
hass-wh-triggers's People

Contributors

danielperna84


hass-wh-triggers's Issues

Update requirements

The current requirements.txt uses the package versions referenced by the example app from py_webauthn. Some packages probably can be pinned to a more recent version, which may also improve security.

Make optional use of Geo-Location

It could be useful to take a user's Geo-Location into account for either logging in, or for firing triggers. After all it wouldn't always make sense to open the front door if the user isn't actually in front of the door.
This probably should be rather configured per trigger (and included in the JSON payload), and possibly even dependent on who the user is. The reasoning for this is that trusted users may have to be able to fire a trigger regardless of where they are, while for others a specific physical location is required. Of course this will not help if the location is spoofed. But as an additional layer of protection this could be useful.

Add OTP-only mode

The way it is now, the manually created OTP tokens only serve as a fallback if 2FA is not available. Those users can still add 2FA when logged in. A flag should be added to the userdata that marks him as OTP-only. With this enabled FIDO2 / TOTP authentication should be rejected. With this in place the admin has the control to limit how often a user is able to log in.

Ensure unassigned users can't fire triggers

Currently users that are not assigned to a trigger won't see the trigger. However, if they know how, they could still fire it because in triggers_fire it is not checked if the user is assigned to the trigger.
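The defect described in this issue (a trigger hidden from the list but not re-checked on the fire path) next to the fix, as an added example that is not the project's code: the schema, table names and helper functions are assumptions for illustration, and sqlite3 stands in for the real database.

```python
import sqlite3

# Constructed in-memory schema for per-user trigger assignment; the table and
# column names are assumptions for this example, not the project's schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE triggers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, webhook TEXT NOT NULL);
CREATE TABLE trigger_users (trigger_id INTEGER, user_id INTEGER,
                            PRIMARY KEY (trigger_id, user_id));
"""

def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO triggers VALUES (?, ?, ?)",
                   [(10, "front door", "wh-front"), (11, "garage", "wh-garage")])
    # alice is assigned both triggers, bob only the garage one
    db.executemany("INSERT INTO trigger_users VALUES (?, ?)", [(10, 1), (11, 1), (11, 2)])
    return db

def is_assigned(db, user_id, trigger_id):
    """Single source of truth for 'may this user use this trigger?'."""
    row = db.execute("SELECT 1 FROM trigger_users WHERE user_id = ? AND trigger_id = ?",
                     (user_id, trigger_id)).fetchone()
    return row is not None

def visible_triggers(db, user_id):
    """What the trigger list shows: only the user's assigned trigger ids."""
    rows = db.execute("SELECT t.id FROM triggers t JOIN trigger_users tu ON tu.trigger_id = t.id "
                      "WHERE tu.user_id = ? ORDER BY t.id", (user_id,)).fetchall()
    return [r[0] for r in rows]

def fire_trigger_insecure(db, user_id, trigger_id):
    """Mirrors the reported bug: the trigger is hidden in the UI but not checked
    here, so anyone who knows the id can fire it."""
    row = db.execute("SELECT webhook FROM triggers WHERE id = ?", (trigger_id,)).fetchone()
    return row[0] if row else None

def fire_trigger(db, user_id, trigger_id):
    """Hardened: the fire path re-checks the same assignment the listing relies on."""
    if not is_assigned(db, user_id, trigger_id):
        return None  # indistinguishable from a nonexistent trigger
    row = db.execute("SELECT webhook FROM triggers WHERE id = ?", (trigger_id,)).fetchone()
    return row[0] if row else None
```

Hiding an item in the UI is not access control; the server-side fire handler has to apply the same predicate the listing uses.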

Reverse Proxy compatibility

It seems as if using a Reverse Proxy setup where the app is located further down the path, the url_for mechanism doesn't work. This is a popular solution to the problem.

Firefox constantly refreshes

When opening in Firefox on Windows 10, the browser constantly refreshes the site. Probably related to the PWA stuff or the auto-logout.

Settings appear to not apply (with multiple processes)

The way globals are used for things like the app-title or ssl verification only reliably works with a single process. When using e.g. gunicorn with multiple workers, the settings only get reloaded for the process which handled the request to save the settings. Refreshing the site hence can still display the old settings if it's a different process. In this case the new settings also won't apply.

This does not affect things like triggers though. After restarting gunicorn all processes will work with the new settings. So there is a workaround available by restarting the server process.
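The stale-settings behaviour described above, next to the per-request read that avoids it, as an added example that is not the project's code. Two sqlite3 connections to one file stand in for two gunicorn workers (separate processes in reality); the settings table and class names are assumptions.

```python
import os
import sqlite3
import tempfile

# Constructed settings table; key/value names are assumptions, not the project's schema.
def create_settings_db():
    path = os.path.join(tempfile.mkdtemp(), "settings.db")
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT NOT NULL)")
    db.execute("INSERT INTO settings VALUES ('app_title', 'hass-wh-triggers')")
    db.commit()
    db.close()
    return path

class CachedWorker:
    """Mirrors the reported bug: settings are loaded once into a per-process
    global, so a save in one worker never reaches the others."""
    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.settings = dict(self.db.execute("SELECT key, value FROM settings"))

    def save(self, key, value):
        self.db.execute("INSERT OR REPLACE INTO settings VALUES (?, ?)", (key, value))
        self.db.commit()
        self.settings[key] = value   # only THIS worker's copy is refreshed

    def get(self, key):
        return self.settings[key]    # other workers keep serving the old value

class FreshWorker:
    """Fix: every request reads the current value from the shared database,
    so all workers agree right after the save commits."""
    def __init__(self, path):
        self.db = sqlite3.connect(path)

    def save(self, key, value):
        self.db.execute("INSERT OR REPLACE INTO settings VALUES (?, ?)", (key, value))
        self.db.commit()

    def get(self, key):
        row = self.db.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
        return row[0]
```

For values like the SSL-verification flag this matters more than for the title: a worker running with a stale copy enforces the old policy until the server is restarted.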

Option to en/disable autocomplete at login form

The browser may propose to save login-information, possibly making the 2nd factor the only way of authentication when autofilled. A global option to disable autocomplete for the input fields probably can prevent this. And for the TOTP field autocomplete always should be disabled.

Edit: autocomplete=off may not prevent password managers from doing their job. But the browser itself may stop offering suggestions for the data. See this discussion.

Option to prohibit users to add additional FIDO2 tokens

Users can add additional FIDO2 tokens currently. So if they share their credentials and add another key, someone else could use that key to login. To counteract this problem it should be possible to disable the addition of further tokens.

Add OTP support

On top of WebAuthn and TOTP it could also be useful for the admin to create OTP tokens (like the registration tokens) that expire after a configurable amount of time and can be used for exactly one login. This could be especially useful if a user has registered the account, but did not add a 2FA token.
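A minimal store for such admin-created, single-use login tokens with a configurable lifetime, as an added example that is not the project's code: the class, its storage layout and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time

class OneTimeTokenStore:
    """Admin-issued login tokens: bound to one user, expire after a configurable
    lifetime and are accepted exactly once. Only a SHA-256 of the token is kept,
    so a leaked table does not yield usable tokens. (Constructed example.)"""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._entries = {}           # token digest -> {"user", "expires_at", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, lifetime_seconds):
        """Return a fresh token for username, valid for lifetime_seconds."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._entries[self._digest(token)] = {
            "user": username,
            "expires_at": self._clock() + lifetime_seconds,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the bound username on the first valid use, else None.
        Unknown, expired and already-used tokens all fail the same way."""
        entry = self._entries.get(self._digest(token))
        if entry is None or entry["used"] or self._clock() > entry["expires_at"]:
            return None
        entry["used"] = True        # mark before returning: exactly one login
        return entry["user"]

    def purge(self):
        """Drop expired and consumed entries; returns how many remain."""
        now = self._clock()
        self._entries = {h: e for h, e in self._entries.items()
                         if not e["used"] and e["expires_at"] >= now}
        return len(self._entries)
```

The token is shown to the admin once at issue time; afterwards only its digest exists, and redeeming it establishes which account the login belongs to.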

Encrypt TOTP Base32 in database

The TOTP Base32 secret should be encrypted before storing the value in the database. The key could come from the environment, much like the secret used for the Flask sessions.

Allow assigning triggers to users

Limiting triggers to a defined set of users would be nice. That way not all users would be presented with all available triggers.

Improve Registration/OTP tokens

It might be worth it to follow common patterns when dealing with these types of tokens. This section of the Flask documentation seems related.

Trigger admin-site improvements

Some ideas:

  • Button to generate webhook IDs
  • Export / import triggers as JSON
  • Provide automation-examples that make good use of a trigger

Deployment

Easy and versatile deployment options are needed. For Flask itself this looks interesting. On top of that Docker and a hassio add-on could be useful.

Improve database initialization

Since I'm new to Flask the way I initialize the database and prefill the default settings seems a bit hacky. If there is a better solution, it should be implemented.

Auto-refresh when opened

Opening the site (either in the browser or PWA) should initially do a refresh because usually the user's session will have expired at that point. In this state firing a trigger will just display the spinner within the button and nothing happens. Pulling down to refresh will solve this problem. But users might not know how to do this, and in general it would be just more user-friendly if they get redirected to the login-site right away in case the session has expired.

Support for internal Android authentication

Currently registration fails using the internal FIDO2 capabilities of Android.

Error:

Server validation of credential failed: Registration failed.
Error: Registration rejected. Error: Unable to verify attestation statement format..
didClickRegister @ webauthn.js:77

This probably is a result of the underlying py_webauthn package simply not supporting this type of device yet. Issue 28 at their repository seems to be where this problem is being discussed.

Using external tokens with Android (e.g. NFC Yubikey) is working.
