Open SombraFrog opened 1 year ago
Hello SombraFrog, thanks for the issue!
We currently assume that the local area network where the device is located is trusted, and we wanted to reduce the access cost, so there is no authorization mechanism implemented at the HTTP API level.
But this is indeed a nice issue, and the authorization mechanism is necessary.
And feel free to add authorization-related implementations if you would like to!
Or we will schedule the development of this authorization function when we are free.
Kei
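For contributors picking up the authorization work Kei describes above, the following is an added illustration (not LifeUp Cloud's code, and not from any participant in this thread) of the simplest check that could sit at the HTTP API level: a per-device shared secret sent as a bearer token and compared in constant time. The token value, the `ApiHandler` class and the port are constructed for the example; a real implementation would generate the secret on the device and show it to the user once. Transport encryption is a separate concern and is not addressed here.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed example secret. A real device would generate its own with
# generate_token() and persist it; this literal exists only so the example runs.
API_TOKEN = "example-token-not-for-real-use"


def generate_token() -> str:
    """Return a random URL-safe secret suitable for a per-device API token."""
    return secrets.token_urlsafe(32)


def is_authorized(headers, expected_token: str) -> bool:
    """Return True only when the Authorization header carries the expected bearer token.

    `headers` is any mapping with .get(), e.g. a dict or BaseHTTPRequestHandler.headers.
    The comparison uses hmac.compare_digest so timing does not reveal how many
    leading bytes of a guessed token were correct.
    """
    auth = headers.get("Authorization", "") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


class ApiHandler(BaseHTTPRequestHandler):
    """Hypothetical API handler: every request must pass is_authorized first."""

    def do_GET(self):
        if not is_authorized(self.headers, API_TOKEN):
            # Reject unauthenticated callers before touching any API logic.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
            self.end_headers()
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the example quiet; real servers should log auth failures.
        pass


if __name__ == "__main__":
    # Binding to loopback only for the demo; a device API would bind its LAN address.
    HTTPServer(("127.0.0.1", 8080), ApiHandler).serve_forever()
```

A client then sends `Authorization: Bearer <token>` with each request; anything else on the network gets a 401 and never reaches the API logic.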
I'd like to call out that the LAN for a mobile device should never be considered safe. You may be at a hotel, out and about, connected to corporate wifi, connected to a store's wifi, on a hotspot, connected to "fake" bridge cell towers, etc. Most individuals spend a significant part of their life away from home anyways, and during the majority of their weekday waking hours do not have the benefit of being in a "safe" LAN.
The device always being at home, in a trusted network, is a rather slim possibility. And even then, the proliferation of insecure, CVE-ridden IoT devices makes a "secure LAN" a thing of the past for many home users.
Aside: Auth is a moot point if there is no transport-level encryption. Your credentials are in the clear regardless, which is easy enough for bots to pick up on public wifi. Which presents another problem with a mobile device server: how are you going to use DNS, and how will you use a valid certificate? Self-signed certs still work of course, but those have their own jank.
I was poking around today, and the problem I'm seeing with contributing is the model seems flipped the "wrong way" (not to be disparaging).
A static server the app can communicate with has endless automation & integration capabilities. The IP is stable, the network can always be controlled, external services can always integrate to the same location, 3rd party tooling and webhooks are straightforward, etc. Whereas a phone doesn't have any of these attributes?
Leaving me scratching my head on what consistent integration utility can be achieved without having to first write your own server to act like a server which can handle integrations the phone "server" cannot (when it so happens to pop into the network) 🤔
The conundrum that comes into play is that the rest of the app has to first build in support to communicate with a server before the community can run with the concept and start playing around with the preexisting automation & life management ecosystem.
I (And I'm sure others) really want to automate and integrate with this app. But that's not feasible with the current model. This is an exciting app, and I want to see this be the best it can be. I 🙏🙏🙏 that we can get the ability for the app to communicate with a server at some point.
Hi Ayagikei,
I can't find anything in the documentation regarding this, so I thought I'd ask here. Is there any type of authentication on the HTTP API provided by LifeUp Cloud? Or can anyone on the network freely access it?
Thanks! SombraFrog