Currently, the plugin asks for full read-write access (scope=smartWrite) during the Ecobee API authorization process. I don't think this is necessary since we never issue any POST request that would change anything on the thermostat. I think some people may not be willing to grant the write access. It's easy to imagine a Terminator-like scenario where some crazy piece of software is literally messing with their house.
At the moment all the functionality is a bit "dumb" and the plugin merely forwards the values to be displayed in HomeKit. Read-only privileges (scope=smartRead) should be enough to get the sensor values and we should take advantage of it to make things a bit more secure.
More details about the authorization API can be found in the documentation.
Development of #7 will require some logic to switch back to scope=smartWrite when authenticating, since setting the target temperature or HVAC mode obviously needs write access.
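One way to request the least-privileged scope and detect when a stored grant must be upgraded to smartWrite, as an added example that is not the plugin's own code. The feature names and function names are hypothetical; the endpoint and the `response_type`, `client_id` and `scope` parameters follow Ecobee's PIN authorization request.

```javascript
// Added example, not the plugin's code. Feature and function names are hypothetical.
const AUTHORIZE_URL = 'https://api.ecobee.com/authorize';

// The two scopes named in the issue, ranked from least to most privileged.
const SCOPE_RANK = new Map([['smartRead', 0], ['smartWrite', 1]]);

// Hypothetical plugin features mapped to the minimum scope each one needs.
const FEATURE_SCOPE = new Map([
  ['sensorReadings', 'smartRead'],        // forwarding values to HomeKit
  ['setTargetTemperature', 'smartWrite'], // changes thermostat state
  ['setHvacMode', 'smartWrite'],          // changes thermostat state
]);

// Return the least-privileged scope that covers every enabled feature.
function requiredScope(enabledFeatures) {
  let scope = 'smartRead';
  for (const feature of enabledFeatures) {
    const needed = FEATURE_SCOPE.get(feature);
    // Reject unknown features instead of silently picking a scope for them.
    if (needed === undefined) throw new Error(`unknown feature: ${feature}`);
    if (SCOPE_RANK.get(needed) > SCOPE_RANK.get(scope)) scope = needed;
  }
  return scope;
}

// Build the PIN authorization request for the chosen scope.
function buildAuthorizeUrl(appKey, enabledFeatures) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('response_type', 'ecobeePin');
  url.searchParams.set('client_id', appKey);
  url.searchParams.set('scope', requiredScope(enabledFeatures));
  return url.toString();
}

// True when the stored grant is too weak for the enabled features,
// so the user has to go through authorization again.
function needsReauthorization(grantedScope, enabledFeatures) {
  const granted = SCOPE_RANK.get(grantedScope);
  if (granted === undefined) return true; // missing or unknown scope: fail closed
  return granted < SCOPE_RANK.get(requiredScope(enabledFeatures));
}
```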