10 Mar 25 TADO ™ unofficial REST API device code flow

If you’re a developer working with Tado’s unofficial REST APIs, you may have recently come across an important update from Tado regarding authentication. In a recent support article, Tado has requested that developers modify their authentication mechanisms to ensure secure and compliant access to their APIs: https://support.tado.com/en/articles/8565472-how-do-i-authenticate-to-access-the-rest-api

This change is critical for maintaining the integrity of Tado’s systems and protecting user data. I’ll break down what this means for developers and how to adapt to the new requirements.

Why the Change?

Tado’s REST APIs have been a popular tool for developers looking to integrate smart home functionality into their applications. However, as with any system, security is an ongoing concern. Tado has identified potential vulnerabilities in the way some developers are handling authentication, particularly when using unofficial APIs. To address these concerns, Tado is now enforcing stricter authentication protocols to prevent unauthorized access and ensure that only legitimate requests are processed.

This move is not uncommon in the tech world. As APIs become more widely used, companies often need to tighten security measures to protect their infrastructure and users. For developers, this means staying up-to-date with these changes and adapting their code accordingly.

What’s Changing?

The primary change revolves around how developers authenticate with Tado’s APIs. Previously, some developers may have relied on less secure methods, such as hardcoding credentials or using outdated authentication flows. Tado is now requiring developers to implement a more robust and secure authentication mechanism.

While the specifics of the new authentication process may vary depending on your implementation, here are some general guidelines to follow:

Use OAuth 2.0: Tado requires using OAuth 2.0 device code flow for authentication, which is a widely adopted standard for secure API access. OAuth 2.0 provides a secure way to handle tokens and ensures that credentials are not exposed in requests.

Avoid Hardcoding Credentials: Hardcoding usernames, passwords, or tokens in your code is a significant security risk. Instead, use environment variables or secure credential storage solutions to manage sensitive information.

Implement Token Refresh: Access tokens typically have a limited lifespan. Make sure your application can handle token expiration by implementing a token refresh mechanism. This ensures uninterrupted access to the API without requiring manual intervention.

How to Update Your Implementation

If you’re currently using Tado’s unofficial APIs, it’s time to review your authentication process and make the necessary changes to implement device code flow. This flow is designed for devices that lack a keyboard or easy input method, such as smart thermostats or mobile apps. Here’s how it works:

The device requests a device code and user verification URL from the authorization server

$response = $this->client->post('https://login.tado.com/oauth2/device_authorize',
[ 'form_params' => [ 'client_id' => '1bb50063-6b0c-4d11-bd99-387f4a91cc46‘,
'scope' => 'offline_access', ], ]);

{"device_code":"ftcrinX_KQaXUNI1wkh-5zxFmmYOUug43SAYWORs1AU","expires_in":300,
"interval":5,"user_code":"9HAZP1",
"verification_uri":"https://login.tado.com/oauth2/device",
"verification_uri_complete":"https://login.tado.com/oauth2/device?user_code=9HAZP1"}

The user visits the URL on a secondary device (e.g., a smartphone or computer) and enters the device code, in this case: https://login.tado.com/oauth2/device?user_code=9HAZP1
Once the user approves the request with its tado credentials, the device polls the authorization server for an access token

$response = $this->client->post('https://login.tado.com/oauth2/token', ['form_params' => ['client_id' => '1bb50063-6b0c-4d11-bd99-387f4a91cc46',
'grant_type' => 'urn:ietf:params:oauth:grant-type:device_code',
'device_code' => $device_code]]);

[access_token] => eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImd0eSI..............................KcYbYQ
[expires_in] => 599
[refresh_token] => 6Vu1vQadysY-1G6naR8gdp_y-AgFtakb75C7KVK5-uUxgbM3EWHTza2e2D6ZD81W
[refresh_token_id] => 9fa5bb86-8d55-4178-9268-f13bbd1bc1a5
[scope] => offline_access
[token_type] => Bearer
[userId] => 595e1511-078f-8010-332a-0adc13930002

Access tokens have a limited lifespan (10 minutes). Make sure your application can handle token expiration by implementing a token refresh mechanism.

$response = $this->client->post('https://login.tado.com/oauth2/token', ['form_params' => ['client_id' => '1bb50063-6b0c-4d11-bd99-387f4a91cc46','grant_type' => 'refresh_token','refresh_token' => $refresh_token]]);

You can take a look at my working implementation here: https://github.com/dam2k/tadoapi

Enjoy your smart home!

Tags: api, oauth2, opensource, php, server, tado
Filed in Open source, What I'm doing, What's hot with 0 Comments

06 Mag 16 How to convert URI to query string parameters with mod_rewrite

You may need to convert URI levels to query string parameters, for example if want to be RESTful compliant with PHP.

Try this one:

RewriteEngine on
RewriteRule ^/(\w+)/(\w+)$ /path_of_index.php?lev1=$1&lev2=$2 [QSA,L]

In this case the first URI level will be converted to a query string parameter called lev1, while the second will be converted to a query string parameter called lev2, each one with the respective values.

For example, the uri /user/list will be passed to index.php and will become index.php?lev1=user&lev2=list

An eventual query string will be passed, eventually overriding lev1 and lev2 parameters.

Tags: apache, code, http, https, Linux, php, rewrite, server, sysadmin
Filed in Linux OS, Open source with 0 Comments

03 Mar 13 How to install php 5.2 on debian squeeze (6.0.x), the debian way

You may know that the PHP version coming with debian squeeze is 5.3. Since the 5.3 version of PHP breaks some compatibility with 5.2 you may find that an old PHP application is no longer working with the new version of PHP on squeeze.
The steps required to install PHP 5.2 on debian squeeze are very simple, you just need to setup APT to install the PHP packages coming with debian lenny.

The first thing to do is to add the lenny repository to the end of /etc/apt/sources.list:

deb http://archive.debian.org/debian lenny main contrib non-free

Then you need to make sure that your favourite PHP packages will be downloaded from lenny instead of squeeze. You can do this creating the file /etc/apt/preferences.d/lenny, with this stuff inside:

Explanation: choose Lenny as installation source if the package is not already installed and not available from Squeeze
Package: *
Pin: release n=lenny*
Pin-Priority: 100

Explanation: choose Lenny as installation source for those packages
Package: libapache2-mod-php5 php5-common php5-curl php5-gd php5-mcrypt php5-mysql php5-cli php5-mhash php5-xsl php5-imap php5-xmlrpc php5-sqlite
Pin: release n=lenny*
Pin-Priority: 999

After that, remove any previously installed PHP 5.3 package, for example with the command

apt-get remove –purge php5\*

and then install the PHP 5.2 packages from lenny:

apt-get update
apt-get clean
apt-get install libapache2-mod-php5 php5-common php5-curl php5-gd php5-mcrypt php5-mysql php5-cli php5-mhash php5-xsl php5-imap php5-xmlrpc php5-sqlite

That procedure saved my life twice, I hope it will save yours too!

Tags: debian, Linux, php, server, sysadmin
Filed in General, Linux OS, Open source, Sysadmin pills with 3 Comments

03 Set 12 apache2 + mod_fastcgi + php 5.3 + PHP-FPM

This is a very quick guide to get your feet wet with PHP 5.3 + PHP-FPM fastcgi support and apache webserver.
The PHP-FPM is basically a fastcgi compliant pool of PHP processes spawned on the system, ready to quickly accept connections, for example via TCP. It’s generally used to greatly improove PHP scalability, security and performance.

Start by installing apache, no matter if it’s a binary installation or if it’s compiled from source code (I assume this step is already done).

Once you have a valid apache installation, you need to compile the mod_fastcgi module.
NOTE: don’t use mod_fcgid or any other fastcgi provider but mod_fastcgi: it’s proved to be stable and to work well with PHP-FPM.

To install mod_fastcgi you have to:

download mod_fastcgi: http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
untar the package, then compile the apache module with: /your_apache_path/bin/apxs -o mod_fastcgi.so -c *.c
install the module with: /your_apache_path/bin/apxs -i -a -n fastcgi .libs/mod_fastcgi.so

Now, compile PHP with the fpm support, or install a already compiled PHP binary package.

Here I’ll cover how to compile it from source.

Start by downloading the latest php 5.3 version from http://www.php.net/downloads.php

When you have done, untar the PHP source package and enter into the extracted php-5.3.x directory.
Now create a file called conf.sh and put this stuff inside it:

./configure \
–prefix=/usr/local/php53 \
–with-libdir=lib64 \
–enable-pcntl \
–enable-mbstring=shared \
–enable-mbregex \
–with-gd=shared \
–enable-bcmath=shared \
–with-xmlrpc=shared \
–with-mysql=shared,/usr \
–with-mysqli=shared,/usr/bin/mysql_config \
–enable-dom=shared \
–enable-soap=shared \
–with-xsl=shared,/usr \
–enable-xmlreader=shared –enable-xmlwriter=shared \
–with-pdo-mysql=shared,/usr \
–enable-json=shared \
–enable-zip=shared \
–with-readline \
–with-jpeg-dir=/usr \
–with-png-dir=/usr \
–with-pear \
–with-ldap=shared \
–enable-fpm \
–with-fpm-user=apache \
–with-fpm-group=apache

Your mileage may vary here, so please double check row by row if you need to modify something. The FPM part are the last 3 lines.

NOTE: you cannot compile PHP as FPM and SAPI at the same time.

Now, make the file executable with: chmod 755 conf.sh
and run the executable with: ./conf.sh

Wait that the configure script is done. If no errors are encountered you can proceed with make and make install as usual.
Remember to create the php.ini configuration file if you need it.
You should now end up with a fresh PHP installation into /usr/local/php53 (or any other path you given to the prefix configure attribute).

Ok, now it’s time to configure the php-fpm (change /usr/local/php53 with your path if it’s different):

cd /usr/local/php53/etc
cp php-fpm.conf.default php-fpm.conf
vi php-fpm.conf

You generally don’t need to modify anything here, but if you want you can touch something.
Now start the php-fpm process pool by running this command by the root user: /usr/local/php53/sbin/php-fpm

If anything gone ok you should have some process up and running, something like this:

25976 ?        Ss     0:00 php-fpm: master process (/usr/local/php53/etc/php-fpm.conf)
4945 ?        S      0:00 \_ php-fpm: pool www
4946 ?        S      0:00 \_ php-fpm: pool www
4947 ?        S      0:00 \_ php-fpm: pool www

If you didn’t modify the php-fpm.conf, the process pool listen for fastcgi requests to TCP 127.0.0.1:9000.

It’s time to configure a apache virtualhost with PHP support using this brand new fpm.

Edit the httpd.conf apache configuration file (or another included file where you store the virtualhost) and append this stuff (I assume that apache is installed into /opt/apache2):

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot “/opt/apache2/htdocs”
ServerName “your_servername.com”
ErrorLog “logs/your_servername-error_log”
CustomLog “logs/your_servername-access_log” common

FastCgiExternalServer /opt/apache2/htdocs/php5.sock -host 127.0.0.1:9000
AddHandler php5-fcgi .php
Action php5-fcgi /tmp/php5.sock
Alias /tmp /opt/apache2/htdocs

<Directory “/opt/apache2/htdocs”>
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</VirtualHost>

Any file whose name ends for “.php” into your document root should now be associated to the PHP fastcgi handler and the requests should be routed to the php-fpm process pool. Each php-fpm process is reused according to the php-fpm.conf configuration file.

Restart apache and enjoy (any comment are welcome).

Tags: apache, http, Linux, php, server, sysadmin
Filed in General, Linux OS, Open source, Sysadmin pills with 0 Comments

08 Mar 12 How to execute a HTTP/Rest Query to NuvolaBase distributed database with PHP

As previously said, nuvolabase.com is a great service that permits you to have a distributed nosql document database in the cloud. This is very cool: think each time you would had the need of a database always available in the cloud that you would access via simple HTTP/Rest queries. The possibilities are endless.

Here is a very simple but powerful PHP curl agent to submit commands (queries) to nuvolabase via HTTP.

<?php
/*
* Author: Dino Ciuffetti <dino@tuxweb.it>
* Object: Execute a remote query to a distributed database on nuvolabase.com (free account) using HTTP (OrientDB REST API)
*/

/* user configurable parameters */
$nuvolabasedb = ‘db$free$youruser$yourdb’;
$command = ‘select from yourclass’;
$user = ‘admin’;
$password = ‘qwerty’;
$useragent = “NuvolaBase PHP REST agent/v0.8 (compatible; Mozilla 4.0; MSIE 5.5; http://www.nuvolabase.com/)”;
/* END of user configurable parameters */

$nuvolabasehost = ‘studio.nuvolabase.com’;
$url = ‘http://’.$user.’:’.$password.’@’.’studio.nuvolabase.com/command/’.$nuvolabasedb.’/sql/’;

$ch = curl_init();

// set user agent
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);

// return the result or false in case of errors
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// set the target url
curl_setopt($ch, CURLOPT_URL, $url);

// do basic login authentication
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

// howmany parameter to post
curl_setopt($ch, CURLOPT_POST, 1);

// the post data to send
curl_setopt($ch, CURLOPT_POSTFIELDS, $command);

// execute curl,fetch the result and close curl connection
$res = curl_exec ($ch);
curl_close ($ch);

// display result
if ($res !== FALSE);
print_r (json_decode($res));

?>

Please use the attached file.

test.php

Tags: http, Linux, NuvolaBase, orientdb, php, rest, server, sysadmin
Filed in General, General news, Linux OS, Notes, Open source, Sysadmin pills, What I'm doing, What's hot with 2 Comments

16 Set 11 How to change drupal 6 admin password

Changing the password of the “admin” user on drupal 6 it’s as simple as to run this mysql query:

UPDATE users SET pass = md5(‘YOUR__NEW_PASSWORD‘) WHERE uid = 1;

Hope to help someone in big problems because of a unknown/lost drupal password.

Ciao, Dino.

Tags: drupal, mysql, php, server, sysadmin
Filed in Notes, Open source, Sysadmin pills with 0 Comments

02 Mar 11 ajax_proxy cross domain php in bundle with orientdb

I’m very happy that my simple proxy php script is now in bundle with a great product: orientdb.
Now, I’m going to take two beers!! Cheers!!!!

Tags: ajax, orientdb, php, proxy
Filed in General, General news, Open source, What I'm doing, What's hot with 0 Comments

26 Mar 10 Il tuo server linux personale

Se quello che hai sempre cercato e’ avere il tuo personalissimo server linux up and running 24 ore su 24, SliceHost e’ l’opzione giusta per te.

Questa meravigliosa azienda americana (in Italia purtroppo certe cose ce le sogniamo alla grande!) ha sviluppato un sistema automatico con interfaccia web in grado di fornirti in tempo reale per pochi dollari al mese una tua personalissima macchina virtuale con cui potrai realizzare e gestire il tuo server linux in tutta tranquillita’.
Banda e connettivita’ internazionale a internet non sono un problema e potrai scegliere tra vari tagli di offerte pronte per te.

Se sei interessato, dai un’occhiata al sito https://manage.slicehost.com/customers/new?referrer=af57db3020e04bb27352e271753a7a18 e affiliati anche tu.

Avrai la possibilita’ di scegliere la distribuzione linux che piu’ ti aggrada e il tuo server linux personale sara’ in piedi in pochi secondi.

Noi di TuxWeb lo stiamo utilizzando con successo per gestire i siti internet di alcuni nostri clienti.

Ciao, Dino – http://www.tuxweb.it/