mk-maddin / wattpilot-HA

This is a custom component to allow control of Fronius Wattpilot wallbox/electro vehicle charging devices in Homeassistant.
Apache License 2.0

Password stored in plain text #22

Closed miho9 closed 1 year ago

miho9 commented 1 year ago

I was researching some other issues and came across the entry for my wattpilot in core.config_entries. I noticed that the password is stored in there in plain text. I realise this project is in an early stage but security should not be forgotten or at least be mentioned as an open point.

mk-maddin commented 1 year ago

Can you please provide some more context? Which version of the integration are you using? Did you upgrade from an older version or did you do a fresh install? Which home assistant version are you using? Where are you seeing the plain text password within the core config entries?

miho9 commented 1 year ago

I am finding this snippet of code in \192.168.50.222\config.storage\core.config_entries

    {
      "entry_id": "1d4de810d0d99aded582a41fe1ce648b",
      "version": 1,
      "domain": "wattpilot",
      "title": "Wattpilot",
      "data": {
        "friendly_name": "Wattpilot",
        "ip_address": "192.168.50.142",
        "password": "miWP12ho",
        "timeout": 15
      },
      "options": {
        "friendly_name": "Wattpilot",
        "ip_address": "192.168.50.142",
        "password": "miho9spassword",
        "timeout": 15
      },
      "pref_disable_new_entities": false,
      "pref_disable_polling": false,
      "source": "user",
      "unique_id": null,
      "disabled_by": null
    }

I am running 2023.7.3, updated two weeks ago from the previous version. The wattpilot integration was installed by downloading the package from git about a week ago and installing it as instructed by copying into the custom integrations folder.

I should mention that I got the password wrong when configuring the wattpilot integration and need to reset the wattpilot for setting a new one. That hasn't been done, yet.

mk-maddin commented 1 year ago

Thanks for your request.

As of https://developers.home-assistant.io/docs/config_entries_index the file you are referencing is managed by home assistant core instance. The topic about Home Assistant Core functions storing configuration data provided and received from them was discussed as of here: https://github.com/home-assistant/architecture/discussions/556

While I understand your case relating to this integration, anything I could do within this integration to make it more secure is to request the password for authentication at every restart / reload of the integration being typed in manually. Nevertheless, this obviously would cause a significant usage restriction.

As HA by default does not provide a function to store configuration passwords in any other way than clear text, I was able to reproduce the behavior you describe with other integrations as well due to the reasoning explained above. Examples showing the same behavior are e.g. (some of them being core HA integrations): mqtt, esphome, unifiprotect, google, mobile_app, home_connect, renault, unifi, tuya, bmw_connected_drive, xiaomi_miio. Please feel free to check the corresponding by yourself setting up some more integrations and searching the core.config_entries file for "password" or "token" tag.

Due to this I have to close this issue not being related to this integration directly and ask you to please re-open the discussion within home assistant core integration where the underlying storage functions are programmed and provided.

Thanks for your understanding
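
The check suggested in the comment above (searching core.config_entries for "password" or "token" keys), written out as an added example; it is not code from this thread or from the wattpilot-HA project. The function names, the `SECRET_HINTS` list, the `{"data": {"entries": [...]}}` wrapper layout and the sample entry are assumptions made for the illustration. It reports which integrations store secret-like keys without echoing the values, and checks whether the file is readable beyond its owner.

```python
import json
import os
import stat

# Key-name fragments treated as secret-like (an assumption; extend as needed).
SECRET_HINTS = ("password", "token", "secret", "api_key")


def find_secret_keys(node, path=""):
    """Yield dotted paths of secret-looking keys holding a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and any(h in key.lower() for h in SECRET_HINTS):
                yield here
            else:
                yield from find_secret_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secret_keys(item, f"{path}[{i}]")


def audit_entries(doc):
    """Map integration domain -> secret-like key paths; values are never returned."""
    # Assumed layout: {"data": {"entries": [...]}}; a bare list of entries also works.
    entries = doc.get("data", {}).get("entries", []) if isinstance(doc, dict) else doc
    report = {}
    for entry in entries:
        for section in ("data", "options"):
            hits = list(find_secret_keys(entry.get(section) or {}, section))
            if hits:
                report.setdefault(entry.get("domain", "?"), []).extend(hits)
    return report


def readable_by_others(path):
    """True if group or other users can read the file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample shaped like the entry quoted in the issue (values are made up).
SAMPLE = json.loads("""{"data": {"entries": [
  {"domain": "wattpilot", "data": {"ip_address": "192.0.2.10", "password": "example"},
   "options": {"password": "example", "timeout": 15}},
  {"domain": "sun", "data": {}, "options": {}}]}}""")

if __name__ == "__main__":
    for domain, keys in audit_entries(SAMPLE).items():
        print(domain, ", ".join(keys))
```

To audit a real instance, load the file with `json.load` and pass the result to `audit_entries`, then call `readable_by_others` on the same path.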

miho9 commented 1 year ago

Many thanks for looking into this! Being new to home assistant, I didn't realize that this is a core file. As you describe it, it's really an issue which should be handled by the core functionality. I'll raise the issue there.