Currently I have Home Assistant accessible only on the LAN or over VPN from the outside. I’d like to get into using custom Alexa skills, but I’m not too crazy about exposing Home Assistant directly to the Internet. Passing the password in the URL doesn’t seem like a good security model, even with TLS enabled, and there’s no good way of filtering by IP (you’d have to allow all of AWS, which is nearly useless). I see that Alexa skill requests are signed, but I assume there’s no way to verify them since the HASS API isn’t specific to Alexa skills. In addition, many ISPs would block incoming traffic to common server ports such as 80, 443, and 25, on residential accounts.
The reason I’m asking is that I am considering creating a custom proxy for Alexa skills that would:
- Check against a white listed set of operations and block everything else
- Verify Alexa signature
- Perhaps add OAuth, if there’s a way to set up the Client Credentials flow
I wanted to ask if I’m missing some simpler solution, before I go down this path. Thanks! 