Open keatontaylor opened 7 years ago
robbiet480
commented
7 years ago The core contributor Home Assistant team is working on this currently and has been for a few months. That's the main reason why I made it possible to pass in the config object :).
keatontaylor
commented
7 years ago Can you elaborate more @robbiet480? I've seen no mention of this on the HA side, and am curious how such an implementation would look.
robbiet480
commented
7 years ago The core contributors would operate a cloud service that allows secure linking of your Home Assistant instance(s). That cloud service would provide Alexa as a service, along with some other cloud functionality which you can imagine (cough DynDNS)...
keatontaylor
commented
7 years ago I do certainly hope this is coming soon, because it would greatly improve the user experience for things like alexa, especially with the new video skill.
robbiet480
commented
7 years ago
One of the things I really want is to give more users access to the cool features of haaska in a way that would be substantially easier for them to set up. Which by far the hardest part of setting up haaska is the getting the amazon login, alexa skill, and lambda stuff set up correctly.
All these steps could be avoided if we did the following:
Submit the HAASKA Smart Home Skill to amazon for publishing.
Generate the token by encrypting the user credentials. (hostname, port, ha password)
Queries to haaska will be forwarded to the appropriate ha install based on decryption of the token.
This seems to avoid us hosting our own database that links tokens to a specific user, meaning that there will be no database for the user to compromise. Also, alexa itself already encrypts the entire payload so our token would essentially be double encrypted in transport.
The only downside I see to this is someone would be required to host the haaska lambda instance and incur and associated costs, but I suspect this would be either zero (for less than 1 million requests) or very small.
Clearly this would mean that the person hosting the haaska instance could potentially capture user data, but that is a risk for using any cloud service. So building user trust by not logging tokens and continually providing the entire codebase for review would be our biggest ally.
@trisk @auchter what do you think?