URL login documentation

Nyx · June 3, 2019, 10:17am

I'm having trouble finding documentation regarding URL login feature of LUCI. I read about it on some forum somewhere on the internet around 3 years ago, and based on that created some code that relies on the feature. But as the feature documentation is hard to find, I came here to ask if someone knows where this feature is managed (in either documentation or lua code files/rows).

From what I know, the feature works by adding:
"luci_username=root&luci_password=pass"
To the end of url (default case). But there are some kinks that are weird behavior at best etc. So I'd like to know more about this feature.

lleachii · June 3, 2019, 4:55pm

Can you describe the weird behavior?

Nyx · June 4, 2019, 10:41am

I found out that older versions (OpenWRT 14.07 tested) don't support this, or don't work with the variable names as I wrote them. In newer versions (17.01.4 tested) they seem to work fine. I'm just interested in documentation of this feature, and/or changelog to it when it was changed and/or other information relating to this feature.

lleachii · June 5, 2019, 12:30am

Likely because it wasn't added then...you are aware that version is EOL and not supported, great security vulnerabilities in 2019, etc. - correct?

https://git.openwrt.org/?p=openwrt/openwrt.git;a=shortlog

Hope this helps, although I don't think it goes back to 2014.

BTW, welcome to the community!

slh · June 5, 2019, 12:44am

It actually goes back to the humble beginnings in 2004 (converted over from svn).

jeff · June 5, 2019, 12:59am

?parameter=value[&parameter=value] is standard notation for GET-ing parameters to a web server.

Similarly https://username:password@host.name/ is standard notation for the old "auth" mechanisms associated with HTTP.

The LuCI repo would probably be the one to check as to when the old "auth" approach was replaced by the "modern", session-based approach.

modules/luci-base/luasrc/view/sysauth.htm goes back to at least 2014.

$ git log --pretty='%ad %cd %s' --date=short  modules/luci-base/luasrc/view/sysauth.htm
2018-06-19 2018-06-23 luci-base: globally cleanup markup
2018-05-31 2018-05-31 luci-base: use common alert message markup
2018-04-04 2018-04-04 luci-base: use FULL_REQUEST_URI on login form templates
2016-08-18 2016-08-18 luci-base: properly style login alert message
2015-10-06 2015-10-06 Globally convert headline anchors into name attributes.
2015-01-16 2015-01-16 Update my email addresses in the license headers
2015-01-16 2015-01-16 Globally reduce copyright headers
2014-12-03 2015-01-08 Rework LuCI build system

There is also an RPC system intended for this kind of thing. That is probably a better match, as it doesn’t involve screen scraping. I believe, but have not used it myself, that it supports non-root users. See, for example https://github.com/openwrt/luci/wiki/JsonRpcHowTo and https://openwrt.org/docs/techref/rpcd

Nyx · June 13, 2019, 9:38am

Yes, I am aware of that. Fortunately these routers we use are not in public networks, and are used for internal process management etc. Unfortenately upgrading to newer versions is sometimes impossible due to different reasons (client software or access to hardware etc).

Thank you very much! I'll check those out.

And thank you Jeff for the links, looks promising for creating more stuff on the platform!