Comments (7)
Can we have a client_id whitelist feature? I feel safer if I can control/see who can access my system.
```yaml
# configuration.yml
auth:
  allowed_unknown_client: False
  allowed_client_ids:
    - https://hassbian.local:8123/
    - https://mypersonaldomain.com/
```
from architecture.
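The check the proposal above describes, written out as an added example (not Home Assistant's own code): the `auth` keys are taken from the commenter's sketch and are assumed, not real options, and client IDs are normalized as URLs before comparison so that trivial spelling differences do not bypass the list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed config mirroring the proposed keys (assumed structure, not a real
# Home Assistant option).
AUTH_CONFIG = {
    "allowed_unknown_client": False,
    "allowed_client_ids": [
        "https://hassbian.local:8123/",
        "https://mypersonaldomain.com/",
    ],
}


def normalize_client_id(client_id: str) -> str:
    """Canonicalize an IndieAuth-style client_id URL: lowercase scheme and
    host, keep an explicit port, default the path to '/', drop any fragment.
    Raises ValueError for anything that is not an http(s) URL."""
    parts = urlsplit(client_id.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"client_id is not an http(s) URL: {client_id!r}")
    host = parts.hostname.lower()
    if parts.port is not None:  # may itself raise ValueError on a bad port
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme, host, path, parts.query, ""))


def is_client_allowed(config: dict, client_id: str) -> bool:
    """Apply the allowlist policy: a listed client_id is accepted; an unknown
    one is accepted only when allowed_unknown_client is true; a malformed
    client_id is always rejected."""
    try:
        candidate = normalize_client_id(client_id)
    except ValueError:
        return False
    allowed = {normalize_client_id(c) for c in config.get("allowed_client_ids", [])}
    if candidate in allowed:
        return True
    return bool(config.get("allowed_unknown_client", False))
```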
It's not giving any extra security.
The Client ID of the Home Assistant frontend will always be accessible. If a hacker wants to try out your logins, they can just try to log in to your normal frontend.
Yes, so I say I feel safe. I can imagine that many users will make similar feature requests after this change is released.
OK, I have a scenario for it.
Let's say I am very worried about my security. I don't want anyone to access my frontend through the Internet, but I have to open API access for some webhook, so I just open port 443 and only allow https://mydomain.com/api/some_endpoint to be accessed from the Internet.
In that case, a hacker only needs to discover "some_endpoint" before he can attack. He doesn't need to know the client_id. If I whitelist client_ids, my security level goes back to a normal OAuth2 setup: he needs to first guess my client_id.
This use case is more for a proxy. We should make our http/frontend component as safe as possible, but we should not go into competition with a full-featured webserver/proxy.
I am not talking about how to filter URLs. IndieAuth basically eliminates the usage of the client id; anyone can use the HA auth provider without preregistration.
Given that they know your instance URL, they already could, because the frontend contains a client id.