API key security improvement and new configuration features

Another day with some newly added features to the dashboard website:

Download device configuration

We’ve received a request for an easier way to set up multiple devices based on a “template” device. There are now two new options for that. If you go to a device details page and open the configuration section, you’ll see a new dropdown next to the Edit Configuration button:

The first download will generate a ZIP file containing the configuration. You can apply those configuration settings to another device by extracting these files into its /config directory.

The second download option will create a customized OS download with all settings included. Just extract the custom generated install.zip file to an empty SD card and the new device will be configured exactly the same.

Static network verification

The static network settings editor now verifies the provided values. It will check that the IP, netmask and gateway values are properly formatted. Additionally, it will check whether the given gateway is reachable from the specified IP/netmask. This should prevent more configuration errors when using the manual network configuration option.


API key security improvements

Right now the info-beamer API is hosted on info-beamer.com itself. API endpoints use the https://info-beamer.com/api/ URL prefix. For various reasons, plain-text HTTP is also still reachable on the same hostname. This might result in accidental insecure calls when using the API: if you use http://info-beamer.com/api instead of https://info-beamer.com/api, the API key will be sent unencrypted over the network. As such, API keys used in this way should be considered potentially compromised and should be renewed.

info-beamer now detects this by marking all API keys used on an unencrypted connection as potentially compromised. The API call will return a 400 error status with the following response in that case:

{"error":"API key used on insecure connection. It should be considered compromised."}

The API key will also be marked as compromised internally and the permissions dashboard will show a warning:


Clicking into the API key list you’ll see the following line:

You can fix this issue by renewing the API key using the renewal option in the Access action menu.
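
A client-side guard for the mistake described above, as an added example that is not info-beamer's own code: it refuses to attach the key to anything other than the https://info-beamer.com/api/ prefix, and it recognises the 400 response quoted above so the key can be flagged for renewal. The function names, the sample URL and the Basic-auth header format (empty user name, key as password) are assumptions.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit

API_HOST = "info-beamer.com"
API_PREFIX = "/api/"
# Start of the error text quoted in this post.
COMPROMISED_MARKER = "API key used on insecure connection"


class InsecureApiUrl(ValueError):
    """Raised before any network I/O, so the key never leaves the host."""


def build_request(url, api_key):
    """Return a Request carrying the key, or raise if the URL is unsafe."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureApiUrl("refusing to send API key over a non-https URL")
    # .hostname drops any userinfo and port, so "info-beamer.com@other.host"
    # and look-alike suffixes are compared on the real host name.
    if (parts.hostname or "").lower() != API_HOST:
        raise InsecureApiUrl("host is not info-beamer.com")
    if not parts.path.startswith(API_PREFIX):
        raise InsecureApiUrl("path is not under /api/")
    # Assumption: HTTP Basic auth with an empty user name and the key as password.
    token = base64.b64encode(f":{api_key}".encode()).decode()
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Basic {token}")
    return req


def key_needs_renewal(status, body):
    """True if a response is the 'compromised key' rejection described above."""
    if status != 400:
        return False
    try:
        error = json.loads(body).get("error", "")
    except (ValueError, TypeError, AttributeError):
        return False  # not JSON, or not a JSON object
    return isinstance(error, str) and error.startswith(COMPROMISED_MARKER)
```

Calling `build_request` at the single place where requests are created means a mistyped `http://` URL fails locally instead of costing a key renewal.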