Netgate Discussion Forum

    FauxAPI, a REST based API for pfSense

    pfSense Packages
    18 Posts 6 Posters 23.3k Views
    • G
      garethrobson

      I would absolutely love to start using this…but after an hour of trying, I cannot get the authentication to work! I'm using PowerShell to communicate so the methods are different, but I think it's my understanding of the authentication that appears to be the issue.

      The following response is received by PowerShell:
      "callid":"5aafcdce2c7cf","message":"authentication failed"}

      ----REMOVED----

      ----REMOVED----

      Can you see if I am doing anything wrong here? If this all seems correct then I will do further digging into the PowerShell.

      Thanks!

      • N
        ndj

        Have you taken a look at the debug logging output by adding the _debug parameter (see docs)?

        Pretty sure you’ll find the issue is with the SHA256 value expressed in uppercase, try using lowercase characters - if you still have issues post the debug output.

        • G
          garethrobson

          Thanks for the reply.

          I've tried changing the hash output to lowercase but that hasn't worked.

          I have tried adding all of the below to the URL but the output does not change or give me more info (maybe because it's not authenticated?):

          &debug=true
          &_debug=true
          &__debug=true

          Any other ideas?

          • G
            garethrobson

            Actually I think I have it working. I changed my random length from 5 to 8 and this seems to have done the trick. Might be worth adding this requirement to the documentation :)

            • N
              ndj

              Generally &__debug=true is your friend and provides helpful debugging log information - if you are having trouble check this first, the log messaging will (or should) provide clear pointers to any FauxAPI issues.

              You are correct about the nonce length, reading the code it needs to be >= 8 chars and <= 40 chars - however you should have received an error response with message somewhere in the JSON response:-

              “length of nonce value is out-of-bounds”

              If you have an interface in PowerShell that you’d be willing to contribute, I’d be happy to accept the pull request.

              N

              • G
                garethrobson

                Thanks for your help. I can't explain why the __debug=true wasn't displaying any more output other than that which I posted.

                Everything is working now.

                In terms of a PowerShell interface, I'm afraid all that I have done is to replace the CURL and the hash command and parameters with the PowerShell alternatives. I'm happy to send these over to you but I'm afraid I've never used GitHub so I don't even know what a "pull" is let alone how to do one! haha!

                • G
                  gremblin

                  Thanks ndj for this application. I just got it working with Home Assistant for stat monitoring. Your authentication method made getting it hooked up a little bit of a challenge, but I do like that it makes it much more difficult to hack in.

                  I posted a how-to on the HA Community Forums: https://community.home-assistant.io/t/pfsense-stat-monitor/61070

                  • N
                    ndj

                    Hi @garethrobson - that's awesome, I added a link to your post here - https://nicholasdejong.com/fauxapi-for-pfsense/

                    • S
                      Savsia

                      Hi, I recently installed the FauxAPI module, but in the Package Manager it appears in the status "Package is configured but not installed (fully) installed or deprecated", how come? I followed all the instructions.

                      • N
                        ndj

                        Hi @saveriozagaria - thanks for reporting.

                        I believe you are describing the fact that FauxAPI is not yet part of the pfSense plugins and as such it gets flagged with a ! mark which when you hover across it gives a message "Package is installed, but is not available on remote repository"

                        This is a warning message that is unlikely to change until the pfSense (Netgate) team are able to find time to review and accept the fauxapi into their repo - I resubmitted a Pull Request back in July 2018:-

                        • https://github.com/pfsense/FreeBSD-ports/pull/531

                        Because I am here, a few things to mention:-

                        • there was also a new point release (1.3.2) last week to address an issue with non-standard ports
                        • the package passes all tests etc and has been tested up to 2.4.3-RELEASE-p1
                        • some nice new Python example code for managing users and groups is available
                        • https://github.com/ndejong/pfsense_fauxapi/tree/master/extras/examples
                        • J
                          jullienl @garethrobson

                          @garethrobson I have been trying to make PowerShell work with the FauxAPI but without success so far, I always get a 401 authentication failure. Would you mind sharing your code? I suspect the way I create my fauxapi-auth is wrong, thanks

                          • J
                            jullienl @jullienl

                            @garethrobson I finally got it to work using the following code:

                            $pfsense = "192.168.1.1"

                            # Creation of the header
                            $headers = @{}

                            # Values that go into the fauxapi-auth header
                            $TimeNow   = (Get-Date).ToUniversalTime()
                            $timestamp = Get-Date $TimeNow -UFormat "%Y%m%dZ%H%M%S"   # UTC, YYYYMMDDZHHMMSS
                            $apikey    = "PFFAxxxxxxxxxxxx"
                            $apisecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                            $nonce     = (Get-Date).Ticks                             # tick count used as the nonce

                            # String that gets hashed: apisecret + timestamp + nonce
                            $string = $apisecret + $timestamp + $nonce

                            # Return the lowercase hex digest of a string ("x2" formats each byte as two lowercase hex digits)
                            Function Get-StringHash([String] $String, $HashName = "MD5")
                            {
                                $StringBuilder = New-Object System.Text.StringBuilder
                                [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | ForEach-Object {
                                    [Void]$StringBuilder.Append($_.ToString("x2"))
                                }
                                $StringBuilder.ToString()
                            }

                            $hash = Get-StringHash $string "SHA256"

                            # Header value layout: apikey:timestamp:nonce:hash
                            $fauxapiauth = $apikey + ":" + $timestamp + ":" + $nonce + ":" + $hash

                            $headers["fauxapi-auth"] = $fauxapiauth

                            # Added these lines to avoid the error: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
                            # due to an invalid Remote Certificate
                            # The policy below returns true for every certificate, so no server certificate is validated for the rest of this session
                            Add-Type -TypeDefinition @"
                                using System.Net;
                                using System.Security.Cryptography.X509Certificates;
                                public class TrustAllCertsPolicy : ICertificatePolicy {
                                    public bool CheckValidationResult(
                                        ServicePoint srvPoint, X509Certificate certificate,
                                        WebRequest request, int certificateProblem) {
                                        return true;
                                    }
                                }
                            "@
                            [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

                            # Use TLS 1.2 for the connection
                            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

                            # List the configuration backups and pull the file list out of the JSON response
                            $response = Invoke-WebRequest -Uri "https://$pfsense/fauxapi/v1/?action=config_backup_list" -Headers $headers -Method GET

                            $request = ($response.Content | ConvertFrom-Json).data.backup_files
                            
                            
                            1 Reply Last reply Reply Quote 0
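The `fauxapi-auth` layout from the post above, together with a pre-flight check for the failure modes raised in this thread (nonce length outside 8 to 40 characters, hash not in lowercase hex), as an added Python example; it is not code from the thread or from the FauxAPI project. The function names, the constructed credentials in the usage, the random hex nonce and the 60-second clock-skew limit are assumptions of this example; the header layout, nonce bounds and error text come from the posts.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

NONCE_MIN, NONCE_MAX = 8, 40      # bounds ndj quotes from the FauxAPI code
TS_FORMAT = "%Y%m%dZ%H%M%S"       # same layout as the PowerShell -UFormat string
MAX_SKEW = 60                     # seconds; assumed tolerance, not stated in the thread


def sign(apisecret, timestamp, nonce):
    """Lowercase hex SHA-256 over apisecret + timestamp + nonce."""
    return hashlib.sha256((apisecret + timestamp + nonce).encode()).hexdigest()


def build_auth(apikey, apisecret, now=None, nonce=None):
    """Return the fauxapi-auth value apikey:timestamp:nonce:hash."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_hex(8)   # 16 hex chars from the OS CSPRNG
    timestamp = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    return ":".join([apikey, timestamp, nonce, sign(apisecret, timestamp, nonce)])


def preflight(header, apisecret, now=None):
    """Client-side check of a header value; returns a list of problems."""
    parts = header.split(":")
    if len(parts) != 4:
        return ["expected apikey:timestamp:nonce:hash"]
    _apikey, timestamp, nonce, digest = parts
    problems = []
    if not NONCE_MIN <= len(nonce) <= NONCE_MAX:
        problems.append("length of nonce value is out-of-bounds")
    try:
        sent = datetime.strptime(timestamp, TS_FORMAT).replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if abs((now - sent).total_seconds()) > MAX_SKEW:
            problems.append("timestamp is outside the allowed clock skew")
    except ValueError:
        problems.append("timestamp is not UTC YYYYMMDDZHHMMSS")
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        problems.append("hash is not 64 lowercase hex characters")
    elif not hmac.compare_digest(digest, sign(apisecret, timestamp, nonce)):
        problems.append("hash does not match apisecret + timestamp + nonce")
    return problems
```

Running `preflight` on a header before sending it separates client-side formatting mistakes from a wrong key or secret, which the bare "authentication failed" response does not distinguish.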
                            • N
                              ndj

                              Hi @jullienl - could you add a __debug=true as a URL parameter and provide the response message in this thread - authentication failures have plenty of logging and messages around them to help identify where problem(s) might be coming from - should be fairly easy to resolve - N

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.