hatl / hasscontrol

Simple garmin widget to control home assistant scenes
134 stars, 19 forks

[Feature Request] Add support for mTLS certificates #67

Closed jonathanjsimon closed 6 days ago

jonathanjsimon commented 1 month ago

For HA installations accessed via Cloudflare, it's not uncommon to configure mutual TLS protection to restrict access to that domain unless the client has the certificate. All other access is blocked. Once the certificate is installed on the phone and the phone restarted, the HA companion app will prompt to select the certificate on first access. It would be great if this widget could also do this so I can continue to use it against my HA installation.

Here is the guide I used to configure it for reference: https://kcore.org/2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

hatl commented 1 month ago

unfortunately, it doesn't seem like the garmin API offers support for handling the "CertificateRequest" message: https://developer.garmin.com/connect-iq/api-docs/Toybox/Communications.html#makeWebRequest-instance_function

jonathanjsimon commented 1 month ago

Well, that's lame (on Garmin). Thanks for checking into it. If you ever find a way, I would certainly be excited to test it out.

jonathanjsimon commented 1 month ago

Do you have the ability to inject arbitrary headers? Cloudflare allows blocks to be bypassed based on any number of rules, including a header.

hatl commented 1 month ago

yes, arbitrary headers can be specified (see previous link)

jonathanjsimon commented 1 month ago

So could the widget have two fields for header and header value?

swiergot commented 1 month ago

Another option would be to create a subdomain that cannot be guessed by anyone and disable the certificate check for it. It's a similar approach to the official Home Assistant Cloud where subdomains are just random strings.

jonathanjsimon commented 1 month ago

Well, security by obscurity is... not particularly reliable. The domains are public. Using unguessable domains is the same as changing your SSH port to 63854. Just a matter of time. Adding support for a bypass header is quite straightforward. If I get a chance in the coming weeks, I'll submit a PR to that effect.

swiergot commented 1 month ago

It's not security by obscurity. Subdomains cannot be listed (unless you are permitted to do zone transfers which - in case of Cloudflare - you are not). Trying to brute force subdomains will result in getting banned by Cloudflare's IDS/IPS.

hatl commented 1 month ago

> So could the widget have two fields for header and header value?

This could work. Would you be able to modify the code and check if your use case works? This part would need to be adjusted: https://github.com/hatl/hasscontrol/blob/50a467b4caf707f7ce9860afaef5b2b069d5561e/widget/source/hass/OAuthClient.mc#L272-L275
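The thread settles on a Cloudflare rule that lets a request through either with a valid client certificate or with a secret header sent by the widget. The following is an added example, not code from hasscontrol or from Cloudflare, modelling that edge decision in Python so the security properties of the header path are visible: the header value is a bearer credential, so it is generated with enough entropy, compared in constant time, and only accepted for the expected host. The header name `X-Widget-Bypass`, the `Request` type and the sample requests are all constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical header name; the operator picks this and configures it in both
# the Cloudflare rule and the widget's two new settings fields.
BYPASS_HEADER = "X-Widget-Bypass"


def generate_bypass_token() -> str:
    """Return a bypass value with ~256 bits of entropy.

    The widget sends this value on every request, so it must be treated like
    a password: random, never reused elsewhere, and rotated if the watch or
    its settings export ever leaks.
    """
    return secrets.token_urlsafe(32)


@dataclass
class Request:
    """Constructed model of what the edge sees for one inbound request."""
    host: str
    headers: dict = field(default_factory=dict)
    client_cert_verified: bool = False  # outcome of the mTLS handshake


def _header(req: Request, name: str):
    # HTTP header names are case-insensitive; normalise before lookup.
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_allowed(req: Request, expected_host: str, bypass_token: str) -> bool:
    """Edge policy: mTLS client cert OR the secret bypass header, for this host only.

    Mirrors the two paths discussed in the thread: the companion app presents
    a client certificate, the Garmin widget (which cannot) presents the header.
    """
    if req.host != expected_host:
        # Never let the bypass secret grant access to other zones/subdomains.
        return False
    if req.client_cert_verified:
        return True
    presented = _header(req, BYPASS_HEADER)
    if presented is None:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(presented.encode(), bypass_token.encode())


def demo() -> dict:
    """Run the policy over constructed requests; returns each verdict by label."""
    host = "ha.example.invalid"  # placeholder hostname
    token = generate_bypass_token()
    cases = {
        "companion_app_mtls": Request(host, {}, client_cert_verified=True),
        "widget_with_header": Request(host, {"x-widget-bypass": token}),
        "widget_wrong_header": Request(host, {BYPASS_HEADER: token[:-1] + "x"}),
        "anonymous": Request(host, {}),
        "other_host_with_header": Request("other.example.invalid", {BYPASS_HEADER: token}),
    }
    return {label: is_allowed(req, host, token) for label, req in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>24}: {'allow' if verdict else 'deny'}")
```

The policy is deliberately scoped to one host and does not fall back to the header when a client certificate was presented but failed verification, since a failed handshake never reaches the HTTP layer. If the widget's settings are backed up or synced, the stored header value travels with them, which is the main operational difference from the certificate path.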

hatl commented 1 week ago

implemented in v1.5.0, please check, thanks

jonathanjsimon commented 1 week ago

Awesome, thanks! Sorry, I'd meant to take care of this and got absolutely buried at work. Will check shortly

jonathanjsimon commented 6 days ago

This appears to work. Nice work. :-)

hatl commented 6 days ago

you're welcome

if you would like to show some kind of appreciation, there would be an option here: https://github.com/sponsors/hatl :wink:

hatl commented 3 days ago

thank you very much! :slightly_smiling_face: