nuki_hub: OTA update attempt makes web server return 401
When I try to update via the OTA mechanism, I get the page indicating that it will automatically reload when the update is ready. A few seconds later, the browser tries to reload, but the authentication credentials are not accepted (so I’m getting the popup to enter different ones).
This happens sometimes randomly, but with OTA updates, it is reproducible for me. Here are two simulated requests using telnet:
Normal:
$ telnet <hostname> 80
Trying <IP>...
Connected to <hostname>.
Escape character is '^]'.
GET / HTTP/1.1
HOST: nukihub.local
Authorization: Basic <base64-encoded-credentials>
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1034
Connection: close
<HTML><HEAD><meta name='viewport' content='width=device-width, initial-scale=1'><link rel='stylesheet' href='/inter.css'><link rel='stylesheet' href='/new.css'><TITLE>NUKI Hub</TITLE></HEAD><BODY><br><h3>Info</h3>
<table><tr><td>Hostname</td><td>nukihub</td></tr><tr><td>MQTT Connected</td><td>Yes</td></tr><tr><td>NUKI Lock paired</td><td>Yes</td></tr><tr><td>NUKI Lock state</td><td>locked</td></tr><tr><td>Firmware</td><td>5.2</td></tr></table><br><br><h3>MQTT and Network Configuration</h3><form method="get" action="/mqttconfig"><button type="submit">Edit</button></form><BR><BR><h3>NUKI Configuration</h3><form method="get" action="/nukicfg"><button type="submit">Edit</button></form><BR><BR><h3>Credentials</h3><form method="get" action="/cred"><button type="submit">Edit</button></form><BR><BR><h3>Firmware update</h3><form method="get" action="/ota"><button type="submit">Open</button></form><br><br><h3>WiFi</h3><form method="get" action="/wifi"><button type="submit">Restart and configure wifi</button></form></BODY></HTML>Connection closed by foreign host.
After update attempt:
$ telnet <hostname> 80
Trying <IP>...
Connected to <hostname>.
Escape character is '^]'.
GET / HTTP/1.1
HOST: nukihub.local
Authorization: Basic <base64-encoded-credentials>
HTTP/1.1 401 Unauthorized
Content-Type: text/html
WWW-Authenticate: Basic realm="Login Required"
Content-Length: 0
Connection: close
About this issue
- State: closed
- Created 2 years ago
- Comments: 22 (10 by maintainers)
Can you check with Version 5.4? There was a nasty buffer overflow bug in the authentication code which can lead to undefined behavior which leads to bugs like yours.
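The thread does not show the faulty code, so the following is an added sketch, not nuki_hub's own code, of the defensive pattern relevant to a buffer overflow in HTTP Basic authentication handling: the decoded `Authorization` value is written into a fixed buffer only while it fits, and an oversized or malformed header is rejected. The names `CRED_MAX`, `b64_decode` and `basic_auth_ok` and the sample credentials are assumptions made for the illustration.

```c
#include <string.h>

#define CRED_MAX 64 /* assumed capacity for the decoded "user:password" */

/* Map one base64 character to its 6-bit value, or -1 if it is not valid. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode into out[cap]. Returns the decoded length, or -1 on an invalid
   character or when the result does not fit; never writes past out[cap-1]. */
static int b64_decode(const char *in, unsigned char *out, size_t cap) {
    size_t len = strlen(in), n = 0;
    unsigned acc = 0;
    int bits = 0;
    while (len > 0 && in[len - 1] == '=') len--; /* ignore padding */
    for (size_t i = 0; i < len; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n >= cap) return -1; /* reject instead of overflowing */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

/* Returns 1 only when header is "Basic <base64(expected)>". */
int basic_auth_ok(const char *header, const char *expected) {
    unsigned char cred[CRED_MAX], diff;
    if (header == NULL || strncmp(header, "Basic ", 6) != 0) return 0;
    int n = b64_decode(header + 6, cred, sizeof cred);
    if (n < 0) return 0;
    size_t elen = strlen(expected);
    diff = (unsigned char)((size_t)n != elen);
    /* Compare every byte so timing does not reveal the first mismatch. */
    for (size_t i = 0; i < (size_t)n && i < elen; i++)
        diff |= cred[i] ^ (unsigned char)expected[i];
    return diff == 0;
}

/* Constructed sample: base64 of "admin:secret"; exit status 0 on success. */
int main(void) { return !basic_auth_ok("Basic YWRtaW46c2VjcmV0", "admin:secret"); }
```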