From a security point of view, I highly dislike the one, global API password that lets you do everything. My initial thought was to have a different password for the HTTP interface vs. the API. But, even that, if someone figures out or snoops out your API password, they have control over everything.
I would like to see a new optional parameter on every configuration object that allows you to create a new API password that only has access to that one specific component.
Going further, perhaps the ability to add API users and define what actions they can take.
I’m sure there’s a million ways to improve security in this fashion, so I open this up to discussion. But, I do believe this should be considered a high priority request as securing external access to our systems should be paramount.
Thanks, but that has nothing to do with what I’m requesting.
If my API password is “password123” and I go make a IFTTT trigger with “?api_password=password123” and someone sees that/figures it out, then now have my password to control EVERYTHING in my system, or to log into my HTTP interface and see my logs, history, locations, etc.
Sorry for digging this old post. I’m surprise it is still not yet implemented to this day. I find it pretty uncomfortable to use the same password for everything. Please let us have separate password for http and API.