Add option to allow access to config section only from select IPs

Hi,
I’ve configured my HA setup to require a password and access over SSL from the Internet etc. I’m fine with the potential risk of someone turning a device on or off etc, or triggering a script or automation should my password get compromised. However, I’m not so keen on allowing access to modify or create new actions, or disable the service entirely via the config: pages.

My options currently are to disable access to the configuration entirely if I don’t want this to happen. Frankly, I like the new web-based configuration stuff, and want to update & maintain my setup via that interface rather than hand editing the config files directly.

Could we have an option to selectively allow access to config: from a trusted IP range?
That way I can leave config: configured all the time, but can only modify or perform shutdown/restarts via it when I’m connected via my home network. My current alternatives are: Keep config: enabled all the time and live with the potential risk, or remove config: and live with not being able to use the cool web-based config stuff.

Alternatively, could we have multi-account support instead of a single password gating access, and have different privilege levels for different accounts?
e.g.
guest: Access to certain pages read-only &/or toggle certain controls etc.
normal: Full access to everything except home-assistant system & configuration stuff.
admin: Super user/administrator access etc.

That way I could have a far more secure password for admin (or even combine the two ideas and have admin have a stronger password plus only valid from local IP addresses) than the current weak password I need to use now given how frequently I need to re-enter it, or painful it is to enter on a mobile device, or how simple it needs to be so all the family members can remember it.

I guess the TL;DR: is, the trivial password protection is not sufficient IMHO. Better access controls are needed.

Thanks in advance.

Here are some earlier thoughts on this topic: Advanced Authentication

Agreed. That’s fairly similar, but it would be nice to have a second-factor approach of having a password AND an address from the correct IP range for some functions.

For me, realistically it’s “I only want to have config control when I’m accessing it from home” and have config access disabled from everywhere else.
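
The policy discussed in this thread (guest/normal/admin roles, with config functions additionally limited to a trusted IP range) can be sketched as follows. This is an added example, not part of any post and not Home Assistant code; the network ranges, the path prefixes and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration; these are not Home Assistant settings.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fd00::/8")]
ADMIN_PREFIXES = ("/config", "/system")  # hypothetical config and restart/shutdown paths
ROLE_RANK = {"guest": 0, "normal": 1, "admin": 2}  # role names taken from the post


def from_trusted_network(remote_ip: str) -> bool:
    """True only if the address parses and lies inside a trusted range."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparseable address: fail closed
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in TRUSTED_NETWORKS)


def is_admin_path(path: str) -> bool:
    # Match "/config" and "/config/..." but not "/configuration".
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def is_allowed(role: str, path: str, remote_ip: str, write: bool = False) -> bool:
    """Decide one request. remote_ip must be the socket peer address, or an
    address set by a reverse proxy you control, never a raw client header."""
    rank = ROLE_RANK.get(role)
    if rank is None:
        return False  # unknown role: fail closed
    if is_admin_path(path):
        # Both factors are required: the admin account AND a trusted source.
        return rank == ROLE_RANK["admin"] and from_trusted_network(remote_ip)
    if write:
        return rank >= ROLE_RANK["normal"]  # guests are read-only
    return True


if __name__ == "__main__":
    # Constructed sample requests: (role, path, source address, write?)
    for req in [("admin", "/config/automations", "192.168.1.20", True),
                ("admin", "/config/automations", "203.0.113.7", True),
                ("guest", "/lights/kitchen", "203.0.113.7", True)]:
        print(req, "->", is_allowed(*req))
```
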