
Local Admin API Authentication rejects valid tokens #1251

Closed
@dinvlad

Description

  • I confirm that this is an issue rather than a question.

Bug report

Currently, it appears we can use Admin API calls over JSON RPC/HTTP requests only if we disable "Local Admin API Authentication". Enabling it results in rejected calls with "No Authorization", even if we supply a valid token.

Steps to reproduce

  1. Enable "Local Admin API Authentication" in the UI (http://<hyperion-ip>:8090/#conf_network)
  2. Submit an Admin API request, e.g.

     curl -X POST 'http://<hyperion-ip>:8090/json-rpc' \
     -H 'Authorization: token <valid-token>' \
     -H 'Content-Type: application/json' \
     -d '{
         "command": "config",
         "subcommand": "getconfig"
     }'

     which results in

     {
         "command": "config",
         "error": "No Authorization",
         "success": false,
         "tan": 0
     }

  3. Disable "Local Admin API Authentication"
  4. Restart the service, e.g.:

     sudo systemctl restart hyperiond@pi.service

  5. Submit the same request (with or without the token) and it succeeds.

What is expected?

When "Local Admin API Authentication" is enabled, Admin API calls should:

  1. Reject calls without a token
  2. Succeed if the token is valid.

What is actually happening?

When "Local Admin API Authentication" is enabled, the Admin API rejects all requests, regardless of whether the token is present, and regardless of whether the request is sent over the local network (or even from localhost).

The current behavior seems to be hard-coded to set Admin auth state at the start of the service:

// admin access is allowed, when the connection is local and the option for local admin isn't set. Con: All local connections get full access

System

Hyperion Server: 
- Build:           (HEAD detached at 83338dc3) (Paulchen Panther-ca50487e/83338dc3-1605733041)
- Build time:      Nov 18 2020 21:34:12
- Git Remote:      https://github.com/hyperion-project/hyperion.ng
- Version:         2.0.0-alpha.9
- UI Lang:         auto (BrowserLang: en-US)
- UI Access:       expert
- Avail Capt:      dispmanx,v4l2,framebuffer,qt
- Database:        read/write

Hyperion Server OS: 
- Distribution:   Raspbian GNU/Linux 10 (buster)
- Architecture:   arm
- CPU Model:      ARMv7 Processor rev 4 (v7l)
- CPU Type:       Raspberry Pi 3 Model B Plus Rev 1.3
- CPU Revision:   a020d3
- CPU Hardware:   BCM2835
- Kernel:         linux (5.10.17-v7+ (WS: 32))
- Qt Version:     5.7.1
- Python Version: 3.5.3
- Browser:        Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 
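The decision logic the report describes, written out as an added illustration (not Hyperion's code): the reported path derives the admin flag once from connection locality and the setting, so a token can never grant access once the setting is on; the expected path evaluates the token per request. The `AdminRequest` struct, the token set and the function names are constructed for this example, and the assumption that a non-local caller must also present a token is mine.

```cpp
#include <set>
#include <string>

// Inputs to the admin-authorisation decision as the issue describes them (hypothetical shape).
struct AdminRequest {
    bool localConnection;      // request arrived from localhost or the LAN
    bool localAdminAuthOn;     // "Local Admin API Authentication" setting
    std::string token;         // value after "Authorization: token ", empty if the header is absent
};

// Constructed sample token store; a real service would consult its persisted tokens.
static const std::set<std::string> kValidTokens = {"valid-token-example"};

static bool tokenIsValid(const std::string& token) {
    return !token.empty() && kValidTokens.count(token) > 0;
}

// Behaviour the issue reports: admin access is fixed at service start from
// "local connection AND option not set". The token is never consulted, so with
// the option enabled every admin call is rejected, valid token or not.
bool adminAllowedAsReported(const AdminRequest& r) {
    const bool adminFromStartup = r.localConnection && !r.localAdminAuthOn;
    return adminFromStartup;
}

// Behaviour the issue expects: local callers keep implicit admin access only while
// the option is off; otherwise the per-request token decides (a missing or unknown
// token is rejected). Treating non-local callers the same way is an assumption.
bool adminAllowedExpected(const AdminRequest& r) {
    if (r.localConnection && !r.localAdminAuthOn) {
        return true;
    }
    return tokenIsValid(r.token);
}
```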
