My Notes on remote access for UI6

Hello all

Thanks to Richard’s excellent notes, which I followed strictly, I managed to build an HTML / JS page which gets the user login & pwd and does all the MMS protocol to get the list of units. It works absolutely fine and I get back the expected device table in JSON like these:

{"PK_Device":"35101627","PK_DeviceType":"1","PK_DeviceSubType":"2","MacAddress":"00:0e:8f:7f:71:ab","Server_Device":"vera-us-oem-device12.mios.com","Server_Device_Alt":"vera-us-oem-device11.mios.com","PK_Installation":"256712","DeviceAssigned":"2015-01-31 22:55:10"}

{"PK_Device":"45101392","PK_DeviceType":"1","PK_DeviceSubType":"2","MacAddress":"d4:21:22:fc:cc:ad","Server_Device":"vera-us-oem-device11.mios.com","Server_Device_Alt":"vera-us-oem-device12.mios.com","PK_Installation":"256712","Using_2G":"0","DeviceAssigned":"2015-02-16 12:10:46"}

But …

It only works when I disable the Chrome Same Origin Domain policy (with the cmd line flag --disable-web-security). This is normal & expected because the web server hosting my page is not in the same domain as the VERA MMS servers, and the VERA MMS servers do not have the proper CORS allowance headers in the response.

Now the question is: how do I get around that? I need to offer a login page which is available when I am out of the home to perform the authentication and then to access VERA remotely. How do people get around the same domain origin issue? Is it because I use jQuery?

Attached is my page code (single page, and a screenshot that shows the result when it works by disabling same domain origin security).

thx for your help
Alexis

I gave up and did the whole thing in PHP.
Plus, note that once you have the relay server token, you can pass it on the URL as described here:
http://forum.micasaverde.com/index.php/topic,30863.msg221291.html#msg221291

Thanks a lot for this javascript sample! exactly what I was looking for!

Did you ever get it to work?

Could the unexplained error be when running this script from a local folder and not from a valid address?

I’ll start debugging your code right away. If you did resolve it, however, please let me know.

I played with your html/scripts (which is kind of a specialty of mine, in case anyone else needs/wants help).
There is one bug I think I found:

In getSessionToken you build the URL "https://"+server+"/info/session/token";
but according to the TO text file notes, this request needs to go to this hard-coded URL: "https://us-authd11.mios.com/info/session/token";

Changed that, but still not working. I’m getting an error that my server is not allowed to make CORS requests to us-authd11.mios.com; this is something they block on their server. This is why it would work from .NET or other platforms, and won’t work from JavaScript.
You are using a local file, which will never work with CORS. I hosted it on my http://localhost:4422 and it was still rejected.

One more note: you should use request type “jsonp” for cross origin support, but again if it is blocked at the server there is nothing you can do.

shame :(

Did anyone get any luck accessing this via pure JavaScript? This is something I would be very interested in, as I could build a very simple mobile friendly responsive UI page that does the basic day to day operations without bothering with hosting/running server side code.

Sirpinky,
I think the "https://"+server+"/info/session/token" is correct; it is the doc which is wrong, I believe (not 100% sure). I believe we are supposed to dynamically get the server name for load balancing or high availability reasons. However, it does not make a great deal of difference.

The BIG problem is the lack of CORS support on the Vera side servers. Without that, and without them supporting JSONP, we cannot have a JavaScript client side approach, unfortunately. I think with a command flag when you launch Chrome you can disable all the CORS security enforcement made by the browser, and in that case you will see it working fine, if I remember (“Chrome --args --disable-web-security”).

So I did get this whole thing working, but with PHP. This URL https://vera-ui.strongcubedfitness.com/Veralogin.php is the external MMS login facility for my ALTUI plugin (MiOS Apps).

Bringing some life back to this post, I am trying to get this working for UI7, but had a few questions:

I obtained the JSON for the AuthToken & AuthSigToken, but I am not sure I have the right response. My mustache template:

{{Identity}}~{{IdentitySignature}}~{{Server_Account}}

returns over 3,000 bytes. I know that the notes mentioned ‘long’ strings, but is that what I should expect?

I’m trying to build a web hook from which I can get an updated “SessionToken” to make calls to Vera from a micro controller, but handling all of that… I don’t know if my MCU will be able to handle that and actually perform some functions.

Or… are my Identity and IdentitySignature actually static, and could I just refresh the SessionToken with the same call (I can then offload that call to my web hook tool)?

I believe I understand the process to get this working, I just don’t really know a lot about this kind of message signing enough to get a flavor if I can get this all on my MCU.

Although this is excellent work, I’m still baffled that not a single official piece of documentation has been published surrounding these changes… or am I just missing them?

I received a document from them … but I have never seen it published.
It was a good document describing their API … but was still lacking … which is why I posted my notes.

I know this is old, but I’ve also created a test python script to show how to do authentication and run requests remotely.

Hope someone’s still watching this thread…

I have got remote access working… except I seem to be getting quite a bit of failures from the AUTH servers… I’m not sure if this is a temporary issue, or just me…

https://us-autha.mios.com/autha/auth/username/?SHA1Password=886649f0d6116c97910877ef9ba7304cfbd9e340&PK_Oem=1

is the URL I’m calling… it’s dynamic, so the above is a composed URL.
I originally used autha11, then tried autha12 servers… then decided to use the failoverurl (think it’s probably better anyway)…

What’s happening is that randomly, I get success, but a failure on the next call… the failure is always the same:

ERROR: Connection to server

I am not sure what this even means… The only theory I have is that somehow this is an error because of too many calls to the server?

I have been testing my app quite a bit, and this seemed to have cropped up now…

Any insight would be super…

Thx T

You should always use the URL with the trailing numbers in the host name.

The reason is that the MCV protocol calls for the ODD numbers to be the primary connection and the ODD number + 1 to be the fail over connection.

So autha11 is the primary and autha12 is the failover.

Hi everyone,

First, thanks for your help. I have been trying to use a VeraLite for several days, and I must admit that the doc is quite hard to find.

I still can achieve the first step of this long process. My controller runs the last version of the firmware. I am trying to connect to: (my username is only lowercase)

https://vera-us-oem-autha11.mios.com/autha/auth/username/myUsername?SHA1Password=sha1(myUserName myPassword oZ7QE6LcLJp6fiWzdqZc)&PK_Oem=1

I am always getting the answer “ERROR:No data”
I used my browser and also tried with the php and the python libraries shared in previous answers (thanks again for these).

I know it is a bit vague, but do you have an idea about where the problem could come from?

Please ask for all the details I didn’t mention; I don’t really know what could be important.

Thanks (you would really make my day, maybe even my week),
Victor

I am afraid it’s much more complicated than you understand.
Most of the document is Pseudo code … you need to implement the pseudo code in the language/tools of your choice.

SHA1()

Is pseudo code … you will have to do more reading to find out how to actually create an SHA1 hash of the string concatenation of the 3 specified strings.

If you read my notes carefully this will be a string that looks like:
b30bcbdd4408c8bec91c1c03b7801efc0c4733db

Of course it will be a different/unique value for every user!

Yes, I understood. I didn’t specify, but in my URL:
https://vera-us-oem-autha11.mios.com/autha/auth/username/myUsername?SHA1Password=sha1(myUserName myPassword oZ7QE6LcLJp6fiWzdqZc)&PK_Oem=1
“myUsername” and “sha1(myUserName myPassword oZ7QE6LcLJp6fiWzdqZc)” are in fact replaced by their values. I just didn’t want to put them on the forum.

Your notes are extremely clear. I used the openssl command to create the hash. I also tried with the php library, which uses the sha1 php function.

Sorry you will have to figure this out on your own … unless you want to create a public account and share the account name and password … and the actual SHA1 you computed.

Do you have any white space (i.e. CRLF) in your SHA generation ?
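
Added example, not part of the original thread or of any poster's code: a Python sketch of the SHA1Password computation and auth URL discussed above, with one helper that names the whitespace mistake behind a wrong digest and one that derives the failover host from the odd-numbered primary. The concatenation order (username, password, salt) is an assumption taken from the URL quoted in the thread, and the credentials are constructed sample values.

```python
import hashlib
import re
from urllib.parse import quote, urlencode

# Salt string exactly as it appears in the URLs quoted in this thread.
SALT = "oZ7QE6LcLJp6fiWzdqZc"


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def sha1_password(username: str, password: str) -> str:
    """Digest of the three strings joined with nothing between or after them.
    Assumption: order is username, password, salt, as in the thread's URL."""
    return sha1_hex(username + password + SALT)


def diagnose(observed: str, username: str, password: str) -> str:
    """Name the whitespace mistake, if any, that produced an observed digest."""
    joined = username + password + SALT
    spaced = " ".join((username, password, SALT))
    variants = {
        "clean": joined,
        "trailing LF": joined + "\n",      # e.g. echo without -n piped to openssl
        "trailing CRLF": joined + "\r\n",  # value read from a Windows text file
        "spaces between parts": spaced,
        "spaces between parts, trailing LF": spaced + "\n",
    }
    wanted = observed.strip().lower()
    for label, text in variants.items():
        if sha1_hex(text) == wanted:
            return label
    return "no match"


def failover_host(primary: str) -> str:
    """Odd-numbered host is the primary; its failover is that number plus one."""
    m = re.match(r"^(.*?)(\d+)(\..+)$", primary)
    if not m or int(m.group(2)) % 2 == 0:
        raise ValueError("expected an odd-numbered primary host: " + primary)
    return f"{m.group(1)}{int(m.group(2)) + 1}{m.group(3)}"


def auth_url(host: str, username: str, password: str) -> str:
    query = urlencode({"SHA1Password": sha1_password(username, password), "PK_Oem": "1"})
    return f"https://{host}/autha/auth/username/{quote(username, safe='')}?{query}"


if __name__ == "__main__":
    user, pwd = "exampleuser", "example-password"  # constructed sample credentials
    primary = "vera-us-oem-autha11.mios.com"
    print(auth_url(primary, user, pwd))
    print(auth_url(failover_host(primary), user, pwd))
    print(diagnose(sha1_hex(user + pwd + SALT + "\n"), user, pwd))
```

Passing a digest produced by another tool to `diagnose` shows whether it matches the clean concatenation or one of the whitespace-contaminated variants.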

Just wanted to pop in and say that this info was still very helpful in 2017 for UI7. Thank you.

Here is an example bash script (using curl and jq) that authenticates, gets a session token, and retrieves devices:

Hi,

I am pretty new with Vera, but it is a little bit confusing when I want to configure access to Vera remotely through the MiOS servers.

The idea of access described on the wiki http://wiki.micasaverde.com/index.php/Luup_Requests#device sounds very simple, but as I can see, a comment says that the proposed method is obsolete…

Accessing Vera remotely through the MiOS servers * Obsolete on UI7

The MiOS servers provide a secure way to remotely access and control your Vera system using the HTTP interface. Everything you can do locally with Vera on port 3480, you can do remotely with MiOS using the exact same syntax. You only need to pass the MiOS account username and password on the URL to the remote access server, along with the serial number of the unit (ie. 30012345). For example, the user_data request syntax over the Internet through the MiOS servers is:

https://fwdX.mios.com/demovera/myvera123/30012345/data_request?id=user_data

assuming demovera is the MiOS account username and myvera123 is the password. Note that since the request is https, the username and password are encrypted because https encrypts the URL’s as well as the contents of the page.


It seems that this wiki has not been updated for a while.

I have tens of Vera Edges with the latest firmware, and I would like to find as simple a way as possible to do remote Luup Requests. Security is not my issue at this moment. Is there any wiki or tutorial that simplifies this? After all, is it possible just to execute a few scenes remotely by calling a web URL?

Requests are NOT simple … You need to authenticate first … The notes for this post are still accurate.

Digging this up wondering if something has changed recently.

I’m having issues with using the “/locator/locator/locator” service to get local device information. It seems that the MMSSession is not valid for the us-authd11.mios.com.

I’m asking if something has changed as I can access us-autha11 to authenticate and then use that information to then auth against us-authd11 to get the Session Token but then the Token doesn’t work against the same server but with the locator URL.

For fully remote systems I have unpacked the AuthToken and I can auth and get devices and relay servers through the Server_Account servers and that all works fine.

Since I can access the relay server to get the device list, my auth is working fine. I’m just needing to get the local locator working to have the local IP to do a check if local or remote and which way to communicate. I’m going to go through my code again and again to re-check, but it’s odd where hitting one server and the tokens and session token are good but against another they are not. I’m probably missing something really simple.

From querying https://vera-us-oem-autha11.mios.com I get the Server_Account and PK_Account … at the same time as I get the Identity and IdentitySignature

I query the Server_Account with “/account/account/account/{{PK_Account}}/devices”
From there I get the Remote Gateway AND LOCAL IP Addresses of all of the devices.

I have used the Locator in the past … but since I do not use it … I never wrote down the tricks.