Hi,
I really love this project, use it daily, and enjoy that I have both: a nice end-user UI and an API for automating things. One fact, however, strikes me as a little weird: there is no option to disable authentication for the web-UI — which could be responsible in a well-secured home-internal IoT-Network. However, the API has no ability to be protected at all. So any attacker who has access can just fire requests to the API to trigger whatever malicious behavior he wants to trigger, without caring about the authentication.
I think it would be nice to be flexible and offer both:
For happy-go-lucky users in a well-secured network: Allow disabling authentication.
For careful users in an open or less trusted network: Protect both, UI and API, using authentication.
Thanks for your continued work on this ^_^