I’m developing an integration for an sensor. I’m thinking of using something like a REST API or WebSocket server to make data available, but I’m stuck on the best way to handle authentication. I’ve looked at a lot of other existing integrations, but it seems like a lot of them don’t require authentication, or just use username and password. I’m a little wary of this - wouldn’t it be better to exchange some sort of token between my device and HA? It seems like a risk to expose a server on my device without stricter authentication. Or should I not be worried about this? What about this authentication scheme? Does it make sense, or am I overthinking things or missing something obvious?
- User enables local API on the device and gets a passcode.
- Device broadcasts its service with Zeroconf.
- User clicks on discovered device tile in HA. In the user confirmation step, the integration asks for the device passcode.
- The integration connects to the device and provides the passcode. The device generates a token and replies with this. It is saved in the integration’s data.
- The integration uses the token to open a WebSocket connection with the device, over which actual sensor data is actually sent.
Also, a little more background about my device:
- It is capable of running local-only, but generally also talks to a backend server.
- It sends sensor measurements generated every second or so, and is not capable of receiving commands (or any other messages) over local API