Security of DVR Remote Feature

I’d like to understand the security surrounding the remote DVR access feature. From what I can gather, setting up the access is as follows.

  • Open mobile app and start remote access pairing

  • Log in with Channels community login

  • OAuth request is generated and sent to my local DVR installation, which must have port 8089 forwarded

  • OAuth request is accepted and generated and my device can connect

Is this correct? How do I manage my connected devices and revoke a token?

Also, why, if I hit my DVR page externally on port 8089, am I presented with an access token form field? Shouldn’t it just redirect to the Channels community login?

Yes, your overview of the auth process is correct.

The automatic OAuth flow only occurs when you use your xxx.channelsdvr.net domain name. If you access the server via any other hostname or IP, you have to perform the authentication manually via your token.

We don't currently show a list of granted tokens, but I can see how that would be nice to have.

1 Like

Thanks for the confirmation of the authentication flow.

So just to be clear, for an attacker to successfully compromise the manual token page on my installation of Channels DVR, they would have to successfully guess one of my Client ID and secret key pairs?

I do think a good feature to add would be to include in my Channels DVR server the ability to view my apps that have paired and be able to revoke access.

3 Likes

How to force token change... That is the question...