OTA over http request with Bearer token

[Hadatko]

Describe your core improvement

Hello
I would like to make my whole process simpler. Of course the example bellow is tight to my usecase, but i think there can be generic code and some protocol specification so it could be usefull for others.
I can imagine something like:

- ota.http_request.flash:
  token_url: ....
  username: ...
  password: ...
  manifest_url:...
  manifest_bin_path: files.f1  # so manifest.json ["files"]["f1"]["url"] and ["files"]["f1"]["md5"] values would be used for ota. Token would be used also for getting bin files.

Current limitations

I need to get and use token by myself. It would be nice to have ability to set path where in manifest file is specified url and md5 for update

Technical benefits

There are two big: For flashing i would be able to reuse token, so i don't need to use login name and password (i hade to do server exception for this one api to accept login name and password instead of token)
Much smaller code and less potentional mistakes

Additional context

globals:
  - id: bearer_token
    type: std::string
    initial_value: '""'
  - id: fw_url
    type: std::string
    initial_value: '""'
  - id: fw_md5
    type: std::string
    initial_value: '""'

text:
  - platform: template
    id: ota_manifest_key
    name: "_OTA Manifest Key"
    optimistic: true
    initial_value: "${ota_prefix}_ota_${name}"
    mode: text

  - platform: template
    id: ota_fw_md5_current
    name: "_OTA FW MD5 Current"
    optimistic: true
    restore_value: true
    initial_value: '""'
    mode: text
    internal: true
    min_length: 0
    max_length: 32

button:
 - platform: template
    name: "_Update fw"
    id: btn_update_secure
    on_press:
      then:
        # 1) LOGIN → get Bearer token
        - http_request.post:
            url: !lambda 'return std::string("${ota_token}");'
            headers:
              Content-Type: application/x-www-form-urlencoded
            body: |-
              username=${ota_name}&password=${ota_passwd}
            capture_response: true
            on_response:
              then:
                - lambda: |-
                    if (response->status_code == 200) {
                      json::parse_json(body, [&](JsonObject root){
                        if (root.containsKey("accessToken")) {
                          id(bearer_token) = root["accessToken"].as<std::string>();
                        } else {
                          id(bearer_token).clear();
                        }
                        return true;
                      });
                      ESP_LOGI("ota", "Bearer token %s", id(bearer_token).empty() ? "MISSING" : "OK");
                    } else {
                      ESP_LOGE("ota", "Login failed (HTTP %d)", response->status_code);
                      return; // Stop without further actions
                    }

        # 2) GET manifest.json with Bearer → extract ota.path + ota.md5
        - delay: 2s  # Delay between steps
        - if:
            condition:
              lambda: 'return !id(bearer_token).empty();'
            then:
              - http_request.get:
                  url: !lambda 'return std::string("${ota_manifest}");'
                  headers:
                    Authorization: !lambda |-
                      static std::string auth_header;
                      auth_header = std::string("Bearer ") + id(bearer_token);
                      return auth_header.c_str();
                  max_response_buffer_size: 4kB
                  capture_response: true
                  on_response:
                    then:
                      - lambda: |-
                          if (response->status_code == 200) {
                            ESP_LOGI("ota", "Manifest response length: %d bytes", body.length());
                            // Debug: show first 200 characters of response
                            std::string debug_preview = body.length() > 200 ? body.substr(0, 200) + "..." : body;
                            ESP_LOGI("ota", "Manifest preview: %s", debug_preview.c_str());
                            std::string url, md5;
                            bool parse_success = json::parse_json(body, [&](JsonObject root){
                              if (root.containsKey("ota_files") && root.containsKey("base_url")) {
                                std::string base_url = root["base_url"].as<std::string>();
                                JsonObject ota_files = root["ota_files"];
                                std::string key = id(ota_manifest_key).state;
                                // Normalization: '-' -> '_' for manifest keys
                                size_t pos = 0;
                                while ((pos = key.find('-', pos)) != std::string::npos) {
                                  key.replace(pos, 1, "_");
                                  pos += 1;
                                }
                                ESP_LOGI("ota", "Looking for key: %s", key.c_str());
                                if (ota_files.containsKey(key.c_str())) {
                                  JsonObject file_info = ota_files[key.c_str()];
                                  std::string relative_url = file_info["url"].as<std::string>();
                                  md5 = file_info["md5"].as<std::string>();
                                  // URL composition: base_url + relative_url
                                  url = base_url + relative_url;
                                  ESP_LOGI("ota", "Found file: base_url=%s relative_url=%s full_url=%s md5=%s",
                                           base_url.c_str(), relative_url.c_str(), url.c_str(), md5.c_str());
                                } else {
                                  ESP_LOGE("ota", "Key '%s' not found in ota_files", key.c_str());
                                }
                              } else {
                                ESP_LOGE("ota", "Missing 'ota_files' or 'base_url' in manifest");
                              }
                              return true;
                            });
                            if (parse_success) {
                              id(fw_url) = url;
                              id(fw_md5) = md5;
                              ESP_LOGI("ota", "Manifest md5=%s url=%s",
                                       id(fw_md5).c_str(), id(fw_url).c_str());
                            } else {
                              ESP_LOGE("ota", "JSON parse failed");
                              id(fw_url).clear();
                              id(fw_md5).clear();
                            }
                          } else {
                            ESP_LOGE("ota", "Manifest fetch failed (HTTP %d)", response->status_code);
                            return; // Stop without further actions
                          }

        # 3) Compare MD5 → flash only if different
        - delay: 1s  # Delay before check
        - if:
            condition:
              lambda: |-
                if (id(fw_md5).empty() || id(fw_url).empty()) {
                  ESP_LOGE("ota", "Missing fw_url or fw_md5 in manifest");
                  return false;
                }
                // Compare manifest MD5 with current firmware MD5
                return id(fw_md5) != id(ota_fw_md5_current).state;
            then:
              - ota.http_request.flash:
                  url: !lambda 'return id(fw_url).c_str();'
                  md5: !lambda 'return id(fw_md5).c_str();'
                  username: !lambda 'return std::string("${ota_name}");'
                  password: !lambda 'return std::string("${ota_passwd}");'
            else:
              - logger.log:
                  level: INFO
                  format: "No update: MD5 matches current (%s)"
                  args: [ 'id(ota_fw_md5_current).state.c_str()' ]