Lock down the webui

raph · September 24, 2022, 9:49pm

Not sure if it’s intentional, but i never have to login to the diyhue webui - it always auto-logins. Is there a way to disable this, and change the default password? thank you so much.

I’m running diyhue addon on homeassistant, if that makes any different.

mariusmotea · September 27, 2022, 12:31pm

You can change the password with a complicated method currently. Any failed login attempt will log the inserted password hash. You can copy that hash and update that in config.yaml file. You can logoff by clicking Logout in the main menu.

raph · September 27, 2022, 1:30pm

thanks for the reply! so if i click ‘logout’ it redirects to the login page, but doesn’t actually log out - if refresh, or open the url on the same (or totally different) browser, it auto-logins. never asks to type in anything…

what is the complicated method to change the pass? i dont mind generating a new hash and changing it in the .yaml file, just not sure what hashing method to use specifically. thanks again!

mariusmotea · September 27, 2022, 2:01pm

You are right, the session is not destroyed, this is a bug. To change the password simply try to login with the new password and monitor diyhue docker container output.
Sample for password 123456:

2022-09-27 16:58:01,021 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:01] “GET /api/8fd651a05e7911eca3d1dca632fe78b6/lights HTTP/1.1” 200 -
2022-09-27 16:58:01,023 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:01] “GET /api/8fd651a05e7911eca3d1dca632fe78b6/sensors HTTP/1.1” 200 -
pbkdf2:sha256:260000$P02ztghVqGxymKwh$8abfd6095349bae6be9e31539ddd583803132ab737d9e92f43122948d2d012a9
2022-09-27 16:58:02,158 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:02] “POST /login HTTP/1.1” 200 -
2022-09-27 16:58:02,392 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:02] “GET /favicon.ico HTTP/1.1” 200 -

the hash to have the password 123456 is pbkdf2:sha256:260000$P02ztghVqGxymKwh$8abfd6095349bae6be9e31539ddd583803132ab737d9e92f43122948d2d012a9

In config.yaml file you have by default this:

users:
  admin@diyhue.org:
    password: pbkdf2:sha256:150000$bqqXSOkI$199acdaf81c18f6ff2f29296872356f4eb78827784ce4b3f3b6262589c788742

Just replate the long hash and restart the docker container.

raph · March 2, 2024, 10:00pm

still can’t seem to get this to work… any guide to creating the hash and having the GUI respect the logoff? clicking log off does not lock the GUI. Otherwise, is there a way to disable to GUI altogether?

hendriksen-mark · March 5, 2024, 9:07pm

Hi Raph,
i made some changes, please update diyhue and give feedback if its works and if this is what you want.

Topic		Replies	Views
Home assistant + diyhue losing groups on reboot, specified 'rooms' not auto-created Support	0	240	September 13, 2022
Problem with HA Integration - Offline if off Support diyhue	6	163	December 12, 2023
Exclude Tasmota devices from autoscan Support	1	247	December 14, 2021

Lock down the webui

Related Topics