esphome/esphome-vscode

Fix Security, leave_front_door_open

glmnet opened this issue · 3 comments

I was just checking how the HA vscode add-on uses the ESPHome vscode add-on, and I see it is using the leave_front_door_open config and it's warning about it, etc.

Now I want to fix this, but I don't know exactly how. I can learn for sure, but it would be best if people with more knowledge could put me on the right track.

It would be good to do it in a way that integrates easily with the HA vscode add-on, as I believe many people will be using it that way.

Otto wrote:

Authentication also will need to be resolved. The dashboard uses a "secure cookie" for this that is set when the client first logs in (at /login). The plugin will need some way of setting this cookie (or another authentication mechanism needs to be added in the backend).

So I believe a cookie can be set when the plugin opens the websocket for authentication (I've never done it); in that case I need the cookie.

I have no good idea of how to get the cookie.
I know if I do the POST at login I'll get it, but I'll have to provide the credentials. Should I present a UI in vscode for this? I hope not.

Is there some way to launch a browser window where the user logs in and then I take the cookie? I believe I've seen this in other plugins, like the one that does Settings Sync.

Should a token be created in the ESPHome dashboard which users manually copy into vscode settings?

Does anyone know what the good options are?
@OttoWinter @frenck

Thanks!

So I see two things here:

  1. A token based auth system (next to the user/pass system there already is). Right now it's just a secure cookie that has the value authenticated in it.
  2. websocket auth: Right now, that's done via cookies too. But it would be better to solve that with a message in the websocket connection that is first sent upon connecting.

I know HA does both 1 & 2. How the token is generated with the HA VSCode plugin I don't know, but it shouldn't be too hard to figure out (haven't tried the plugin, but from the onboarding it should be pretty clear how it's done).

How the token is generated with the HA VSCode plugin I don't know

It instructs you to create a Long Lived Access Token in HA, which you then have to copy into VSCode settings.

Additionally, we should think about how this ties into Hass.io ingress.
Ideally, a solution would also work for ingress (ingress is a service that proxies HTTP to Hass.io addons on a special path).

I believe Hass.io ingress uses cookie-based authentication for ingress websockets - which would mean we'd need to support both access-token auth (for direct esphome dashboard server) and cookie-based auth (for esphome dashboard behind ingress).
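One way to support both paths discussed in this thread (a signed cookie for the ingress/browser case, and an auth message sent as the first websocket frame for the direct token case), as an added illustration that is not ESPHome's or the plugin's code; the cookie format, the cookie name, the `{"type": "auth", "token": ...}` message shape and the hashed token storage are all assumptions:

```python
import hashlib
import hmac
import json
from typing import Optional

COOKIE_NAME = "authenticated"  # assumed cookie name (constructed for this example)


def sign_cookie(value: str, secret: bytes) -> str:
    """Simplified HMAC-signed cookie standing in for the dashboard's secure cookie (assumption)."""
    sig = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{sig}"


def verify_cookie(cookie: str, secret: bytes) -> Optional[str]:
    """Return the signed value if the signature verifies, else None."""
    value, sep, sig = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(sig, expected) else None


def hash_token(token: str) -> str:
    """Tokens are stored hashed so a leaked settings/config file does not expose them."""
    return hashlib.sha256(token.encode()).hexdigest()


def authenticate_ws(cookies: dict, first_message: Optional[str],
                    cookie_secret: bytes, token_hashes: set) -> Optional[str]:
    """Decide how (or whether) a new websocket connection is authenticated.

    Returns "cookie", "token" or None. Checked in order:
      1. secure cookie carrying the value "authenticated" (ingress / browser case)
      2. first websocket message {"type": "auth", "token": "..."} (plugin case)
    """
    cookie = cookies.get(COOKIE_NAME)
    if cookie and verify_cookie(cookie, cookie_secret) == "authenticated":
        return "cookie"
    if first_message is None:
        return None
    try:
        msg = json.loads(first_message)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("type") != "auth":
        return None
    supplied = hash_token(str(msg.get("token", "")))
    # Compare against every stored hash in constant time; no early exit on match.
    matched = False
    for stored in token_hashes:
        if hmac.compare_digest(supplied, stored):
            matched = True
    return "token" if matched else None
```

A connection that authenticates neither way should be closed before any other message is processed; the first frame is consumed only by this check.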