Comments (5)
I haven't looked that much into how to do this, but I think it would be relatively easy for me to add.
The reason it's not in esphomeyaml is that I'm not a web developer and there's at least some probability that any authentication code I write will have some flaw somewhere... And with the architecture of the dashboard, you can essentially have remote code execution once you would gain access to the password.
So it's because I don't want to give a "false" sense of security where a bug could essentially lead to someone exposing their whole network... I mean I can try to write bug-free code, but I cannot guarantee there won't be a flaw.
I suppose though that if I put in a big red warning, it won't be that big of a problem.
from esphome.
It's understandable.
It's just that the dashboard is very helpful, but everyone can see the authentication for the MQTT, wireless, OTA, etc. It's a big security weakness.
Maybe someone who wrote the HA authentication can help with this.
Congratulations and thanks for esphomeyaml, this appears to have big potential. I'm using ESPEasy and while it's easy, it's at the same time limited and problematic (buggy). Also I have some 1MB Wemos that I don't use because of the space occupied by ESPEasy vs OTA.
If esphomeyaml had the ability to control a motor with a motor shield and/or the possibility to control a program made in Arduino for the ESP, that would be very nice.
from esphome.
Ok, so I spend some time today implementing this feature ... and it was even easier than I expected :)
I also showed it to a friend who's working in the web business and he said it looks good 😀. So esphomeyaml explicitly protects against these attacks:
- Timing Attacks: keys are hashed and compared using a function whose running time depends only on the size of the input string from the login request.
- Cookie Secret: The cookie secret is generated using a hash of the password. This was done so that the configuration for the AddOn only requires one variable (`password`) instead of two for the cookie secret. Making the cookie secret based on a short string is technically a security vulnerability, but esphomeyaml is using a pretty secure hashing algorithm that makes it pretty hard even with 8+ characters.
- CSRF: esphomeyaml does not protect against this sort of attack. But, as the attacker would have to know your local setup and attack you specifically, this shouldn't be that big of a deal.
The login page is ... well ... pretty awful-looking. But as you will only need to re-sign in once every 30 days or so it shouldn't be a big problem.
See this for instructions on how to update to the dev release with this feature.
if esphomeyaml had the ability to control a motor with a motorshield
May I ask what sort of motorshield? One that controls motors through a direction pin and a PWM signal for speed?
the possibility for control a program made in arduino for the esp would be very nice
Do you mean the ability to communicate with an Arduino (through I2C or something like that)? That's pretty specific to the application one is building on the other end (the Arduino), so I would say that falls into the category "use custom esphomelib code" and should be solvable using tip 5 here.
Or, in case you mean having custom Arduino code in your esphomeyaml application, also have a look at above link :)
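To make the three points in the comment above concrete (hashed keys compared in constant time, a cookie secret derived from the single configured password, and the CSRF gap left open), here is an added illustration in Python. It is not esphomeyaml's own code: the helper names, the PBKDF2 parameters and the 8-character floor are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical helpers modelled on the design described in the comment; not the
# project's implementation. PBKDF2 parameters and the length floor are assumed.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 8  # the cookie secret is only as strong as the password


def hash_password(password: str, salt: bytes) -> bytes:
    """Stretch the password with PBKDF2-HMAC-SHA256 so a leaked hash is costly to guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """hmac.compare_digest runs in time independent of where the digests first differ,
    which is what defeats a timing attack; a plain == on bytes may return early."""
    return hmac.compare_digest(hash_password(submitted, salt), stored_hash)


def cookie_secret_from_password(password: str, salt: bytes) -> bytes:
    """Derive the cookie-signing secret from the one configured password, as the comment
    describes, with a domain-separation prefix so it is never byte-identical to the
    stored login hash. Refuses passwords below the assumed floor."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password too short to serve as a cookie secret")
    labelled = b"cookie-secret:" + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", labelled, salt, PBKDF2_ITERATIONS)


def make_csrf_token(session_id: str, cookie_secret: bytes) -> str:
    """Per-session CSRF token keyed by the cookie secret: closes the gap the comment notes."""
    return hmac.new(cookie_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_csrf_token(session_id: str, cookie_secret: bytes, token: str) -> bool:
    """Constant-time check of a submitted CSRF token against the expected one."""
    return hmac.compare_digest(make_csrf_token(session_id, cookie_secret), token)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per run; store it beside the hash
    stored = hash_password("correct-horse-battery", salt)
    print(verify_password("correct-horse-battery", salt, stored))  # True
    print(verify_password("wrong-password", salt, stored))  # False
    secret = cookie_secret_from_password("correct-horse-battery", salt)
    token = make_csrf_token("session-1", secret)
    print(check_csrf_token("session-1", secret, token))  # True
```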
from esphome.
You're the Man :)
I'll be out on business the next 2 days so I cannot test the authentication until then.
Yes, the idea was to use custom Arduino code. I have to see the "Custom Sensor Component" and understand how it works.
About the motorshield:
https://wiki.wemos.cc/products:d1_mini_shields:motor_shield
or
https://hackaday.io/project/8856-incubator-controller/log/29291-node-mcu-motor-shield
Many thanks OttoWinter
from esphome.
I will have a look at that. Closing this issue as it's resolved.
from esphome.