Replace api_password in Camera.Push

[dgomes]

Description:

Remove api_password, and changes to using access_token/user provided token accordingly to #15376 (comment)

This is a breaking change for most users pushing camera images through cURL scripts

Related issue (if applicable): #15376

Pull request in home-assistant.github.io with documentation (if applicable): home-assistant/home-assistant.io#6130

Example entry for configuration.yaml (if applicable):

camera:
  - platform: push
    name: cam1
    timeout: 10
    cache: 5
    token: 12345678

Checklist:

• The code change is tested and works locally.
• Local tests pass with tox. Your PR cannot be merged unless tests pass

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated in home-assistant.github.io

If the code communicates with devices, web services, or third-party tools:

• New dependencies have been added to the REQUIREMENTS variable (example).
• New dependencies are only imported inside functions that use them (example).
• New or updated dependencies have been added to requirements_all.txt by running script/gen_requirements_all.py.
• New files were added to .coveragerc.

If the code does not interact with devices:

• Tests have been added to verify that the new code works.

[awarecan]

Should add note in PR description regarding breaking changes

[awarecan]

Since you accept bearer token, CONF_TOKEN should be optional.

[awarecan]

Cannot find test case to test return HTTP status 401, i.e. wrong token or missed token scenario

[awarecan]

Did I missed something? How this be authenticated user? I didn't find the code to set Authorization header.

[dgomes]

client always makes authenticated requests... how can I disable it ?

[awarecan]

https://github.com/home-assistant/home-assistant/blob/a5d95dfbdcf0d9ca3da93f44e2cbb5d162ac3272/tests/components/http/test_auth.py#L158-L163

https://github.com/home-assistant/home-assistant/blob/a5d95dfbdcf0d9ca3da93f44e2cbb5d162ac3272/tests/components/conftest.py#L43-L44

[dgomes]

tests added 👍

[pvizeli]

Maybe we should wait until the long time tokens are implemented and we can switch to this common version. Otherwise it going to a edge case for handling auth.

[dgomes]

I'm all in favor of using long time tokens.

But I was under the impression from #15376 (comment) that long time tokens would not become an option and that the current api_password would be dropped soon.

[balloob]

This should be required

[dgomes]

I made it optional, since the implementation allows the use of the normal authentication.

[balloob]

@pvizeli we don't want to use long lived access tokens for this because an access token would allow full access. For these one off access, just allowing an auth token to be hard coded is fine.

[balloob]

This is ok to merge once the token has been changed in the schema to be required.

[dgomes]

I see this PR as a stop-gap, what we need are long lived access tokens that are limited to given API's

The preferred authentication and authorisation method should be that of HA, and that is why I keep the option of uploading the camera images using HA auth.

[balloob]

This expects the CONF_TOKEN to be always set, which is not the case as it can be optional.

[balloob]

Not setting a token will result in token being None, so then not passing a token means we're checking None == None, allowing user to always access it.

[balloob]

Putting this in the 0.78 release as example how to do auth both ways.

As far as I can see, this is not a breaking change as people can still authenticate with API password via legacy API password provider, or even use new auth.

[dgomes]

It you don't remove legacy_api that is true :)

I was afraid that it was going out in 0.78 already...

[balloob]

Oh no, that beast will probably be around for a looooooooong time. Eventually it will become opt-in instead of opt-out.

[balloob]

But first we need long lived access tokens, which will come this release.