Secure REST endpoints in addon

Hi all,
I created an add-on that exposes a REST endpoint that will send WhatsApp messages based on [whatsapp-web.js](https://github.com/pedroslopez/whatsapp-web.js) (a WhatsApp client library for Node.js that connects through the WhatsApp Web browser app).
This works perfectly.
Now I wanted to make it secure as the REST endpoint is now exposed inside my network. The goal is that they should only be called by the HA framework (automation actions, NodeRed calls, etc).
This security can (should) be done on 2 levels:

  • Add some authentication.
  • Don’t expose the REST endpoint port (but keep it inside the home assistant OS/docker host)

The first can be done by adding some shared secret of sorts: either something custom, or via the /auth supervisor API and a dedicated user (service account).
The second can be done (if I'm not mistaken) by adding 127.0.0.1 to the port mapping parameter of the docker run command. I do not, however, have control (I think) over that.
Q: How can I limit exposure of the endpoint port of my add-on to only Home Assistant (and other add-ons inside HA)?

Thanks,
Stefaan

By default, you can expose the add-on to the Home Assistant network only, so the communication will stay inside Home Assistant and not be accessible from outside of it.

Unless you open the port explicitly, the ports are available internal only.

Host networking can be used too; you can disable this and it will become bridged only with HA.

Indeed.
I had added the following to my config.yaml:

```yaml
ports:
  3000/tcp: 3000
network:
  3000/tcp: "The REST webserver port"
```

This seemed obsolete and caused the ports to be exposed. Commenting this out kept the ports inside Home Assistant.

Thanks,
Stefaan
