Skip to content

Commit 74d627e

Browse files
bwp91claude
andcommitted
fix(ui-api): send correct instanceId so JWTs pass UI auth on v5.24.0+
homebridge-config-ui-x v5.24.0 added an `instanceId` check to its JWT strategy that rejects any token whose `instanceId` doesn't match the server's own (sha256 of the UI `secretKey`). The plugin was signing its self-minted token with a sentinel `instanceId: 'xxxxxxx'`, so every API call returned 401, surfacing as "undefined error connecting to ..." in the logs. Compute the same `sha256(secretKey)` value the server derives. Older UI versions ignore `instanceId`, so this is safe across all versions. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent bdce640 commit 74d627e

1 file changed

Lines changed: 3 additions & 2 deletions

File tree

src/ui-api.ts

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ import type {
99
} from 'homebridge'
1010

1111
import { spawn } from 'node:child_process'
12+
import { createHash } from 'node:crypto'
1213
import { readFileSync } from 'node:fs'
1314
import https from 'node:https'
1415
import path from 'node:path'
@@ -68,7 +69,7 @@ export class UiApi {
6869

6970
const MAX_TTL_SEC = 86400; // limit TTL to 24 hours
7071
this.cacheable = new CacheableLookup({ maxTtl: MAX_TTL_SEC });
71-
72+
7273
const configPath = path.resolve(hbStoragePath, 'config.json')
7374
const hbConfig = JSON.parse(readFileSync(configPath, 'utf8')) as HomebridgeConfig
7475
const config = hbConfig.platforms.find((config: { platform: string }) =>
@@ -589,7 +590,7 @@ export class UiApi {
589590
username: '@homebridge-plugins/homebridge-updater',
590591
name: '@homebridge-plugins/homebridge-updater',
591592
admin: true,
592-
instanceId: 'xxxxxxx',
593+
instanceId: createHash('sha256').update(this.secrets!.secretKey).digest('hex'),
593594
}
594595

595596
this.token = jwt.sign(user, this.secrets!.secretKey, { expiresIn: '1m' })

0 commit comments

Comments
 (0)