senec 0.21.0 → 0.22.0

data/lib/senec/cloud/connection.rb

@@ -1,4 +1,5 @@
 require 'oauth2'
+require 'rotp'
 
 module Senec
   module Cloud
@@ -16,13 +17,14 @@ module Senec
     class Connection
       DEFAULT_USER_AGENT = "ruby-senec/#{Senec::VERSION} (+https://github.com/solectrus/senec)".freeze
 
-      def initialize(username:, password:, user_agent: DEFAULT_USER_AGENT)
+      def initialize(username:, password:, user_agent: DEFAULT_USER_AGENT, totp_uri: nil)
         @username = username
         @password = password
         @user_agent = user_agent
+        @totp_uri = totp_uri
       end
 
-      attr_reader :username, :password, :user_agent
+      attr_reader :username, :password, :user_agent, :totp_uri
 
       def authenticate!
         code_verifier = SecureRandom.alphanumeric(43)
@@ -81,30 +83,36 @@ module Senec
       def fetch_login_form_url(auth_url)
         response = http_request(:get, auth_url)
         store_cookies(response) # Required for Keycloak CSRF protection
-        extract_form_action_url(response.body)
+        extract_login_form_action_url(response.body) || raise('Login form not found')
       end
 
-      def extract_form_action_url(html)
-        forms = html.scan(%r{<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>}mi)
-
-        forms.each do |action_url, form_content|
-          has_username = form_content.match(/name=["']?username["']?/i)
-          has_password = form_content.match(/name=["']?password["']?/i)
+      def submit_credentials(form_url)
+        credentials = { username:, password: }
+        response = http_request(:post, form_url, data: credentials)
 
-          return CGI.unescapeHTML(action_url) if has_username && has_password
+        if response.status == 200
+          # Check if MFA is required
+          if (totp_form_url = extract_totp_form_action_url(response.body))
+            unless totp_uri
+              raise 'MFA required but no TOTP URI provided'
+            end
+
+            response = submit_totp_form(totp_form_url)
+          else
+            # No OTP form found, assume login failed
+            raise 'Login failed - invalid credentials or unexpected response'
+          end
         end
 
-        # :nocov:
-        raise 'Login form not found'
-        # :nocov:
+        # Handle final redirect (same for both MFA and non-MFA flows)
+        handle_redirect_response(response)
       end
 
-      def submit_credentials(form_url)
-        credentials = { username:, password: }
-        response = http_request(:post, form_url, data: credentials)
-        raise 'Login failed' unless response.status == 302
+      def submit_totp_form(form_url)
+        totp = build_totp_from_uri(totp_uri)
 
-        response.headers['location'] || raise('No redirect location')
+        totp_data = { otp: totp.now }
+        http_request(:post, form_url, data: totp_data)
       end
 
       def extract_authorization_code(redirect_url)
@@ -116,6 +124,51 @@ module Senec
         params['code'] || raise('No authorization code found')
       end
 
+      def extract_login_form_action_url(html)
+        find_form_action_url(html) do |form|
+          # Look for a form with username and password fields
+          form.match(/name=["']?username["']?/i) &&
+            form.match(/name=["']?password["']?/i)
+        end
+      end
+
+      def extract_totp_form_action_url(html)
+        find_form_action_url(html) do |form|
+          # Look for a form with an OTP field
+          form.match(/name=["']?otp["']?/i)
+        end
+      end
+
+      def find_form_action_url(html)
+        forms = html.scan(%r{<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>}mi)
+
+        forms.each do |action_url, form_content|
+          return CGI.unescapeHTML(action_url) if yield(form_content)
+        end
+
+        nil
+      end
+
+      def build_totp_from_uri(uri_string)
+        params = URI.decode_www_form(URI.parse(uri_string).query).to_h
+        secret = params['secret'] || raise('Missing secret in TOTP URI')
+
+        ROTP::TOTP.new(
+          secret,
+          digits: params['digits']&.to_i,
+          period: params['period']&.to_i,
+          algorithm: params['algorithm'],
+        )
+      end
+
+      def handle_redirect_response(response)
+        unless response.status == 302
+          raise "Authentication failed, got unexpected response: #{response.status} #{response.body}"
+        end
+
+        response.headers['location'] || raise('No redirect location')
+      end
+
       def ensure_token_valid
         authenticate! unless authenticated?
         return true unless oauth_token.expired?

data/lib/senec/version.rb

@@ -1,3 +1,3 @@
 module Senec
-  VERSION = '0.21.0'.freeze
+  VERSION = '0.22.0'.freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: senec
 version: !ruby/object:Gem::Version
-  version: 0.21.0
+  version: 0.22.0
 platform: ruby
 authors:
 - Georg Ledermann
@@ -65,6 +65,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Access your local SENEC Solar Battery Storage System
 email:
 - georg@ledermann.dev
@@ -82,7 +96,6 @@ files:
 - ".ruby-lsp/.gitignore"
 - ".ruby-lsp/Gemfile"
 - ".ruby-lsp/Gemfile.lock"
-- ".ruby-lsp/last_updated"
 - ".ruby-lsp/main_lockfile_hash"
 - ".ruby-lsp/needs_update"
 - ".vscode/settings.json"
@@ -150,6 +163,7 @@ files:
 - pkg/senec-0.19.0.gem
 - pkg/senec-0.2.0.gem
 - pkg/senec-0.20.0.gem
+- pkg/senec-0.21.0.gem
 - pkg/senec-0.3.0.gem
 - pkg/senec-0.4.0.gem
 - pkg/senec-0.5.0.gem

data/.ruby-lsp/last_updated

@@ -1 +0,0 @@
-2025-07-29T09:58:37+02:00