements.txt "$INSTALL_DIR/"
# Install the pairing helper (opens a one-shot /pair window — see SECURITY-PAIRING.md)
install -m 0755 bin/adacam-pair /usr/local/bin/adacam-pair
# Install Python dependencies
pip3 install --no-cache-dir -r "$INSTALL_DIR/requirements.txt"
# Install systemd service
cp systemd/adacam-api.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable adacam-api
# Note: Config is generated by liberate.sh or on first API start
# We don't validate Python imports here as the working directory matters
if [ ! -f "$DATA_DIR/config.json" ]; then
    echo "[*] Config will be generated on first API start"
fi
# Open a one-shot pairing window on a FRESH provision so the first app pair works
# out of the box (it closes after one successful pair). On an existing install
# (token already issued) we leave the window closed — re-pair with `adacam-pair`.
if [ ! -f "$DATA_DIR/api_token" ]; then
    : > "$DATA_DIR/pairing_open"
    chmod 600 "$DATA_DIR/pairing_open" 2>/dev/null || true
    echo "[*] Pairing window opened for first pair (run 'adacam-pair' to reopen later)"
fi
echo "[*] Starting adacam-api..."
systemctl restart adacam-api
systemctl status adacam-api --no-pager || true
echo "[+] Installation complete. API running on port 5000"
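The token and pairing-window behaviour described in the commit message, modelled as an added example; this is not the project's code. `legacy_token` and `PairingStore` are hypothetical names, the file names `api_token` and `pairing_open` come from the commit message, and closing the window before the token is returned is an assumption.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import Path


def legacy_token(serial: str) -> str:
    # Pre-fix scheme per the commit message: fully determined by the serial.
    return hashlib.sha256(serial.encode()).hexdigest()[:32]


class PairingStore:
    """Hypothetical model of the fixed flow (not the project's code)."""

    def __init__(self, data_dir):
        self.token_path = Path(data_dir) / "api_token"
        self.window_path = Path(data_dir) / "pairing_open"

    @staticmethod
    def _write_private(path, data):
        # Create with mode 0600 up front; no moment with wider permissions.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)

    def token(self):
        # Random per-device secret, generated once, never derived from serial.
        if not self.token_path.exists():
            self._write_private(self.token_path, secrets.token_urlsafe(32))
        return self.token_path.read_text()

    def open_window(self):
        self._write_private(self.window_path, "")

    def pair(self):
        # unlink() succeeds for exactly one caller, so the window is one-shot
        # even when two /pair requests race.
        try:
            self.window_path.unlink()
        except FileNotFoundError:
            return None
        return self.token()

    def authorized(self, header):
        # Constant-time comparison of "Bearer <token>" against the stored token.
        scheme, _, presented = header.partition(" ")
        ok = hmac.compare_digest(presented.encode(), self.token().encode())
        return scheme == "Bearer" and ok
```

A token computed from the serial no longer authenticates, because the stored token has no relationship to any device identifier.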