ambient-weather / api-docs

AmbientWeather.net API Documentation

Can't hardcode an application key #14

Closed bachya closed 5 years ago

bachya commented 5 years ago

Home Assistant currently has an integration that uses the Ambient Weather REST API. In its original design, it required users to provide both an application key and an API key. Recently, when one of our users reached out to Ambient, he had this interaction:

Ambient weather does not want to provide app keys and has told me the developer of this should have hard coded the app key in to this.

I referred them to the HA documentation and the following was the response:

"Unfortunately, he is wrong. It is one app with many users, not many apps with many users. Thus, he needs to supply you with the app key unique to his application."

Although we understand the principle (the application key identifies the application and the API key identifies the user), we can't use this approach. We are an open source, GitHub-hosted project; if we hardcode an application key into our integration, it will be available for the entire world to see. Although an API key is still required to use the API, enterprising Google users could simply hunt around, find our application key, pair it with their own API key, and go to town.

Would you be willing to collaborate with us on a different authentication mechanism that accomplishes your purposes, but also adequately supports the fact that we are public and open source? Or, if a "more correct" mechanism already exists, could you point us to it?

Thanks!

ambientweather commented 5 years ago

The issue is that it is time consuming since we review each app key. I would not worry about posting the app key. I doubt anyone will do anything nefarious with it. Anyone that writes their own application will want their own app key. Thanks, Ed


bachya commented 5 years ago

Thanks, Ed – we'll accommodate. Closing this issue.

owise1 commented 5 years ago

@bachya Update on this. In the next week we'll be allowing users to create their own application API keys. In light of that, I think it's probably best not to publish your application key. Are you able to hang tight for a week?

bachya commented 5 years ago

@owise1 Yes; we'll re-open and hold for now.

owise1 commented 5 years ago

OK. That feature is out. You may need to clear your cache and reload to see it. Thanks!

bachya commented 5 years ago

I see it, @owise1. Thank you!