alexa: close potential security hole if scrypted is exposed to the internet directly (ie, user is not using the cloud plugin against recommendations)

2026-05-04 21:30:30 +01:00 · 2022-10-06 20:10:20 -07:00
parent 3706cd2238
commit 6a96cdc1d9
5 changed files with 27 additions and 7 deletions
--- a/plugins/alexa/.vscode/settings.json
+++ b/plugins/alexa/.vscode/settings.json
@@ -1,4 +1,4 @@

 {
-    "scrypted.debugHost": "127.0.0.1",
+    "scrypted.debugHost": "koushik-ubuntu",
 }
--- a/plugins/alexa/package-lock.json
+++ b/plugins/alexa/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@scrypted/alexa",
-   "version": "0.0.16",
+   "version": "0.0.17",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
      "": {
         "name": "@scrypted/alexa",
-         "version": "0.0.16",
+         "version": "0.0.17",
         "hasInstallScript": true,
         "dependencies": {
            "@types/node": "^16.6.1",
--- a/plugins/alexa/package.json
+++ b/plugins/alexa/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@scrypted/alexa",
-   "version": "0.0.16",
+   "version": "0.0.17",
   "scripts": {
      "scrypted-setup-project": "scrypted-setup-project",
      "prescrypted-setup-project": "scrypted-package-json",
--- a/plugins/alexa/src/main.ts
+++ b/plugins/alexa/src/main.ts
@@ -1,6 +1,6 @@
 import axios from 'axios';
 import sdk, { HttpRequest, HttpRequestHandler, HttpResponse, MixinProvider, ScryptedDevice, ScryptedDeviceBase, ScryptedDeviceType, ScryptedInterface } from '@scrypted/sdk';
-import { StorageSettings } from '@scrypted/common/src/settings';
+import { StorageSettings } from '@scrypted/sdk/storage-settings';
 import { AutoenableMixinProvider } from '@scrypted/common/src/autoenable-mixin-provider';
 import { isSupported } from './types';
 import { DiscoveryEndpoint, DiscoverEvent } from 'alexa-smarthome-ts';
@@ -26,6 +26,7 @@ class AlexaPlugin extends AutoenableMixinProvider implements HttpRequestHandler,

    handlers = new Map<string, AlexaHandler>();
    accessToken: Promise<string>;
+    validAuths = new Set<string>();

    constructor(nativeId?: string) {
        super(nativeId);
@@ -335,6 +336,25 @@ class AlexaPlugin extends AutoenableMixinProvider implements HttpRequestHandler,
    }

    async onRequest(request: HttpRequest, response: HttpResponse) {
+        const { authorization } = request.headers;
+        if (!this.validAuths.has(authorization)) {
+            try {
+                await axios.get('https://home.scrypted.app/_punch/getcookie', {
+                    headers: {
+                        'Authorization': authorization,
+                    }
+                });
+                this.validAuths.add(authorization);
+            }
+            catch (e) {
+                this.console.error(`request failed due to invalid authorization`, e);
+                response.send(e.message, {
+                    code: 500,
+                });
+                return;
+            }
+        }
+
        try {
            const body = JSON.parse(request.body);
            const { directive } = body;
--- a/plugins/alexa/tsconfig.json
+++ b/plugins/alexa/tsconfig.json
@@ -1,8 +1,8 @@
 {
    "compilerOptions": {
        "resolveJsonModule": true,
-        "moduleResolution": "node",
-        "target": "esnext",
+        "moduleResolution": "Node16",
+        "target": "ES2016",
        "esModuleInterop": true,
    },
    "include": [