HASS-WH-Triggers (secure remote access for webhook triggers)

Hi,

I have created a small web app which some of you might find useful: https://github.com/danielperna84/hass-wh-triggers

A short summary of what this tool does (the repo provides more in-depth information and screenshots):
It’s a small website that lists shortcuts to your Webhook Trigger automations. These shortcuts are just simple buttons with a custom caption.

The interesting part about this is how this can be accessed: obviously users have to register and login to gain access to these shortcuts. But additionally 2 factor authentication is a strict requirement. It is possible to choose between:

  • FIDO2 (recommended)
  • TOTP (the OTPs you get from Google Authenticator, use when FIDO2 is not an option)
  • Manually created OTPs by an admin user

So what problem does this solve?

By using this you can grant access to very specific functions of your smart home to 3rd parties without having to share access tokens or create extra users in Home Assistant.

This could be used for example to allow friends to unlock your front door under certain conditions, but do so with tight security and not exposing anything else about your home. And, when limiting to FIDO2, these users can’t share their access to others without passing the hardware token along as well.

Have a look at the installation section of the wiki on how to deploy the app. It’s available as a package on pypi, and I also provide a Docker image for amd64 (regular computers, not raspberries etc.).

If you have a Home Assistant Core installation, your system should be able to run the pypi package. But because it’s using the webhooks it can actually run anywhere in the web. So if you have a Microsoft Azure account, you can probably deploy it there and don’t have to add port forwarding in your router. Or just some other server with Python 3 installed and shell-access.

Of course I’m happy to get some feedback on this. It’s my first Flask app. So I might be doing some pretty stupid stuff there. But I’m fairly confident that I have done the security pretty well. If you find any issues, please report them. And if you can help with the application structure / deployment, you’re very welcome to do so.


Even though this project doesn’t seem to be all that popular (judging by the lack of feedback it has received until now), I still want to keep this thread up to date for those interested.

So, yeah, I have released version 0.0.2, for which the changelog now follows:

Version 0.0.2 (2020-02-16)

  • Re-enabled autocomplete
  • Disabled auto-capitalize at registration form
  • Use proper logging
  • Reject requests where supplied hostname does not match ORIGIN
  • Add progressive web app functionality
  • Send HUP to Gunicorn master process on saving settings (if Gunicorn is detected)

Changes 4 and 5 could be interesting, so I’ll give some more details about those:

  1. A webserver can be accessed either by the commonly used hostname (somedomain.tld), or directly by IP address. With version 0.0.1 both worked, albeit without FIDO2 working when the IP address was used. Since this webapp aims to be very secure, it is now required to actually use the correct hostname. Using the IP (or a different CNAME that points to the same server) will now be rejected and the client will be considered for banning. So automated scripts scraping the web and arriving at your instance will just get the unauthorized error (because those scripts usually only connect using the IP).
  2. Since it makes sense to store a shortcut to this webapp on your phone’s home screen, I have added some stuff that turns this into a Progressive Web Application (that only works online obviously). I don’t have iOS devices to test this with, but on my Android device I indeed get a nice icon-shortcut, and the webapp gets opened as if it were a standalone app (browser stuff like tabs is hidden etc.). This should make the app a little more convenient to use.

EDIT:
New version(s) available:
Version 0.0.3 (2020-02-20)

  • Hide TOTP input on login site if TOTP is globally disabled
  • Fix progressive web app functionality
  • Allow assigning triggers to users
  • Allow users to change their password
  • Add optional geolocation requirement for triggers
  • Allow to purge the banlist
  • Allow to disable triggers

And Version 0.0.4 (2020-02-21) just fixes a security issue.

EDIT:
New version available:
Version 0.0.5 (2020-02-24)

  • Reload when the app gets focus and show refresh-hint when lost
  • Add custom modals
  • Added button to append random string to Webhook URI
  • Allow to export and import triggers as JSON
  • Allow to export and import users as JSON
  • Allow to export and import FIDO2 authenticators as JSON
  • Cosmetic changes

My comments on the release:
The auto-reloading / hint to manually refresh is a result of the short session duration I use. When using the PWA the session usually expires. So when opening the app again you still see the triggers, even though you’re technically not logged in anymore. Firing a trigger in this state will just time out / do nothing. Hence the app tries to reload (which sadly still fails when the OS has put the app to sleep), and additionally shows a hint that refreshing is a good idea.
The export and import of data honestly is just a workaround to somehow save your data externally in case the database schema will be updated in the future. Databases aren’t my forte, so at least I will not implement automatic schema upgrades.

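Added illustration (not code from hass-wh-triggers) of the hostname check described in change 4 above: the Host header has to name exactly the hostname configured as ORIGIN, IP literals and alternate names get the unauthorized error, and repeated rejections from one client lead to a ban. The ORIGIN value, the threshold of 3 rejections and the status codes are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed values: the public name the app is reachable under, and an
# assumed number of rejected requests after which a client gets banned.
ORIGIN = "https://triggers.example.org"
BAN_THRESHOLD = 3


def host_matches_origin(host_header: str, origin: str = ORIGIN) -> bool:
    """True only when the Host header names exactly the hostname of ORIGIN.
    IP literals and any other name (e.g. a CNAME for the same server) are
    rejected; the port is ignored since reverse proxies may rewrite it."""
    if not host_header or any(c in host_header for c in "/@?#\\"):
        return False
    try:  # urlsplit strips an optional port and IPv6 brackets for us
        host = (urlsplit("//" + host_header.strip()).hostname or "").lower()
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    try:
        ipaddress.ip_address(host)
        return False  # bare IP never accepted: FIDO2 needs a domain as RP id
    except ValueError:
        pass  # not an IP literal, compare as a hostname
    return bool(host) and host == (urlsplit(origin).hostname or "").lower()


class BanTracker:
    """Counts rejected requests per client IP; bans once the threshold is hit."""
    def __init__(self, threshold: int = BAN_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures = defaultdict(int)

    def is_banned(self, client_ip: str) -> bool:
        return self.failures[client_ip] >= self.threshold

    def record_failure(self, client_ip: str) -> None:
        self.failures[client_ip] += 1


def check_request(host_header: str, client_ip: str, bans: BanTracker) -> int:
    """HTTP status to answer with before any route runs (e.g. from a Flask
    before_request hook): 403 banned client, 401 host mismatch, 200 pass."""
    if bans.is_banned(client_ip):
        return 403
    if not host_matches_origin(host_header):
        bans.record_failure(client_ip)  # a mismatch counts toward a ban
        return 401
    return 200
```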