bwp91 / homebridge-ewelink

Homebridge plugin to integrate eWeLink devices into HomeKit.
MIT License

Improve security, the ewelink password is visible, not encrypted or scrambled. #223

Closed azagramac closed 3 years ago

azagramac commented 3 years ago

bwp91 commented 3 years ago

Hi @AzagraMac

Please try the latest beta v5.5.2-2, looking at these options here:

base64 options

If the option is set to true then the plugin will decode the given password from base64 into 'plain text'.

This is the most feasible way this can be done, ie, it will require the user to encode their password themselves.

Let me know what you think

azagramac commented 3 years ago

Encode the password in base64 first and put it in the login field of the plugin?

bwp91 commented 3 years ago

Yes

azagramac commented 3 years ago

v 5.5.1

{
  "error": 10001,
  "msg": "password error!",
  "data": {}
}

I can't find the version v5.5.2-2

bwp91 commented 3 years ago

v5.1.1 was released before and so doesn't decode the password.

It's something I have added to the beta version, you can use the "Install Previous Version" feature in homebridge-ui (the spanner icon on the plugins page) and you can select the top entry which should show 'v5.5.2-2 - beta' to install

bwp91 commented 3 years ago

Don't forget you will also need to tick the "Encoded Password" setting so the plugin knows to decode your password (needed so it doesn't try to decode any user's password that hasn't been encoded in the first place)

bwp91 commented 3 years ago

Did you get it to work? Do you think this would be a useful feature?

There isn't really a way that I can auto-encode the password when the user puts it in their config. I also think it would create a lot of confusion!

azagramac commented 3 years ago

Thanks for new upgrade!!!!

azagramac commented 3 years ago

Error, update 5.6.0. config

{
  "name": "eWeLink",
  "username": "yourmail@domain.com",
  "password": "PASSWORD_ENCODE64",
  "encodedPassword": true,
  "mode": "auto",
  "platform": "eWeLink"
}

Log:

[3/26/2021, 8:30:24 AM] Homebridge v1.3.4 (HomebridgePi) is running on port 52182.
[3/26/2021, 8:30:25 AM] [eWeLink] ***** Disabling plugin [v5.6.0]. *****
[3/26/2021, 8:30:25 AM] [eWeLink] ***** No auth token received.
{
  "error": 10001,
  "msg": "password error!",
  "data": {}
}{. *****

bwp91 commented 3 years ago

Hi @AzagraMac

This is working for me. First please verify you have the correct encoding of your password, perhaps using a site like this:

https://www.base64encode.org

azagramac commented 3 years ago

Yes, the password in base64 is correct, checked on the website that you pointed me to. To encode it I do it from the terminal: echo "your_password" | base64

bwp91 commented 3 years ago

and sorry have to check, you have restarted homebridge since updating the plugin and editing your config?

azagramac commented 3 years ago

Yes, I always restart homebridge after an upgrade or change.

bwp91 commented 3 years ago

When I use the terminal to encode, I get a different result to the website I mentioned.

It seems terminal is adding a newline to the end of the string that is inputted, which will mean the result is incorrect.

azagramac commented 3 years ago

Right, when encoding the key in base64 by terminal, I get some characters at the end, specifically these: Cg==. However, when I copy the key in base64, it decodes it correctly even with those characters...

curious

bwp91 commented 3 years ago

If you copy the terminal encoded string into the website and decode it, you’ll find that a new line is placed at the end (ie the cursor can go to the next line)

azagramac commented 3 years ago

I have set the key without those characters at the end, which I get by passing the key through the terminal, and it works perfectly.

github-actions[bot] commented 3 years ago

This issue has been marked as complete as I believe the original query has been fixed/answered or will not be actioned. The issue will be closed in three days. If you feel the issue requires further attention then please let me know. Thanks!

no-response[bot] commented 3 years ago

This issue has been automatically closed as it was marked as complete and has had no further responses within three days. If you are still experiencing problems related to the original issue then please reply to this message and the issue will be reopened if necessary. Thank you.

burkenyo commented 1 year ago

Hi, @AzagraMac and @bwp91, noting here that base64 encoding is not a form of encryption. Its primary use case is encoding arbitrary binary data (including possibly other text) into printable ASCII characters, especially for embedding that data in another text stream such as an RFC 5322-compliant e-mail or a JSON text.

Do not rely on Base64 encoding as a security measure!
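
The trailing-newline problem discussed in this thread, and the later point that base64 is reversible without any key, shown as an added shell example that is not part of the original thread or the plugin's code. The password is a constructed sample, the function names are hypothetical, and a `base64` that accepts `-d` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example. SAMPLE_PASSWORD is a constructed value, not a real credential.
SAMPLE_PASSWORD='Passw0rd!'

# Encode exactly the bytes given: printf '%s' emits no trailing newline.
encode_exact() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# What `echo "your_password" | base64` does: echo appends "\n" and that
# byte is encoded as part of the password.
encode_with_echo() {
  echo "$1" | base64 | tr -d '\n'
}

# Return 0 if the decoded value ends in a newline byte (0x0a).
# The byte is inspected with od because $(...) would silently strip it.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Decoding needs no key or secret: anyone who can read the config file
# recovers the password, so the encoded value must be protected like plaintext.
decode() {
  printf '%s' "$1" | base64 -d
}

good=$(encode_exact "$SAMPLE_PASSWORD")
bad=$(encode_with_echo "$SAMPLE_PASSWORD")
echo "printf: $good"
echo "echo:   $bad"
# The sample is 9 bytes (a multiple of 3), so the newline lands in its own
# group and shows up as a clean "Cg==" suffix. For other lengths it is mixed
# into the last group, so trimming characters by hand is not a general fix.
if has_trailing_newline "$bad"; then
  echo "echo-encoded value carries a trailing newline; re-encode with printf '%s'"
fi
echo "decoded without any key: $(decode "$good")"
```
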