peter-murray / node-hue-api

Node.js Library for interacting with the Philips Hue Bridge and Lights
Apache License 2.0
1.18k stars 145 forks

v3: non https connection to Hue bridge #142

Closed foxriver76 closed 4 years ago

foxriver76 commented 4 years ago

Can it be that non-https connection to port 80 is no longer possible to the Hue Bridge? It seems like it is always using https:

```js
  connect(username, clientkey, timeout) {
    const self = this
      , hostname = self.hostname
      , baseUrl = self.baseUrl
    ;

    return axios.get(`${baseUrl}/api/config`, {httpsAgent: new https.Agent({rejectUnauthorized: false})})
```

peter-murray commented 4 years ago

I only connect via https in v3, it is the more secure and appropriate way to connect once they started self signing certificates on the bridges.

What is the use case here for not being able to use https?
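Added example, not part of the thread or of node-hue-api's own code: the excerpt quoted in the first comment passes `rejectUnauthorized: false`, which keeps the connection encrypted but accepts any certificate. One way to keep verification on against a self-signed bridge certificate is to pin it with Node's `https.Agent`, shown here. Assumptions: the certificate PEM and its SHA-256 fingerprint were recorded over a trusted path, and the function names and sample values are hypothetical.

```javascript
const https = require('https');

// Strip the colons Node puts in cert.fingerprint256 and lowercase the hex.
const toHex = (fp) => String(fp || '').replace(/:/g, '').toLowerCase();

// Returns a checkServerIdentity callback. The hostname is not compared,
// because the bridge is addressed by IP; only the pinned certificate passes.
function pinnedIdentityCheck(expectedFingerprint) {
  const expected = toHex(expectedFingerprint);
  if (!/^[0-9a-f]{64}$/.test(expected)) {
    throw new Error('pin must be a SHA-256 fingerprint (64 hex digits)');
  }
  return (host, cert) => {
    if (toHex(cert && cert.fingerprint256) !== expected) {
      return new Error(`certificate presented by ${host} does not match the pin`);
    }
    return undefined; // undefined means "identity accepted" to Node's TLS layer
  };
}

// TLS options that keep verification on: the saved self-signed certificate is
// the only trust anchor, and the fingerprint check replaces hostname matching.
function pinnedAgentOptions(bridgeCertPem, expectedFingerprint) {
  return {
    ca: bridgeCertPem,
    rejectUnauthorized: true,
    checkServerIdentity: pinnedIdentityCheck(expectedFingerprint),
  };
}

// Agent to hand to an HTTP client, e.g. axios.get(url, { httpsAgent: agent }).
function createPinnedAgent(bridgeCertPem, expectedFingerprint) {
  return new https.Agent(pinnedAgentOptions(bridgeCertPem, expectedFingerprint));
}

// Constructed sample values, not taken from a real bridge.
const SAMPLE_PIN = Array(32).fill('AB').join(':');
const SAMPLE_OTHER = Array(32).fill('CD').join(':');
const sampleCheck = pinnedIdentityCheck(SAMPLE_PIN);
console.log(sampleCheck('192.0.2.10', { fingerprint256: SAMPLE_PIN }));
console.log(sampleCheck('192.0.2.10', { fingerprint256: SAMPLE_OTHER }).message);
```

A pinned certificate has to be re-recorded whenever the bridge's certificate changes, otherwise the connection is refused.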

foxriver76 commented 4 years ago

See https://github.com/iobroker-community-adapters/ioBroker.hue/issues/78

And I am also not sure if it’s possible to connect to the 1st gen Bridge via https, or is support dropped anyways in v3? Did not find anything breaking wrt this in the changelog.

peter-murray commented 4 years ago

Hmmm, not sure I really want to go backwards on this.

The purpose of forcing https was to ensure users are better protected and using the security features of the bridge. I can see them removing http connections in the future as well. And the remote api is https also.

This is not a real bridge, but an emulation of a bridge. I had a series of issues a few years back with someone raising a whole bunch of issues against the library due to a poorly written emulation library.

I only provide this library to work against and validate against actual hue bridges.

I will take a look at what might be possible to support http connections tomorrow, but if I do expose this, it will be under some really clear connectInsecure()-like function.

foxriver76 commented 4 years ago

I understand your concerns. For me as a dev who uses the library it would be a good thing if I have the ability to stay backward compatible as much as possible - I am not sure if I am the only one who comes up with these issues or if v3 is just too new.

However a method like connectInsecure would be fine for me. Thank you for looking into this.

peter-murray commented 4 years ago

I have released version 3.4.0 to the npm registry with an insecure connection option.

It will print a warning indicating that you are using an insecure method for establishing a connection to the Hue Bridge. Consumers of the library should be using https, which is the default for the library, and this is here only to satisfy the software emulation solutions that appear to exist.

I will not support issues that arise from this library being used against emulated bridges. The Bridge API changes and has plenty of minor quirks in it which come and go as the bridge firmware is updated. Most emulated solutions will introduce other quirks or failures to match the Hue Bridge in certain edge cases.

To use the new connection method, use code like the following:

```js
const v3Api = require('node-hue-api').v3.api;
// Run inside an async function; ipAddress is the address of the bridge.
const api = await v3Api.createInsecureLocal(ipAddress).connect('username');
```

To really get the point across about this not being something I want used, it will report a warning to the user on console.error. This can be suppressed using the presence of an environment variable NODE_HUE_API_USE_INSECURE_CONNECTION, as there may be valid situations that may require this, although I cannot think of any, as disabling security for users is far from ideal.

foxriver76 commented 4 years ago

Thanks, works.