Page 1 of 1
Picture notification now supported via event server (Android only)
Posted: Sat Oct 13, 2018 12:21 pm
by asker
One of the things I did in ES 2.0, in addition to support machine learning was to introduce picture messaging.
This currently only works for Android as the push plugin I use doesn't yet support rich notifications for iOS.
Note that to get pictures as part of push notifications, you can't use self signed certificates. Android rejects them with a "cannot find trust anchor" error message. So this will only work if you use a trusted CA chain, like the free
LetsEncrypt
To upgrade your ES make sure you download the latest server and configuration files. instructions on enabling picture messaging are
here.
When you get everything working, your notifications will look like this. Enjoy.
Re: Picture notification now supported via event server (Android only)
Posted: Mon Nov 19, 2018 6:18 pm
by nrbell
This is a wonderful feature, thanks for implementing it. I was wondering, though, about the security implications. Your recommendation for a picture URL is:
Code: Select all
picture_url = https://yourserver/zm/index.php?view=image&eid=EVENTID&fid=alarm&width=600&username=admin&password=yourpassword
I realize that all paths are encrypted, but this still exposes a full Zoneminder login to
someone. You can lock down the login somewhat, but they could still use it to view any of your recorded events.
I mitigated this somewhat partially due to my unusual setup. I don't expose my Zoneminder interface to the wider Internet. I do have a VPS, however, that sports Let's Encrypt certificates. I use my VPS to proxy the picture request to a local proxy that finally makes the request to Zoneminder. The only information passed over the Internet is the event ID. It's a little Rube-Goldbergian, but it works. This still allows someone to view event snapshots, since the IDs are easily guessable.
Have you considered making the event ID information more opaque? Perhaps it could be a time-limited random cookie that gets mapped to the event ID. This would prevent event ID guessing.
Re: Picture notification now supported via event server (Android only)
Posted: Sat Nov 24, 2018 12:55 am
by asker
You're right. This is the easiest format, but most susceptible as well. Oddly, I've found most ZM users run their system behind a VPN and don't seem worried. That doesn't justify its use, of course.
There are however other options:
Option 1 (not really sure what will happen after 60m):
Code: Select all
picture_url = https://yourserver/zm/index.php?view=image&eid=EVENTID&fid=alarm&width=600&auth=token
Where you can get token from using the
new login API (ZM 1.32.x) . The token expires every hour (ZM PHP session period) so I don't really know what will happen if you see the notification 2 hours later
Option 2:
Write a script to fetch the alarmed image and upload to S3/Dropbox and use that link
Have you considered making the event ID information more opaque? Perhaps it could be a time-limited random cookie that gets mapped to the event ID. This would prevent event ID guessing.
No. (As in I haven't considered - these are all good ideas and if you are a coder, would be happy to receive code contributions)