
Problem adding valid user to API handshake URL #41

Closed
nearwood opened this issue Jun 18, 2013 · 10 comments

@nearwood commented Jun 18, 2013

I can't seem to narrow this down any further. When I attempt to use the API via Java, I have no problem getting an error response when I request an invalid user:

"http://server/ampache/server/xml.server.php?action=handshake&auth=" + 
URLEncoder.encode(keyHash.toString()) + "&timestamp=" + timestamp + 
"&version=350001&user=nobody"

returns:

Response: 200
Content-type: text/xml; charset=UTF-8
Content-length: 141
<?xml version="1.0" encoding="UTF-8" ?>
<root>
    <error code="403"><![CDATA[Unauthorized access attempt to API - ACL Error]]></error>
</root>

But adding anyone who has API access in the ACL gives:

"http://server/ampache/server/xml.server.php?
action=handshake&auth=%5BB%40124022f3&
timestamp=1371575882&version=350001&user=nick"
Response: 200
Content-type: text/xml; charset=UTF-8
Content-length: 0

My ACL is as follows:
jampache 0.0.0.0 255.255.255.255 All nick (nick) API/RPC

I've tried it for all admin, and all users which give the same symptoms. ACL is enabled in my config. The response code is always 200. Am I missing something?

@RyanCopley (Contributor) commented Jun 18, 2013

Can you post more of the Java code, including the hash generation, etc.? Your example is of poor quality.

@nearwood (Author) commented Jun 18, 2013

Sure, see below. But I can remove the hash, timestamp, and I'm willing to bet all of the other arguments save for the user. As soon as I specify a valid user, there's no content returned.

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.security.MessageDigest;

Charset ch = Charset.forName("UTF-8");

String user = "nick";
String password = "password";
String timestamp = Long.toString(System.currentTimeMillis() / 1000);
MessageDigest md = MessageDigest.getInstance("SHA-256");

// Inner digest: SHA-256 of the password (kept as raw bytes here, not hex).
md.update(password.getBytes(ch));
byte[] pwHash = md.digest();

// Build key = timestamp text followed by the 32 raw digest bytes.
int size = timestamp.length() + pwHash.length;
byte[] key = new byte[size];

int c;
byte[] timestampBytes = timestamp.getBytes(ch);
System.out.println("key size: " + size);
System.out.println("timestamp: " + timestamp);
for (c = 0; c < timestamp.length(); c++) key[c] = timestampBytes[c];
for (c = timestamp.length(); c < pwHash.length + timestampBytes.length; c++) key[c] = pwHash[c - timestampBytes.length];

// Outer digest over the concatenation (digest() above reset the instance, so reuse is fine).
md.update(key);
byte[] keyHash = md.digest();
// byte[].toString() does not render the digest: it yields the array's identity
// string (the "[B@124022f3" seen in the URL above), not a hex hash.
String hashString = keyHash.toString();

//String urlString = new String("http://www.google.com/humans.txt");
System.out.println("Attempting to connect with: " + user + ", " + URLEncoder.encode(keyHash.toString()));
String urlString = new String("http://server/ampache/server/xml.server.php?action=handshake&auth="
    + URLEncoder.encode(keyHash.toString()) + "&timestamp=" + timestamp + "&version=350001&user=" + user);
System.out.println(urlString);

URL url = new URL(urlString);
HttpURLConnection con = (HttpURLConnection)url.openConnection();
con.connect();
BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream()));
String line;

System.out.println("Response: " + con.getResponseCode());
System.out.println("Content-type: " + con.getContentType());
System.out.println("Content-length: " + con.getContentLength());

// Echo the response body line by line.
while ((line = br.readLine()) != null)
    System.out.println(line);

To be sure, I just tested:
String urlString = new String("http://server/ampache/server/xml.server.php?action=handshake&user=nick");

vs:

String urlString = new String("http://server/ampache/server/xml.server.php?action=handshake&user=nic");

The results are the same: response code 200 in both cases, but the former doesn't have any content.

@RyanCopley (Contributor) commented Jun 19, 2013

Have you tried taking the URL generated by this and pasting it into Firefox? Perhaps you have a bum install of Ampache, I don't see anything that is wrong. Just to be sure though, you redacted your server URL, correct?

@nearwood (Author) commented Jun 19, 2013

Yes, I redacted it. I just tried the two last lines in Firefox from my last comment. Same thing: it returns an XML file in both cases, but the one where my username matches is empty.

I'm running: Ampache 3.6-alpha6+FUTURE

@flowerysong (Contributor) commented Jun 19, 2013

I see a distinct lack of log info in this exchange.

https://github.com/ampache/ampache/wiki/Troubleshooting#enable-logging

@nearwood (Author) commented Jun 19, 2013

2013-06-19 00:14:04 [ampache] (i18n) -> Setting locale to en_US.UTF-8
2013-06-19 00:14:04 [ampache] (i18n) -> gettext is native
2013-06-19 00:14:04 [ampache] (API) -> Handshake Attempt, IP:1.1.1.190 User:nick Version:350001
2013-06-19 00:14:04 [ampache] (API) -> Login Failed: timestamp out of range
2013-06-19 00:15:35 [ampache] (i18n) -> Setting locale to en_US.UTF-8
2013-06-19 00:15:35 [ampache] (i18n) -> gettext is native
2013-06-19 00:15:35 [ampache] (API) -> Handshake Attempt, IP:1.1.1.190 User:nick Version:
2013-06-19 00:15:35 [ampache] (API) -> Login Failed: version too old
2013-06-19 00:16:09 [ampache] (i18n) -> Setting locale to en_US.UTF-8
2013-06-19 00:16:09 [ampache] (i18n) -> gettext is native
2013-06-19 00:16:09 [ampache] (API) -> Handshake Attempt, IP:1.1.1.190 User:nick Version:350001
2013-06-19 00:16:09 [ampache] (API) -> Login Failed: timestamp out of range
2013-06-19 00:16:29 [ampache] (i18n) -> Setting locale to en_US.UTF-8
2013-06-19 00:16:29 [ampache] (i18n) -> gettext is native
2013-06-19 00:16:29 [ampache] (Access Denied) -> Unauthorized access attempt to API [1.1.1.190]

Only the last messages (:29) refer to an instance where XML was returned. The others were run with various arguments missing. It looks like part of the problem is that the time output by Ampache is off; my server time was reported as Tue Jun 18 23:17:04 CDT 2013 right after those log entries. Looks like PHP might have the wrong timezone.

@nearwood (Author) commented Jun 19, 2013

I fixed my server's timezone, but I'm not sure that helped. Still no XML error indication, but the log shows:

2013-06-18 11:39:04 [ampache] (i18n) -> Setting locale to en_US.UTF-8
2013-06-18 11:39:04 [ampache] (i18n) -> gettext is native
2013-06-18 11:39:04 [ampache] (API) -> Handshake Attempt, IP:1.1.1.190 User:nick Version:350001
2013-06-18 11:39:04 [ampache] (API) -> Login Failed: timestamp out of range
2013-06-18 11:39:07 [admin] (session) -> i9s0i0tfj5oqngeu4v9tfnu0q1 has been extended to Tue, 16 Jul 2013 11:39:07 -0400 extension length 2419200
2013-06-18 11:39:07 [admin] (i18n) -> Setting locale to en_US.UTF-8
2013-06-18 11:39:07 [admin] (i18n) -> gettext is native
2013-06-18 11:39:07 [admin] (session) -> Session created:5cd91c85dd7b7609366061f407ae36c1

(I'm also logged into the web interface as 'admin' if that's what the extra output is for.) Perhaps the incorrect timestamp (I will verify the timestamp tomorrow) is what is causing the lack of output. Judging from the logging I've seen, log messages tagged with "API" don't seem to produce XML output, where the "Access Denied" ones do.

@nearwood (Author) commented Jun 19, 2013

So, my hash calculations were whack, and that's what was causing me not to be able to log in. I am able to now. However, it seems like there's a lack of error responses when you don't provide all the details, and that's what I was getting at with this issue. I looked over the PHP briefly, and nothing stood out. Perhaps this is by design to reduce abuse potential?

@flowerysong (Contributor) commented Jul 3, 2013

The API could probably be friendlier on failure, but that has to wait until someone has time to dig in and work on it.

@flowerysong flowerysong closed this Jul 3, 2013

@meandor (Contributor) commented Nov 2, 2013

@nearwood do you mind sharing your hash calculation and connect to api code?

I tried to connect to Ampache's API with Android but I always get this error while connecting:
"Login Failed, unable to match passphrase"

I guess my auth key hash is wrong.

I found the mistake myself: the hash calculations are case sensitive for the server (lowerCase).
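To make concrete what the server expects, here is an added example (not from this thread and not Ampache's own code) that computes the API 350001 handshake passphrase the way the Java snippet above tries to, but with both SHA-256 digests as lowercase hex as meandor notes, beside the raw-byte variant that snippet actually produces, and a constructed model of the server-side checks that yields the "Login Failed" reasons seen in the log lines. The timestamp window width and the order of the checks are assumptions, not values from the page.

```python
import hashlib
import hmac

# Ampache handshake (API version 350001): auth = sha256(timestamp + sha256(password)),
# where both digests are rendered as lowercase hex text before being concatenated.

def password_hash(password: str) -> str:
    """Inner digest: lowercase hex SHA-256 of the password (what the server stores)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def handshake_auth(password: str, timestamp: int) -> str:
    """Correct outer digest: runs over the timestamp text + the 64 hex characters."""
    inner = password_hash(password)
    return hashlib.sha256((str(timestamp) + inner).encode("utf-8")).hexdigest()

def handshake_auth_raw_bytes(password: str, timestamp: int) -> str:
    """What the Java snippet in this thread computes: the outer digest runs over the
    timestamp text + the 32 *raw* digest bytes instead of their hex form, so it never
    matches the server's value even before the byte[].toString() problem."""
    inner = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(str(timestamp).encode("utf-8") + inner).hexdigest()

# Constructed model of the server-side handshake checks (assumed window and order).
TIMESTAMP_WINDOW = 1800  # seconds of client/server clock skew tolerated (assumption)

def verify_handshake(stored_pw_hash: str, timestamp: int, auth: str,
                     version: int, now: int, min_version: int = 350001):
    """Returns (accepted, reason). Reasons mirror the log messages in the thread."""
    if version < min_version:
        return (False, "version too old")
    # A client clock (or a server with the wrong timezone) outside the window fails here.
    if abs(now - timestamp) > TIMESTAMP_WINDOW:
        return (False, "timestamp out of range")
    expected = hashlib.sha256((str(timestamp) + stored_pw_hash).encode("utf-8")).hexdigest()
    # Case-sensitive, constant-time comparison: uppercase hex from the client is rejected.
    if not hmac.compare_digest(expected, auth):
        return (False, "unable to match passphrase")
    return (True, "ok")

if __name__ == "__main__":
    ts = 1371575882  # constructed timestamp, same value as the URL in the thread
    stored = password_hash("password")
    print(verify_handshake(stored, ts, handshake_auth("password", ts), 350001, ts + 60))
    print(verify_handshake(stored, ts, handshake_auth_raw_bytes("password", ts), 350001, ts))
```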
