grover / homebridge-automation-switches

A flexible automation switch for Homebridge: https://github.com/nfarina/homebridge
MIT License

external http commands #11

Closed saveriospeziali closed 6 years ago

saveriospeziali commented 6 years ago

Hi Grover

I am just looking at your work and it seems amazing!! My compliments.

I think that with your plugin anyone using HomeKit can build a very great security system, but I have an additional need: my son (a very nerd boy) has an Android smartphone, so he will be unable to operate the security system. What about adding basic HTTP operations to activate the security functions? Something similar to the HttpWebHooks plugin?

Can you help, or can you suggest some workaround?

Best regards

paolotremadio commented 6 years ago

Hi @saveriospeziali! I am in a similar situation: I have installed Google Home equipped devices in my house and now I'm wondering how can I bridge the gap between HomeKit and Google Assistant.

Before we start, there's an aspect to be taken into account: security. HomeKit is a brilliant system with security at the core of its design. Exposing APIs MUST take security into consideration. What's the point of having a secure system if you're opening a backdoor to operate some of the devices? 😊 I've recently contributed to the HttpWebHooks to add HTTP authentication.

Please, use webhooks over localhost (127.0.0.1) only. If you're exposing WebHooks to your LAN or to the internet you really should use an SSL certificate. I know what you're thinking: on the LAN too? Well, yes! Your home network must be considered a hostile network. You might have guests in your house and they might have compromised Android devices. Or your own device could be compromised. Or you might have some friends that want to mess with your setup (I know, I might need better friends haha). SSL is free now so why not use it? (See Cloudflare for Internet-facing hooks and Let's Encrypt for your own SSL certificate.)

Now that we've got security out of the way... I think this accessory should not implement any HTTP APIs and the reason is quite simple: can you imagine what mess it would be if each single homebridge plugin starts implementing its own API with different protocols, security standards, etc?

Now, I've actually solved this issue. The way I've solved it is simple, by using one of the best features of HomeKit: automations! I have multiple HomeKit and homebridge accessories in my house. What I do is expose a WebHook Push Button / Switch (via HttpWebHooks) for each feature/scene I want to trigger. You can link the switch with an automation (e.g. when the switch turns on, set the alarm to arm away).

I expose my hooks over the internet using Cloudflare Argo Tunnel (you could use Ngrok or Localtunnel) and I link some key phrases to my Google Assistant via IFTTT.

It works like this: "Hey Google, turn on the speakers", that triggers an IFTTT WebHook call -> Cloudflare Argo Tunnel from the internet to my house (over HTTPS) -> my homebridge instance at home (with HTTP auth that has been transmitted encrypted, over SSL) -> the fake WebHook "Speakers on" turns On and Homekit triggers the automation of turning on the speakers.

Now, this sounds complex and it is a bit complex. But it works and it is fairly secure! You have full control of what you are exposing and in which ways the user can interact with the accessories.

As a side note, please do not expose critical services over the internet like door locks or things that could set your house on fire :)
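
The advice in the comment above (bind to loopback, require HTTP authentication, refuse plaintext from anywhere else) as an added example; it is not part of the original thread or of the HttpWebHooks plugin, and the function names, environment variables and port are hypothetical.

```javascript
// Added example: a webhook listener that follows the advice above.
// authorize, HOOK_USER, HOOK_PASSWORD and port 51828 are hypothetical names.
const crypto = require('node:crypto');
const http = require('node:http');

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Compare secrets in constant time; hashing first gives equal-length buffers.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Decode "Authorization: Basic <base64(user:pass)>"; null if malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  return i < 0 ? null : { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Returns the HTTP status the hook should answer with.
function authorize(req, creds) {
  // Plain HTTP is accepted from loopback only: Basic credentials are
  // readable on the wire unless the connection is TLS.
  if (!req.encrypted && !LOOPBACK.has(req.remoteAddress)) return 403;
  const got = parseBasic(req.authorization);
  if (!got) return 401;
  // Bitwise & so both comparisons always run (no short-circuit).
  const ok = safeEqual(got.user, creds.user) & safeEqual(got.pass, creds.pass);
  return ok ? 200 : 401;
}

// Start only when a password is configured; bind to loopback, not 0.0.0.0.
if (process.env.HOOK_PASSWORD) {
  const creds = { user: process.env.HOOK_USER || 'homebridge', pass: process.env.HOOK_PASSWORD };
  http.createServer((req, res) => {
    const status = authorize({
      remoteAddress: req.socket.remoteAddress,
      encrypted: Boolean(req.socket.encrypted),
      authorization: req.headers.authorization,
    }, creds);
    if (status === 401) res.setHeader('WWW-Authenticate', 'Basic realm="hooks"');
    res.statusCode = status;
    res.end();
  }).listen(51828, '127.0.0.1');
}
```

A tunnel or reverse proxy that terminates TLS on the same host reaches this listener over loopback, so the credentials never cross the LAN unencrypted.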

paolotremadio commented 6 years ago

By the way, I'm thinking about creating a solution to expose Homekit accessories exposed over WebHooks in a secure fashion (always over HTTPS, always with authentication). Please get in touch with me over email so we can discuss your needs and I can start collecting some requirements.

saveriospeziali commented 6 years ago

Hi Paolo

My compliments for your very good reply, for sure exposing basic HTTP services (both in local or internet network) in order to manage a security system is quite crazy..! :) Nice job almost try to add HTTP basic auth to WebHooks! I agree the best will be to add HTTPS to WebHooks.

About your suggestion to use a WebHooks pushbutton, I think it is a good idea and I will try it this evening. In my case I am not so worried about security because I have almost nothing to rob at home!! (nothing that justifies a hacker forcing my HomeKit!!) but in any case I do not think to statically NAT to internet.

Let me say, the best thing would be to have a better way to program HomeKit other than EVE app, a scripting language editor would be the best !

I will be pleased to stay in touch with you and give help, let me know !!

Regards

grover commented 6 years ago

Hi guys,

You have a great discussion and I welcome this. However I don’t think this is the right place for it.

To add to the topic itself: One of the big benefits of homebridge and HomeKit is the modular extensibility. I certainly do not plan to extend this plugin in ways initially requested. I believe that the discussed proposal, enabling external triggers through webhooks, is a fairly good solution.

Thanks, grover