Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces a “protocol auth” layer (token + Hawk-style MAC) backed by the persisted cloud snapshot, and reuses that auth state both for HTTP route protection and MQTT TLS proxy CONNECT authorization.
Changes:
- Add a shared
ProtocolAuthStore+ Hawk authorization helper and wire it into the HTTPS request handler to require token auth for/api/*and Hawk auth for/user/*routes (with explicit public/login-path exceptions). - Reuse the same snapshot-derived credentials in the MQTT TLS proxy to authorize incoming MQTT CONNECT packets (user-hash creds) alongside existing bootstrap credentials.
- Update/extend tests and contracts to seed snapshot auth state and supply required auth headers; tighten standalone admin UI endpoints to require admin auth.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/test_protocol_auth.py | New tests validating token vs Hawk protection, snapshot-required behavior, and code-login route behavior. |
| tests/test_mqtt_tls_proxy.py | Adds snapshot/runtime-credential seeding and tests for MQTT CONNECT authorization paths. |
| tests/test_home_data_online.py | Updates user-facing routes to include Hawk auth headers and seeds cloud snapshot user_data. |
| tests/test_admin_api.py | Requires admin auth for /ui/api/* and adds Hawk headers for protected protocol routes. |
| tests/contracts/test_ios_app_init_contract.py | Seeds protocol user_data into the cloud snapshot and injects Hawk auth for /user/* contract requests. |
| src/roborock_local_server/server.py | Adds protocol auth enforcement, protocol login route handling, and admin auth requirement for UI endpoints; passes snapshot path to MQTT proxy. |
| src/roborock_local_server/cloud.py | Adds find_pending_session_id helper for code-login flows. |
| src/roborock_local_server/bundled_backend/shared/protocol_auth.py | New shared module implementing token/Hawk verification and deriving MQTT credentials from snapshot user_data. |
| src/roborock_local_server/bundled_backend/mqtt_tls_proxy_server/server.py | Reads/authorizes MQTT CONNECT before relaying; adds snapshot-backed auth and CONNECT parsing helpers. |
| src/roborock_local_server/bundled_backend/mqtt_broker_server/server.py | Binds broker listener explicitly to 127.0.0.1. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 47 out of 48 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #11
Users will have to reauth with existing logins
Closes #13
Will build docker releases
Relates to #16
Need to actually do a real test of this.