NScriptHelper.dll

[sub]

In the next build, you can use the -service option on NScriptHelper:

dotnet NScriptHelper.dll -service:method=recording.lists&list=pending

[sub]

That seems to work quite nicely, and will give advanced users a lot of flexibility

[mvallevand]

Yes that would ok that is the same as my python script which works ok. I still hope you don't fully implement sid security I do a lot of debugging of the API in the browser and it would real pain in the butt. Maybe you could have a configurable "permanent" sid we could use without a login that is stored in config.xml, many apps provide an api key like that.

Martin

[sub]

The problem is I can't fully trust where I'm told the request is from. I wouldn't want someone to remotely trick it into thinking it's a local request.

[mvallevand]

Can you check if the destination is localhost or 127.0.0.1. I know in v4 this was logged

2019-08-18 20:39:29.219 [DEBUG][16] host_callback: localhost:8866

If I was hacking I'd just try the default PIN anyway so maybe add that to rule if you think it is necessary.

If I really wanted to do something with the API have access to the PC I could just edit config.xml and reset the PIN but I could do more damage than that on the PC

Martin

[sub]

Can you check if the destination is localhost or 127.0.0.1. I know in v4 this was logged

2019-08-18 20:39:29.219 [DEBUG][16] host_callback: localhost:8866

You'd be surprised just how easy it is to set various headers on web apps to make them think the request is from somewhere else. Knowing more about it now, and looking back at v4, I see some glaring flaws to having this remotely accessible.

If I really wanted to do something with the API have access to the PC I could just edit config.xml and reset the PIN but I could do more damage than that on the PC

I'm not at all worried about people that are physically on the machine - there is plenty they can do with NextPVR. Like you, I'd be happy for users on local to make calls without a sid... if I was certain they were on the localhost. At this stage I'm not comfortable that they're definitely on localhost.

[mvallevand]

Ok but if the pin is 0000 what's the point of this security? Users who access remotely won't be able to use debugging in the browser but I can live with that.

Martin

[sub]

Ok but if the pin is 0000 what's the point of this security?

I hear you - but if a user is going to allow remote access to there system, they can at least set the PIN and feel relatively safely.

[sub]

Users who access remotely won't be able to use debugging in the browser but I can live with that.

What do you mean? If they're logged into the web app (local/remote/wherever), they can try urls without needing a sid (it gets it from the session).

[mvallevand]

I mean this kind of post that you and I request a lot https://forums.nextpvr.com/showthread.ph...post538897

Martin