Closed saveriospeziali closed 6 years ago
Hi @saveriospeziali! I am in a similar situation: I have installed Google Home equipped devices in my house and now I'm wondering how can I bridge the gap between HomeKit and Google Assistant.
Before we start, there's an aspect to be taken into the account: security. Homekit is a brilliant system with security at the core of its design. Exposing APIs MUST take security into consideration. What's the point of having a secure system if you're opening a backdoor to operate some of the devices? 😊 I've recently contributed to the HttpWebHooks to add HTTP authentication.
Please, use webhooks over localhost (127.0.0.1) only. If you're exposing WebHooks to your LAN or to the internet you really should use an SSL certificate. I know what you're thinking: on the LAN too? Well, yes! Your home network must be considered and hostile network. You might have guests in your house and they might have compromised Android devices. Or your own device could be compromised. Or you might have some friends that want to mess with your setup (I know, I might need better friends haha). SSL is free now so why not using it? (see Cloudflare for Internet-facing hooks and Let's Encrypt for your own SSL certificate).
Now that we've got security out of the way... I think this accessory should not implement any HTTP APIs and the reason is quite simple: can you imagine what mess it would be if each single homebridge plugin starts implementing its own API with different protocols, security standards, etc?
Now, I've actually solved this issue. The way I've solved is simple, by using one of the best features of Homekit: automations! I have multiple homekit and homebridge accessories in my house. What I do is exposing a WebHook Push Button / Switch (via HttpWebHooks) for each feature/scene I want to trigger. You can link the switch with an automation (e.g. when the switch turns on, set the alarm to arm away).
I expose my hooks over the internet using Cloudflare Argo Tunnel (you could use Ngrok or Localtunnel) and I link some key phrases to my Google Assistant via IFTTT.
It works like this: "Hey Google, turn on the speakers", that triggers an IFTTT WebHook call -> Cloudflare Argo Tunnel from the internet to my house (over HTTPS) -> my homebridge instance at home (with HTTP auth that has been transmitted encrypted, over SSL) -> the fake WebHook "Speakers on" turns On and Homekit triggers the automation of turning on the speakers.
Now, this sounds complex and it is a bit complex. But it works and it is fairly secure! You have full control of what you are exposing and in which ways the user can interact with the accessories.
As a side note, please do not expose critical services over the internet like door locks or things that could set your house on fire :)
By the way, I'm thinking about creating a solution to expose Homekit accessories exposed over WebHooks in a secure fashion (always over HTTPS, always with authentication). Please get in touch with me over email so we can discuss your needs and I can start collecting some requirements.
Hi Paolo
My compliments for your very good reply, for sure exposing basic http services (both in local or internet network) in order to manage a security system is quite crazy..! :) Nice job almost try to add http basic auth to WebHooks ! I agree the best will be to ad https to webhooks
About you suggestion to use a WebHooks pushbutton I thing it is a good idea and I will try it this evening, in may case I am not so worried about security because I have almost nothing to rob at home !! (nothing that justify an hacker to force my HomeKit !! ) but in any case I do not think to statically NAT to internet.
Let me say, the best thing would be to have a better way to program HomeKit other than EVE app, a scripting language editor would be the best !
I will be pleased to stay in touch with you and give help, let me know !!
Regards
Hi guys,
You have a great discussion and I welcome this. However I don’t think this is the right place for it.
To add to the topic itself: One of the big benefits of homebridge and HomeKit is the modular extensibility. I certainly do not plan to extend this plugin in ways initially requested. I believe that the discussed proposal, enabling external triggers through webhooks, is a fairly good solution.
Thanks, grover
Hi Grover
I am just looking at your work and seem amazing !! my compliments
I think that with you plugin anyone using HomeKit can build a very great security system, but I have an additional need, my sun (a very nerd boy) have an android smartphone , so he will be unable to operate with the security system.. What about add basic http operations to activate the security functions? something similar to the HttpWebHooks plugin ?
Cann you help or can you suggest some workaround ?
Best regards