Sia 1.3.6 API Password Integration

New version of Sia needs an API in order to upload. Is there a way to add this via command? Sia server password does not work.

If you’re following along from a search, you can bypass the api password using
siad.exe --authenticate-api=false
or if you are using the gui, start siad.exe with:
siad.exe --sia-directory “C:\Users\User\AppData\Roaming\Sia-UI\sia” --authenticate-api=false

1 Like

Hello @evlvd, welcome to the forum!

I don’t use Sia so am a little confused, how does this apply to Duplicati - are you saying it needs to be updated to support the new API?

Yes, that’s correct. The current Sia integration doesn’t have an API password option.

I don’t run Sia either, but 1.3.6 was released 9 days ago without mention of such change (seemingly the ASIC hardfork was the main point), and a Google search going a week back for “sia” “1.3.6” “api” “password” didn’t give me clues. There were 8 results, one of them this topic. Do you have any links or other history about this?

Siad API doesn’t say that there are two passwords involved, just one for the API, but only sometimes required. Without fully checking, it looks like this code is trying to setup for the Basic Authentication that Sia might need.

It’s conceivable that the their default for --authenticate-api changed to true. There’s 2016 talk about that here. Have you used any older version of siad with authentication turned on? Maybe nobody was using that before?

Duplicati offers an Advanced option --sia-password you could try, but it might work just like “Server password”

1 Like

It looks like it has already been an option for a while, but only in 1.3.6 did it become the default configuration.

See this: Enforce API authentication by default (!3239) · Merge Requests · NebulousLabs / Sia · GitLab

I just updated to SIA 1.3.7 myself (as well as the newest Duplicati canary), and while I don’t get any password issues, when Duplicati goes to download the “dlist” file from Sia during “verify files”, no download ever begins per anything I can see within the Sia client (and past experience tells me I’d see it in there). So something appears to have potentially gotten broken.

This is because it isn’t able to download or upload without the API. See my suggestion above to test by starting without API authentication.

The weird part is, it downloads the file list fine; just never starts to download the dlist file.

That seems to have done the trick, thanks. I wonder if there’s a less clunky way to start SIA with api password authentication disabled? I had to do the command line command and then manually launch SIA UI, which felt wrong somehow.

So it’s confirmed that a siad (the daemon) defaults change makes it no longer work with Duplicati unless the default is overwritten b to the previous setting?

Has any body checked GitHub for this yet?

One of the devs messaged me that he’s going to put an option in the GUI to disable the authentication, but I’d rather have duplicati have the authentication as an option to keep everything secure.

1 Like

For those who don’t like the new autogenerated password mentioned in the GitLab issue, does anyone know how one used to set a password? The 2016 article says it was at the time interactively typed into siad (which sounds very much like --temp-password mode in the GitLab issue). If you do that, can Duplicati get in with it? Hearing “yes” means Duplicati is feeding in password correctly. Hearing “no” means there may be more work beyond just grabbing the password from the file (and I wonder whether the password file has any security…).

1 Like