WD Addon SDK 5 - security and notifications

Hi,

Since OS5 there have been some quite significant changes to SDK without a notice to the developers.
In particular the “login_check()” function is no longer used. I think it’s a big security risk, that developers are not aware of these changes to the way the authentication and authorization works.

@SBrown: Can you or your colleagues confirm or deny my understanding of how security for addons works right now?

  1. Authentication for Web GUI
    Currently the authentication has been moved from application layer to application server configuration. You need to place your app in the /var/www/apps/ to allow only authenticated user to access.

  2. Authorization for Web GUI and UserControl option in apkg.rc
    Currently there is only the admin user. UserControl is a dead option and there are no roles that can be used for authorization, even though the SDK documentation still suggests otherwise:

  3. Notifications
    There used to be an option to send alerts using “sendAlert.sh” script but now it’s disabled. Is there any other API that can be used for notifications from an Addon app?

Hi,

Thank you for your reply.

All that you have written is true. I wasn’t precise with my question. Here are a few additional details:

My goal is to:

  • To have a simple configuration screen (using CenterType: 1)
  • To leverage myCloud session to control access to the screen (if user is authenticated as an admin, he can enter and use the screen)

As I understand:

  • Authentication is done via /nas/v1/auth
  • On the application side session data can’t be really used to check if user is logged in.
  • There used to be functions such as login_check() but they are not valid anymore.

Do you know how I can explicitly check if a session belongs to an authenticated user?
Can I check if a user is a myCloud admin? (I believe that access to the console for non-admin users has been disabled in OS5)

I also understand this the same way. Thank you for confirming.

I did, and I have found out that for CenterType: 1 the application is served from a protected path on the server. If you don’t request from an authenticated session, you get 403 even for static content. I’ll check the OAuth2 scheme to see if I can make a second layer of protection in case WD changes something in their approach.

App for backups using rclone. With GUI for more convenient configuration.
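The "second layer of protection" discussed above, as an added example (not WD SDK code, and not from any poster in this thread): an app-side gate that refuses to render the configuration screen unless the session is confirmed to belong to an authenticated admin, independent of the path-based 403 the application server already enforces. The thread names /nas/v1/auth as the authentication endpoint but not its request or response format, so the endpoint call is abstracted behind a caller-supplied `validator` and simulated with a constructed lookup table; the cookie name `session` is likewise an assumption. The gate fails closed: a missing cookie, an unknown session, a non-admin session, or any error from the validator all yield 403.

```python
"""Defence-in-depth session gate for an add-on configuration screen.

Added example, not part of the WD Addon SDK. The real check would be a call
to the NAS auth API (/nas/v1/auth in the thread); its wire format is unknown
here, so it is replaced by a pluggable `validator` callable.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

SESSION_COOKIE = "session"  # hypothetical cookie name, not from the SDK


@dataclass(frozen=True)
class SessionInfo:
    """Result of validating one session token (shape assumed for this example)."""
    authenticated: bool
    is_admin: bool


# A validator maps a session token to SessionInfo, or None if the NAS does
# not recognise the session. It may also raise (network error, bad JSON, ...).
Validator = Callable[[str], Optional[SessionInfo]]


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def check_access(headers: Mapping[str, str], validator: Validator) -> Tuple[int, str]:
    """Return (status, body). Anything short of a confirmed admin session is 403."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = parse_cookies(lowered.get("cookie", "")).get(SESSION_COOKIE)
    if not token:
        return 403, "forbidden: no session cookie"
    try:
        info = validator(token)
    except Exception:
        # Fail closed: an unreachable or misbehaving auth endpoint must not
        # silently grant access to the configuration screen.
        return 403, "forbidden: session could not be validated"
    if info is None or not info.authenticated:
        return 403, "forbidden: session not authenticated"
    if not info.is_admin:
        return 403, "forbidden: admin role required"
    return 200, "<html>configuration screen</html>"


def make_table_validator(table: Mapping[str, Optional[SessionInfo]]) -> Validator:
    """Constructed stand-in for the NAS auth call: token -> SessionInfo.

    Tokens absent from the table raise, simulating an auth endpoint error.
    """
    def validate(token: str) -> Optional[SessionInfo]:
        if token not in table:
            raise RuntimeError("auth endpoint error (simulated)")
        return table[token]
    return validate


# Constructed sample sessions for demonstration only.
SAMPLE_SESSIONS = {
    "admin-ok": SessionInfo(authenticated=True, is_admin=True),
    "user-ok": SessionInfo(authenticated=True, is_admin=False),
    "stale": None,
}


def demo() -> dict:
    """Run the gate over representative requests; returns {case: status}."""
    validator = make_table_validator(SAMPLE_SESSIONS)
    cases = {
        "admin": {"Cookie": "session=admin-ok"},
        "non_admin": {"Cookie": "session=user-ok"},
        "stale": {"Cookie": "session=stale"},
        "no_cookie": {},
        "validator_error": {"cookie": "theme=dark; session=unknown"},
    }
    return {name: check_access(h, validator)[0] for name, h in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16s} -> {status}")
```

The gate is meant to sit in front of the screen's handler in addition to, not instead of, the server-side protected path; if the path protection ever changes, the app still denies everything it cannot positively confirm.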