
Comments (5)

OttoWinter commented on May 17, 2024

I haven't looked that much into how to do this, but I think it would be relatively easy for me to add.

The reason it's not in esphomeyaml is that I'm not a web developer and there's at least some probability that any authentication code I write will have some flaw somewhere... And with the architecture of the dashboard, you can essentially have remote code execution once you would gain access to the password.

So it's because I don't want to give a "false" sense of security where a bug could essentially lead to someone exposing their whole network... I mean I can try to write bug-free code, but I cannot guarantee there won't be a flaw.

I suppose though that if I put in a big red warning, it won't be that big of a problem.

from esphome.

carlosmgr commented on May 17, 2024

It's understandable.

It's just that the dashboard is very helpful, but everyone can see the authentication for the MQTT, wireless, OTA, etc. It's a big security weakness.

Maybe someone who wrote the HA authentication can help with this.

Congratulations and thanks for esphomeyaml, this appears to have big potential. I'm using ESPEasy, and while it's easy it's at the same time limited and problematic (buggy). Also I have some 1MB Wemos boards that I don't use because of the space occupied by ESPEasy vs OTA.

If esphomeyaml had the ability to control a motor with a motorshield and/or the possibility to control a program made in Arduino for the ESP, that would be very nice.


OttoWinter commented on May 17, 2024

Ok, so I spent some time today implementing this feature ... and it was even easier than I expected :)

I also showed it to a friend who's working in the web business and he said it looks good 😀. So esphomeyaml explicitly protects against these attacks:

  • Timing attacks: keys are hashed and compared using a function that takes time only dependent on the input string size from the login request.
  • Cookie secret: the cookie secret is generated using a hash of the password. This was done so that the configuration for the AddOn only requires one variable (password) instead of two for the cookie secret. Making the cookie secret based on a short string is technically a security vulnerability, but esphomeyaml is using a pretty secure hashing algorithm that makes it pretty hard even with 8+ characters.
  • CSRF: esphomeyaml does not protect against this sort of attack. But, as the attacker would have to know your local setup and attack you specifically, this shouldn't be that big of a deal.

The login page is ... well ... pretty awful-looking. But as you will only need to re-sign in once every 30 days or so it shouldn't be a big problem.

See this for instructions on how to update to the dev release with this feature.

> if esphomeyaml had the ability to control a motor with a motorshield

May I ask what sort of motorshield? One that controls motors through a direction pin and a PWM signal for speed?

> the possibility for control a program made in arduino for the esp would be very nice

Do you mean the ability to communicate with an Arduino (through I2C or something like that)? That's pretty specific to the application one is building on the other end (the Arduino), so I would say that falls into the category "use custom esphomelib code" and should be solvable using tip 5 here.

Or, in case you mean having custom Arduino code in your esphomeyaml application, also have a look at above link :)

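The three points in the comment above (hash-then-constant-time-compare for the login check, a cookie-signing secret derived from the single configured password, and a session that only needs renewing every 30 days) can be shown in a few dozen lines. The code below is an added illustration written for this page, not esphomeyaml's own dashboard code. Everything concrete in it is an assumption: PBKDF2-SHA256 stands in for the "pretty secure hashing algorithm" the comment mentions, the salt and cookie format are constructed, and the 30-day lifetime is taken from the comment's "once every 30 days or so".

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed parameters (assumptions, not values from the esphome project).
KDF_ITERATIONS = 200_000                     # PBKDF2 work factor
COOKIE_LIFETIME_SECONDS = 30 * 24 * 3600     # "re-sign in once every 30 days"


def hash_password(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow, salted hash of the dashboard password; this digest is what gets stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_login(submitted: str, stored_hash: bytes, salt: bytes) -> bool:
    """Constant-time login check (the 'timing attacks' bullet).

    Both operands are fixed-size digests, so hmac.compare_digest's running time does not
    depend on which bytes differ. The only input-dependent cost left is hashing the
    submitted string, which depends on its length but not on how close it is to the secret.
    """
    candidate = hash_password(submitted, salt)
    return hmac.compare_digest(candidate, stored_hash)


def cookie_secret_from_password(password: str, salt: bytes) -> bytes:
    """Derive the cookie-signing key from the password hash (the 'cookie secret' bullet).

    Domain-separated with a fixed label so the stored password hash is never itself the
    signing key. As the comment notes, the secret is only as strong as the password.
    """
    return hmac.new(hash_password(password, salt), b"dashboard-cookie-secret", hashlib.sha256).digest()


def issue_session_cookie(secret: bytes, username: str, now: Optional[float] = None) -> str:
    """Build 'username|expiry|mac'; the MAC covers both the name and the expiry."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    current = now if now is not None else time.time()
    expiry = int(current + COOKIE_LIFETIME_SECONDS)
    payload = f"{username}|{expiry}"
    mac = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(secret: bytes, cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, otherwise None."""
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:            # wrong field count or non-numeric expiry
        return None
    payload = f"{username}|{expiry_str}".encode("utf-8")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Compare the MAC in constant time too, so a forged cookie leaks nothing byte-by-byte.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    current = now if now is not None else time.time()
    if current >= expiry:
        return None
    return username


if __name__ == "__main__":
    salt = b"constructed-per-install-salt"          # constructed; would be random in practice
    stored = hash_password("correct horse battery", salt)
    print("login ok:", verify_login("correct horse battery", stored, salt))
    print("login bad:", verify_login("correct horse batter", stored, salt))
    secret = cookie_secret_from_password("correct horse battery", salt)
    cookie = issue_session_cookie(secret, "admin")
    print("session user:", verify_session_cookie(secret, cookie))
```

The comment's third bullet (no CSRF protection) is visible here by omission: nothing ties the cookie to the request that carries it, so a same-origin token or SameSite cookie attribute would be the natural next step if the dashboard were exposed beyond a trusted LAN.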

carlosmgr commented on May 17, 2024

You're the Man :)

I'll be out on business the next 2 days, so I cannot test the authentication until then.

Yes, the idea was to use custom Arduino code; I have to see the "Custom Sensor Component" and understand how it works.

About the motorshield:
https://wiki.wemos.cc/products:d1_mini_shields:motor_shield
or
https://hackaday.io/project/8856-incubator-controller/log/29291-node-mcu-motor-shield

Many thanks OttoWinter


OttoWinter commented on May 17, 2024

I will have a look at that. Closing this issue as it's resolved.
