Setting up a home automation for my Mother’s vacation home.
- I want remote access without VPN/Tor (She is not technically inclined)
- I want to support multiple accounts, for guests with temporary access
- I do want to use social logins (Google/Facebook) to avoid having to manage a separate password
The approach that I’m trying to set up is my own front-end UI:
- uses Google/Facebook to authenticate the user on the front end
- sends the ID_token to my backend
- backend authenticates the ID_token, verifies the user is authorized, and sends a JWT back to the front-end
- The JWT includes the hass api_password inside the token
- The front-end uses the JWT and api_password to connect to the hass websocket API
This way the hass websocket connection is doubly protected with both a time-expiring JWT as well as the hass api_password.
Benefits:
- all my open ports are secured with JWT + SSL authorization
- should prevent brute force attacks on my api_password
- supports multiple user accounts
- no password to remember
- allows me to change the api_password at will (or on cron) without having to notify users
I’m not an ITSEC person… can anyone tell me if this is a reasonable approach?
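The backend step described above (accept an email the social login already verified, check it against the guest list, mint a short-lived signed JWT, and verify that JWT when the front end presents it), as an added example that is not the poster's code or Home Assistant's. It also shows, in `read_payload_without_key`, that a signed JWT's payload is plain base64url text that any holder of the token can read, which is relevant to anything placed inside it. The guest allowlist, the 15-minute lifetime and the signing key are constructed assumptions; validating the Google/Facebook ID token itself is assumed to happen before `login` is called.

```python
import base64, hashlib, hmac, json

# Constructed guest allowlist: email -> (role, access expiry as unix seconds).
# Hypothetical data; in a real backend this would come from a database.
GUESTS = {
    "owner@example.com": ("owner", 4102444800),            # 2100-01-01
    "guest@example.com": ("guest", 1700000000 + 7 * 86400),  # one-week guest
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, key, ttl_seconds, now):
    """Mint a compact HS256 JWT carrying the claims plus iat/exp (stdlib only, no PyJWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def verify_jwt(token, key, now):
    """Return the claims if the signature checks and the token is unexpired, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims

def read_payload_without_key(token):
    """The payload is base64url text, not ciphertext: any holder of the token can read every claim."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def login(email, key, now):
    """Backend login: the email was verified upstream; an allow-listed, unexpired guest gets a 15-minute JWT."""
    entry = GUESTS.get(email)
    if entry is None or entry[1] <= now:
        return None
    return issue_jwt({"sub": email, "role": entry[0]}, key, 15 * 60, now)
```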