peter-murray / node-hue-api

Node.js Library for interacting with the Philips Hue Bridge and Lights
Apache License 2.0

Support HTTPS interface #120

Closed neophob closed 5 years ago

neophob commented 6 years ago

see https://www2.meethue.com/en-us/support/release-notes/bridge

June 28, 2018, Firmware 1806051111 (Bridge V2)

So it might be that the plain HTTP interface will be gone soon (I don't know). Any plans to support the new HTTPS interface?

peter-murray commented 6 years ago

Thanks for the heads up, I am part way through completing an update to clean up the APIs and complete the missing features where the API has evolved but the library has not kept up.

I will look to incorporate some HTTPS support into that change.

peter-murray commented 6 years ago

Looking at the developer documentation, the plain HTTP endpoints will be supported for at least a year from here, so plenty of time to transition.

The HTTPS certificate is also self signed, at least whilst in beta, and as such will require special handling to not generate errors when using those endpoints (will not be too difficult to support, but a little annoying).

neophob commented 6 years ago

Thanks @peter-murray. I asked myself how they want to handle HTTPS for a local device, as this is still pretty much a black hole - especially as it won't protect from MITM unless you install the bridge certificate on each end-user device.

peter-murray commented 6 years ago

Apparently it does use the bridge id as part of the self signing, but you would have to hit the endpoint with all the info for the bridge when establishing the first connection to be certain of that value, so it becomes a bit of a chicken and egg issue to validate the self signed cert in that case. There is no indication as to what they may do come official release of the feature, so fingers crossed they have a plan for a better solution than self signed.

paolotremadio commented 5 years ago

FYI: https://github.com/ebaauw/homebridge-hue/issues/362

peter-murray commented 5 years ago

Thanks, I have already implemented it for the upcoming release, in a similar way, but limited to the bridge connection, validating the bridge details in the cert, and once successful, disabling the SSL verification, which always fails due to self signing whilst still maintaining the https endpoints.

paolotremadio commented 5 years ago

Brilliant! Do you have a branch for that?

peter-murray commented 5 years ago

There is a V3 branch, although I have a lot of uncommitted changes not on it yet.

It is effectively a rewrite whilst trying to maintain most of the existing api whilst removing the older parts.

When it releases it will require small changes against the old API, and provide a cleaner new API in parallel.

paolotremadio commented 5 years ago

Cool! I’ll watch the repo so I can get a notification once it has been published

peter-murray commented 5 years ago

There is an alpha release 3.0.0-alpha.2 in the npm registry as of now, this will be released as the next major version once I complete the documentation. All the API functionality is practically locked down now for

peter-murray commented 5 years ago

3.0.0 was released today, it uses https connections with the bridge, validating the bridge certificate data (it is self signed) before then trusting the connection (as it has to ignore the certificate for the TLS connection after the validation as the Node.js certificate validation will fail due to it being self signed).
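The validation discussed in this thread, as an added example that is not part of the original comments and is not node-hue-api's own code: the self-signed certificate is checked against the expected bridge ID, and, going one step beyond what the thread describes, its fingerprint is pinned on first use so a later certificate with the same name is rejected. The function names, the sample values, and the assumption that the bridge ID appears as the certificate's subject CN are hypothetical.

```javascript
// Added example with hypothetical names, not node-hue-api's API.
// Assumption: the certificate's subject CN is the bridge ID in lowercase hex.
// Judge a certificate object shaped like tls.TLSSocket#getPeerCertificate() output.
function checkBridgeCertificate(cert, bridgeId, pinnedFingerprint, now = new Date()) {
  if (!cert || !cert.subject || !cert.fingerprint256) {
    return { trusted: false, reason: 'no certificate presented' };
  }
  if (String(cert.subject.CN).toLowerCase() !== String(bridgeId).toLowerCase()) {
    return { trusted: false, reason: 'CN does not match bridge ID' };
  }
  // Date.parse yields NaN on unparseable input, so this comparison fails closed.
  const from = Date.parse(cert.valid_from);
  const to = Date.parse(cert.valid_to);
  if (!(now >= from && now <= to)) {
    return { trusted: false, reason: 'outside validity period' };
  }
  // The bridge ID is not secret, so anyone can self-sign a certificate with this CN.
  // Pin the certificate on first use and require the same one afterwards.
  if (pinnedFingerprint && pinnedFingerprint !== cert.fingerprint256) {
    return { trusted: false, reason: 'fingerprint differs from pinned value' };
  }
  return { trusted: true, pin: cert.fingerprint256 };
}

// Connect with chain validation off (self-signed), then apply the check above.
async function connectToBridge(host, bridgeId, pinnedFingerprint) {
  const tls = await import('node:tls'); // dynamic import works in CommonJS and ESM
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port: 443, rejectUnauthorized: false }, () => {
      const verdict = checkBridgeCertificate(socket.getPeerCertificate(), bridgeId, pinnedFingerprint);
      if (!verdict.trusted) {
        socket.destroy();
        return reject(new Error(verdict.reason));
      }
      resolve({ socket, pin: verdict.pin });
    });
    socket.on('error', reject);
  });
}

// Constructed sample data (not real bridge values); the second certificate has the
// same CN but a different fingerprint and must be rejected once a pin exists.
const SAMPLE_BRIDGE_ID = '001788fffe123456';
const SAMPLE_CERT = {
  subject: { CN: SAMPLE_BRIDGE_ID },
  valid_from: 'Jan 1 00:00:00 2017 GMT',
  valid_to: 'Jan 19 03:14:07 2038 GMT',
  fingerprint256: Array(32).fill('AB').join(':'),
};
const IMPOSTOR_CERT = { ...SAMPLE_CERT, fingerprint256: Array(32).fill('CD').join(':') };
```

The pin returned by the first successful call has to be stored by the caller and passed back on every later connection; without it, only the CN and validity checks apply.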