Teslamate: Token instead of Username/PW

Created on 6 Jan 2020 · 14 comments · Source: adriankumpf/teslamate

Can we get a box to supply Token directly instead of username and password? I saw this mentioned on reddit but didn't see a specific issue tracking it.

idea

All 14 comments

Note that the account credentials aren't stored; just the tokens. So from a security standpoint it wouldn't make a difference. Is there another reason?

> Note that the account credentials aren't stored; just the tokens. So from a security standpoint it wouldn't make a difference. Is there another reason?

I mean absolutely no offense by this statement and appreciate all the amazing work you've put into it, but unless you are familiar with code there's a lot of trust there. Security wise it makes more sense to allow people to gather the API key/token themselves (easily accomplished with a curl command) and avoid unnecessarily exposing their account credentials.

Are you 100% certain that nothing gets logged locally or cached when this process kicks off in the various possible configurations? (Docker, local install, etc)?

It definitely makes sense not to expose the credentials unnecessarily. I certainly wouldn't supply my credentials to a commercial logger. However, I do not believe it is of equal importance to open source loggers.

I agree that it boils down to trusting the code and environment. But that's exactly why this is an open source project. Feel free to read the respective lines of code [1, 2], compile the project yourself and run it in a trusted environment. If you don't trust any of these, supplying the tokens yourself doesn't make much of a difference IMO. A potential attacker can still do whatever they want if they have your tokens (e.g. find your car and unlock it) until you change your account password or manually revoke the tokens. So keeping the tokens safe must be a top priority whether you supplied them yourself or not.

(1): https://github.com/adriankumpf/teslamate/blob/baada9c5455da2d3c400bf916ab29834772f6a88/lib/teslamate/api.ex#L94-L106
(2): https://github.com/adriankumpf/teslamate/blob/baada9c5455da2d3c400bf916ab29834772f6a88/lib/tesla_api/auth.ex#L11-L20

I don't agree that the Tesla user account password and the vehicle API key are the same impact, but I agree that both need to be protected. The account password gives you access to written vehicle agreements, purchase histories, upgrades, shop purchases, etc... I don't particularly trust any environment and prefer to reduce risk where I can. Regardless, it sounds like this feature isn't something you're interested in. I do appreciate the thorough responses and I'll close this out.

There is an important difference between the token and the account password. Using the token, you can locate and unlock the car, but you can't drive it away - you need to re-confirm the password for that. So if your full credentials were to leak from server logs, a MITM attack or a similar source outside of TeslaMate itself, that would have a more severe impact than a token.

> Regardless, it sounds like this feature isn't something you're interested in. I do appreciate the thorough responses and I'll close this out.

I haven't decided yet. It would be nice to have. At the moment it is certainly a good idea to put some effort into other features first.

For those reading this at a later date: it's possible to insert the API tokens directly into the database (table: tokens). This bypasses the user name and password view at the first startup.

> There is an important difference between the token and the account password. Using the token, you can locate and unlock the car, but you can't drive it away - you need to re-confirm the password for that. So if your full credentials were to leak from server logs, a MITM attack or a similar source outside of TeslaMate itself, that would have a more severe impact than a token.

I was not aware of the reconfirmation. That's good to know!

> For those reading this at a later date: it's possible to insert the API tokens directly into the database (table: tokens). This bypasses the user name and password view at the first startup.

I was going to mention that, if I can get my docker to work (hate how it mangles iptables) then I am more than happy to write up a quick howto on how to populate the tokens table manually. Is it a direct map from the API return fields?

That would be great! Maybe it would fit into the FAQ? It is almost a direct map, the naming is slightly different:

| json | column |
| ------------- |:-------------:|
| access_token |access |
| refresh_token | refresh |

I got this working; it was pretty simple. Here are the basics. Do you want me to edit the FAQ directly?

1. Run curl command to capture token
2. Connect to docker container with POSTGRES db - I used current_timestamp for the two timestamps, I wasn't sure what those were for?
3. Use CLI to insert token values into db directly
4. Restart teslamate

Happy to write out something more comprehensive, just let me know where you want it.

Here is more detail, not beautified:

Run the following command on any linux/unix console that has curl installed:

```sh
curl -X POST -H 'Content-Type: application/json' \
  -d '{"grant_type": "password", "client_id": "81527cff06843c8634fdc09e8ac0abefb46ac849f38fe1e431c2ef2106796384", "client_secret": "c7257eb71a564034f9419ee651c7d0e5f7aa6bfbd18bafb5c5c033b093bb2fa3", "email": "[email protected]", "password": "YOURPASSWORD"}' \
  'https://owner-api.teslamotors.com/oauth/token'
```

returns:

```json
{"access_token":"YOURACCESSTOKEN","token_type":"bearer","expires_in":3888000,"refresh_token":"YOURREFRESHTOKEN","created_at":1579971894}
```

Spawn a shell in the database docker:

```sh
docker exec -it teslamate_db_1 psql -U teslamate
```

Connect to the teslamate database:

```
\c teslamate
```

Insert values from curl into table tokens (positional columns: id, access, refresh, then the two timestamp columns):

```sql
INSERT INTO tokens VALUES (DEFAULT, 'YOURACCESSTOKEN', 'YOURREFRESHTOKEN', current_timestamp, current_timestamp);
```

Verify that the insert ran correctly:

```sql
SELECT * FROM tokens;
```

Exit out of psql:

```
\q
```

Restart teslamate to pick up the new values:

```sh
docker-compose restart
```

OR if running in the foreground: CTRL-C, then

```sh
docker-compose up
```

Login to teslamate and it should bypass the tesla login screen and show your vehicle automatically; if it does not, look for errors in docker output.
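The procedure above works, but the curl one-liner puts the Tesla account password into the shell history and into `ps` output for every user on the box, and the hand-typed INSERT trusts that the token strings contain no quote characters. The script below is an added example (not part of the thread, and not TeslaMate's own code) that does the same three steps with the Python standard library only: it reads the password with getpass, validates the token response before touching the database, and pipes a properly quoted INSERT to psql inside the container over stdin. The client credentials are the public ones quoted in the thread; the container name `teslamate_db_1`, the database user and the database name `teslamate` are assumptions taken from the docker-compose commands above, so adjust them for your deployment.

```python
#!/usr/bin/env python3
"""Fetch Tesla owner-API tokens and hand them to the TeslaMate tokens table.

Compared with the curl / psql one-liners in the thread:
  * the password is read with getpass, so it never lands in argv, `ps`
    output or the shell history file;
  * the token response is validated before anything is written;
  * the SQL is built with proper literal quoting and piped to psql on stdin.
Only the Python standard library is used.
"""
import getpass
import json
import subprocess
import urllib.request

TOKEN_URL = "https://owner-api.teslamotors.com/oauth/token"
# Public client credentials of the Tesla owner app, as quoted in the thread.
CLIENT_ID = "81527cff06843c8634fdc09e8ac0abefb46ac849f38fe1e431c2ef2106796384"
CLIENT_SECRET = "c7257eb71a564034f9419ee651c7d0e5f7aa6bfbd18bafb5c5c033b093bb2fa3"
# Assumed from the thread's docker-compose commands; adjust for your setup.
DB_CONTAINER = "teslamate_db_1"
DB_USER = "teslamate"
DB_NAME = "teslamate"


def token_request(email, password):
    """Body of the password-grant request; same content as the curl -d payload."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "email": email,
        "password": password,
    }


def parse_token_response(body):
    """Validate the JSON the token endpoint returns; return (access, refresh, expires_in)."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    for key in ("access_token", "refresh_token"):
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ValueError("response is missing %s" % key)
    return data["access_token"], data["refresh_token"], int(data.get("expires_in", 0))


def sql_literal(value):
    """Quote a string as a PostgreSQL literal by doubling embedded single quotes."""
    if "\x00" in value:
        raise ValueError("NUL byte in value")
    return "'" + value.replace("'", "''") + "'"


def insert_sql(access, refresh):
    """The positional INSERT from the thread: id, access, refresh, then two timestamps."""
    return (
        "INSERT INTO tokens VALUES (DEFAULT, "
        + sql_literal(access) + ", " + sql_literal(refresh)
        + ", current_timestamp, current_timestamp);"
    )


def fetch_tokens(email, password):
    """POST the password grant and return (access, refresh, expires_in)."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(token_request(email, password)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


def store_tokens(access, refresh, container=DB_CONTAINER):
    """Run the INSERT inside the database container; the SQL travels on stdin, not argv."""
    subprocess.run(
        ["docker", "exec", "-i", container, "psql", "-U", DB_USER, "-d", DB_NAME,
         "-v", "ON_ERROR_STOP=1"],
        input=insert_sql(access, refresh).encode("utf-8"),
        check=True,
    )


if __name__ == "__main__":
    email = input("Tesla account e-mail: ")
    password = getpass.getpass("Tesla account password: ")
    access, refresh, expires_in = fetch_tokens(email, password)
    del password  # not needed once the tokens are in hand
    print("access token valid for about %d days" % (expires_in // 86400))
    store_tokens(access, refresh)
    print("tokens stored; restart TeslaMate (docker-compose restart) to pick them up")
```

Run it on the host where docker-compose runs, then restart TeslaMate as described above. The `ON_ERROR_STOP=1` flag makes psql exit non-zero if the INSERT fails, so `check=True` turns a schema mismatch into a visible error instead of a silent no-op.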

Looks good to me. Thanks!

It would fit well into the FAQ, I think. Would you like to create a PR?

Sure. Looks like you moved the faq to that doc site though? I can update the faq file but does that auto push to there? (Faq.md)

It is not updated automatically. I'll trigger it manually after you've updated the markdown file.

Submitted a PR, should eventually show up in the FAQ for anyone reading this for historical purposes.
