I know RBAC/fine-grained user permissions is a highly demanded feature; I’m one of the demanders. In my case I really want to provide my condo co-owner with the power to turn on the exterior lights and buzz the shared front door without exposing any other power or data to him.
I started to write my own frontend that would have a hardcoded or configuration-based list of entities and services that each user was allowed to access, and then I realized I was building chunks of lovelace.
What about just proxying the websocket connection from lovelace directly, and filtering messages? The idea is that there would be a server that would make a connection to the WS API as a service user. That service would have its own auth, and each user would have a list of services they were allowed to call and what the targets are allowed to be. If the proxy received a message that didn’t match the filter it would send an error back to the client, otherwise it would pass it on.
Same for state updates; if the target of the update isn’t on the proxy’s allowlist, it simply wouldn’t be forwarded to the client.
I’m hoping that I could just point Lovelace at the proxy endpoint and everything would Just Work™.
I’m an experienced full stack dev but new to working on HA. Is there anything about this plan that obviously wouldn’t work, or things I have to look out for?