I’ve got this use case where I want to be able to give guests or employees limited access. Things like opening the garage door to the shop…
I’ve read a bunch of threads on guest access and not found anything quite like I want. Ideally the guest can access a URL and they get access to one specific dashboard. For employees I’d like the same, but ideally keep some track of who did what and when.
I’ve been using kiosk mode to secure my phone’s dashboard when it’s locked (android device control), but that works because you can’t modify the URL path to disable kiosk mode.
Tonight, I wondered if I could create a dashboard and use a reverse proxy to access just that dashboard; that might keep people from being able to append queries that break out of kiosk mode, right? From a security/access control perspective I could do authentication on the reverse proxy. A downside to this is that HA would see everyone as one user, so there’s no logging about who did what if I had multiple users.
Just spitballing here, could that work and be “secure”? Any other ideas?
I created a JavaScript webpage and linked it to the HA API with an auth token.
The page has a “doorbell” and an “open with code” button.
I created an OTP sensor for each user. They can enter the OTP to allow opening. This prevents sharing and requires time-of-use authorization. It also allows me to see who entered the code to open.
There is an automation that verifies the OTP code along with any other rules, like time-of-day limits, and executes the appropriate action. In this case it either opens the gate, sends an image to me and rings the bell, or if the code is wrong it rings the bell and sends a notification.
Since the page only sends info to HA (the OTP code) there is no possibility of sidestepping this to open.
The site sends an HTTP POST with the OTP as data. This gets redirected by my proxy server to a weblink with a bearer token to send the data to the HA automation. I need to check if it is possible to retrieve the redirect link, which would also mean grabbing the bearer token, but for now I’m not terribly concerned and actually more concerned about someone with access to the webpage spamming the doorbell.
I will edit my first post with code. Worst case maybe someone can improve it. I’m no coder but can make useful junk every once in a while.
I’m following you now, at least in concept. I’m happy to help trying to exploit it too.
In my case it’s only going to be exposed via secure WiFi, and it’s highly unlikely any person connecting will have the background to realize and exploit a vulnerability, but… I’d prefer to keep it properly locked down.
alias: ACTION_OTPWebhookGateOpen
description: ""
trigger:
  - platform: webhook
    allowed_methods:
      - POST
      - PUT
      - GET
      - HEAD
    local_only: false
    webhook_id: webhook2
    id: code
  - platform: webhook
    allowed_methods:
      - POST
      - PUT
      - GET
      - HEAD
    local_only: false
    webhook_id: webhook1
    id: doorbell
condition: []
action:
  - if:
      - condition: trigger
        id:
          - code
      - condition: template
        value_template: "{{ (trigger.json) == (states.sensor.person_otp.state) }}"
        enabled: true
    then:
      - service: switch.turn_on
        target:
          entity_id: switch.gate_switch_3
        data: {}
        enabled: true
      - service: notify.mobile_app_myphone
        data:
          data:
            entity_id: camera.frigate_gate03
          message: The Gate was opened using Code
    else:
      - if:
          - condition: state
            entity_id: siren.doorbell_play_tone
            state: "off"
            for:
              hours: 0
              minutes: 0
              seconds: 10
            enabled: true
        # then: <doorbell action> was dropped while sanitizing for posting (see EDIT below)
mode: single
EDIT
It’s not in this code, but the else condition needs a then action. Should be simple enough to add. I deleted it by mistake when sanitizing for posting here.
Alright, finally getting to this… I have a couple questions if you don’t mind.
Is your mysite.com a different subdomain or something than your main URL to Home Assistant? I’d assume so, but it’s unclear from your nginx snippet. I’m running into CORS errors, and the locations don’t appear to be triggering the automation. Wondering if that’s my issue. I am using two subdomains.
I get an automation trigger if I hit the URL from a browser or curl, but not from the button. When I hit the button I get nothing. Finally thought to check the browser console…
I did try disabling CORS, however I still get an error. I’m almost certain my issue is from the proxy configuration, however I’m rather inexperienced. Most of my success has been via NPM, with a few backend tweaks. Do you have any suggestions on where to start?
Yes. I should have made that more clear. The 308 redirects to the HA main site and API. This webpage exists in a separate domain. Both domains are my own private ones.
Did you try other browsers, or do you have some pop-up blocker? I’m not an expert at this, but CORS errors seem to be a browser-side error, not a webserver error. I’m guessing your browser doesn’t like the redirect. I first tested with a direct API call from the button and later moved it into the nginx redirect. You can expire the token after testing to be sure it didn’t get picked up and leaked.
I do nothing here. The OTP sensor automatically creates tokens every minute.
I will post the automation if I didn’t already. I never created a log for numbers since only my daughter used this. The data received is placed in the message sent in the HA notification. Really, it currently accepts anything, including the code, FYI. Need to filter inputs in nginx or the HTML code at some point.
My website had my ha.x.com URL on the buttons instead of guest.x.com. Once I caught that, all the rabbit hole of CORS went away…
Now the final issue I’m having is getting the JSON info to get caught by the automation.
EDIT - I was missing a { at the beginning of the template that read the trigger.
I’ve got this working with test actions, but I’m going to swap everything to the real deal and share code snippets of what finally worked.
Security FYI - the webhook string is visible to anyone visiting the website and inspecting the headers. I don’t think it’s a security issue as long as you don’t allow anything critical (like a door/gate/garage) to be triggered without the OTP condition.
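Added example, not the thread author’s nginx config: a reverse-proxy front for the guest page that proxies the two buttons instead of 308-redirecting them. A redirect hands the browser the full target URL in the Location header (webhook id, token and all), whereas a proxied request keeps those on the server, stays same-origin with the page (so the CORS errors above cannot arise), and can be rate-limited per client against doorbell spam and OTP guessing. Assumed names: guest.example.com, ha.example.com, /var/www/guest; webhook1/webhook2 are the ids from the automation above.

```nginx
# Added example, not the thread author's nginx config. Assumed: the guest page is
# served as guest.example.com from /var/www/guest, Home Assistant is reachable at
# ha.example.com, and webhook1/webhook2 are the ids from the automation above.

# One bucket per client IP: the bell may ring 6 times a minute, an OTP may be
# tried 10 times a minute. Requests beyond the burst get HTTP 503.
limit_req_zone $binary_remote_addr zone=doorbell:1m rate=6r/m;
limit_req_zone $binary_remote_addr zone=otp:1m      rate=10r/m;

server {
    listen 443 ssl;
    server_name guest.example.com;
    # ssl_certificate / ssl_certificate_key go here as usual
    root /var/www/guest;                     # the static page with the two buttons

    # "open with code": proxy, do not redirect. The browser only ever sees
    # POST /gate on its own origin, so the HA hostname, webhook id and any
    # token stay on the proxy and the page needs no CORS headers at all.
    location = /gate {
        limit_except POST { deny all; }      # the button only POSTs; refuse GET/HEAD/PUT
        client_max_body_size 64;             # an OTP is a short JSON value; drop anything bigger
        limit_req zone=otp burst=3 nodelay;
        proxy_pass https://ha.example.com/api/webhook/webhook2;
        proxy_ssl_server_name on;
        proxy_set_header Host ha.example.com;
        proxy_set_header X-Forwarded-For $remote_addr;   # lets HA record which client sent the code
        # A webhook trigger needs no token (the webhook id is the secret). Keep a line like
        # this only if the upstream you actually call requires one; the token is injected
        # here and is never sent to the browser.
        # proxy_set_header Authorization "Bearer <LONG_LIVED_TOKEN_PLACEHOLDER>";
    }

    # "doorbell": same shape, tighter limit, nothing else to validate.
    location = /doorbell {
        limit_except POST { deny all; }
        client_max_body_size 64;
        limit_req zone=doorbell burst=2 nodelay;
        proxy_pass https://ha.example.com/api/webhook/webhook1;
        proxy_ssl_server_name on;
        proxy_set_header Host ha.example.com;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The X-Forwarded-For value only reaches Home Assistant if its `http:` integration has `use_x_forwarded_for: true` with the proxy listed under `trusted_proxies`; otherwise HA sees every request as coming from the proxy’s own address.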