0

So i have this project to access my ip cam stream through a website, but my camera interface has a header basic authentication.

I tried to use user credentials in my url but it doesnt work :

http://username:password@192.168.my-ip/

Also my password contains "@" so i encoded them with %40 and tried %2540 (for the encoding of %) too, doesnt work either.

I saw that maybe a JS post request like this could do the trick but i don't know where to find the clientSecret :

var clientId = "MyApp";
var clientSecret = "MySecret";

// var authorizationBasic = $.base64.btoa(clientId + ':' + clientSecret);
var authorizationBasic = window.btoa(clientId + ':' + clientSecret);

var request = new XMLHttpRequest();
request.open('POST', oAuth.AuthorizationServer, true);
request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
request.setRequestHeader('Authorization', 'Basic ' + authorizationBasic);
request.setRequestHeader('Accept', 'application/json');
request.send("username=John&password=Smith&grant_type=password");

request.onreadystatechange = function () {
    if (request.readyState === 4) {
       alert(request.responseText);
    }
};
Alex Prost-romand
  • 1
  • 1
  • 2
    clientId and clientSecret would be your username and password, respectively, in this case. (The code appears to be from some OAuth login flow, where a client/app ID and secret are commonly used.) All this part does is concatenate them together with a colon in the middle, and then base64-encoding the result, so that this value can then be used in the Authorization header. – CBroe Jun 01 '21 at 09:18
  • yes, i tried to use my username and password in those fields, it does the same thing as above (writing directly the credentials in the url), but it does not disable the basic authentication window, how can i get the basic authentication fields to send a request ? – Alex Prost-romand Jun 01 '21 at 09:29
  • If the browser still presents you with the authentication window, then you have not provided _correct_ credentials so far. _“Also my password contains "@"”_ - although that should not be part of the problem here, you should be aware that what you are trying to do here, requires you to _expose_ those credentials in client-side code, meaning everyone visiting your site could _find_ them. So using a “complex” password will hardly have any added benefits over a simple one here. (And if this was one of your “default” passwords you use for other stuff as well, then it would actually be a bad _leak_) – CBroe Jun 01 '21 at 09:34
  • yes, i am aware of it, but it is for educational purpose so security isn't an issue. – Alex Prost-romand Jun 01 '21 at 09:40
  • Does your IP cam require an oAuth login? That's completely different to basic http auth. Unless the docs or info for your IP cam say oAuth is required, all that Javascript is completely irrelevant and will not work. For basic auth, [encoding the `@` in your password](https://stackoverflow.com/questions/6718471/escaping-username-characters-in-basic-auth-urls) is all you need to do. – Don't Panic Jun 01 '21 at 12:51

0 Answers0