radinsky
commented
6 years ago Yes, it's easy to create whitelist array and to get the self.client_address[0] from the request.
Closed uudruid74 closed 6 years ago
radinsky
commented
6 years ago Yes, it's easy to create whitelist array and to get the self.client_address[0] from the request.
uudruid74
commented
6 years ago I've managed to get Google Assistant integrated, a significant milestone. However, to make things easy, I used IFTTT (if this then that) and the "WebHooks" service they have to send random HTML requests. This can be expanded to way beyond just Google Assistant since IFTTT supports just about anything as a trigger. If you want to lower the temperature of house when a stock rises, I think you could do that!
However, WebHooks requests are made from the Internet, so security is a major concern. Here is a list of security-related issues I've implemented (about to push to my tree) for comment. All in "General"
If password is specified, then GET operations are only allowed from hosts in restrictAccess. GET operations won't need a password, but they'll only be allowed from specific hosts. There is currently no way to restrict hosts AND require a password, but serverAddress combined with firewall rules on the underlying host would be solution for the security paranoid, setting password and not restrictAccess.
uudruid74
commented
6 years ago Resolved by #13
I'm thinking there should be some sort of security on learnCommand, or on re-learning an existing command? Maybe a host whitelist?
Thoughts on the best way to handle it?