Skip to content

Instantly share code, notes, and snippets.

@mitchellrj

mitchellrj/readme.md

Last active April 22, 2021 19:22
Show Gist options
  • Save mitchellrj/f3b79fb628caaaf6276e9d2d2ae0754f to your computer and use it in GitHub Desktop.
Save mitchellrj/f3b79fb628caaaf6276e9d2d2ae0754f to your computer and use it in GitHub Desktop.
Download ZIP
Get snapshot from Unifi Protect
Raw
readme.md

Any commands in this guide are to be run on the CloudKey over SSH.

1. Create a new read-only user

Do this through the web interface, create a local user with username & password (not email address). It doesn't matter what you set the password to, you'll never use it.

2. Set your user to have the right permissions

There's no option to set user permissions through the web interface for local users. We need to find out the ID of the View Only group...

psql -p 5433 -U unifi-protect unifi-protect -c "SELECT id from groups WHERE name='View Only';"

and then assign the new user to that group:

psql -p 5433 -U unifi-protect unifi-protect -c "UPDATE users SET groups='["GROUP ID HERE"]' WHERE \"localUsername\" = 'YOUR NEW USERNAME';"

if you're on a newer version of Protect, this will complain about localUsername not existing, you'll need to get an ID first.

psql -p 5433 -U unifi-protect unifi-protect -c "SELECT id from \"ucoreIdentities\" WHERE email='YOUR NEW USER EMAIL';"

then try assigning again

psql -p 5433 -U unifi-protect unifi-protect -c "UPDATE users SET groups='["GROUP ID HERE"]' WHERE id = 'YOUR NEW USER ID HERE';"

3. Get an auth token for your user

First we need your user's ID

psql -U unifi-protect unifi-protect -c "SELECT id from users WHERE \"localUsername\" = 'YOUR NEW USERNAME';"

Then we need the JWT secret

psql -U unifi-protect unifi-protect -c 'SELECT "jwtSecret" from nvrs;'

Visit jwt.io and scroll down to the debugger. In the payload section, paste:

{"id": "YOUR USER ID"}

in the "verify signature" section, paste the JWT secret in the place of "your-256-bit-secret".

Now copy the contents of the "Encoded" box. This is your secret key.

4. Make requests

You can now make any API requests you need to as your new user using the token, for example, fetching camera snapshots:

curl -kv \
  -H 'Authorization: bearer YOUR_TOKEN_HERE' \
  https://ck-plus:7443/api/cameras/CAMERA_ID/snapshot

5. Getting still images for Home Assistant

One way to achieve this is to use a reverse proxy that will set the URLs for you. For example, I use nginx to reverse proxy Home Assistant already, so added this location directive:

    location /cloudkey/ {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_set_header        Authorization "bearer MY_TOKEN_HERE";

      proxy_http_version 1.1;

      proxy_pass          https://ck-plus:7443/;

    }

I then set the following config for my cameras:

camera:
  - platform: generic
    stream_source: rtsp://ck-plus:7447/STREAM_ID
    still_image_url: https://hassio/cloudkey/api/camera/CAMERA_ID/snapshot
    verify_ssl: false
    name: Camera 1
@ringe
Copy link

ringe commented Jun 11, 2020

Thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment