Hi

I think it could be a risk to keep the long-lived access token in plain text... I can think of two possible solutions:

A) Enter the token once and hide this data forever
B) Work with webhooks, i.e. a webhook related to an automation to turn on the printer

What do you think?

I understand your concern, it would be nice if Home Assistant allowed for scoping the token to certain entities and/or operations. However, you need root access or the account running Octoprint on the system to be able to read this file (if permissions are configured correctly), so I don't see the direct risk in this. Perhaps this could be fixed by Octoprint using some encryption on certain fields in config, but then still the encryption key has to be stored somewhere, so anyone with access to the config file would have access to the key as well, which is just moving the issue from one file to another.

A) does not seem to be possible, this is the way Octoprint is storing its settings.
B) Looked into these quickly, it appears that HA webhooks are automation triggers, which don't allow returning any data to the requester. This is an essential part of the plugin as we have to determine if the power is turned on or off.

If this is too much of a risk, consider using MQTT, which can be scoped much tighter than the all-or-nothing tokens in HA. But please bear in mind, the MQTT username and password are stored in plain text as well.

Closed: neutropico closed this 1 year ago