Authentication

Open Edzilla2000 opened this issue 5 years ago • 10 comments

Hello, Would it be possible to implement some kind of authentication? Right now anyone having access to this webapp can do anything with my zigbee network. I'm mitigating the issue by only bringing it up when I need it but I would love to see some kind of user/password on it.

Edzilla2000 avatar Jan 09 '20 17:01 Edzilla2000

To be honest the tool has been developed to be a HASS.IO ingress add-in first, so the authentication is managed by HASS when used that way. But I agree it's a security issue when used as a stand-alone container (or when you activate the port-mapping feature to access it directly without the ingress mode).

Would having a hard-coded username + password, defined in the configuration, be enough for you?

carldebilly avatar Jan 10 '20 02:01 carldebilly

@all-contributors please add Edzilla2000 to ideas

carldebilly avatar Jan 10 '20 02:01 carldebilly

@carldebilly

I've put up a pull request to add @Edzilla2000! :tada:

allcontributors[bot] avatar Jan 10 '20 02:01 allcontributors[bot]

I would also appreciate some authentication method in the stand-alone version. Username + password in the configuration would be ok, but only with https/ssl encryption. Of course it would be better to save the login data in an encrypted file. In this file you can also store e.g. the MQTT Broker login data securely.

kennymc-c avatar Jan 17 '20 17:01 kennymc-c

To be honest the tool has been developed to be a HASS.IO ingress add-in first, so the authentication is managed by HASS when used that way. But I agree it's a security issue when used as a stand-alone container (or when you activate the port-mapping feature to access it directly without the ingress mode). [...]

Sorry for asking, but does this include the use of !secret in the configuration? Because in my case it is not working, so I'd like to add a feature request, a bug report or an apology for misconfiguring the addon. 😄

EDIT: Never mind, I found #33

Paddy0174 avatar Feb 29 '20 16:02 Paddy0174

Any updates on this? The mentioned solution using hard-coded login credentials would be better than nothing as it is currently the case in the stand-alone version.

kennymc-c avatar Jun 03 '20 22:06 kennymc-c

For my part I've added basic auth in my traefik config for this service, but something better integrated would be great!

Edzilla2000 avatar Jun 03 '20 22:06 Edzilla2000

As I also use Zigbee2MqttAssistant as standalone in the form of a docker container, I am interested in even the basic form of authorization. Is there a chance for such a feature? Alternatively, I am asking for tips on how to do this?

dawidkrawczak avatar Mar 31 '21 09:03 dawidkrawczak

@DavePol21 personally I do it like this in Traefik 2:

```yaml
deploy:
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=webgateway"
    - "traefik.http.routers.zigbee.rule=Host(`zigbee.domain.tld`)"
    - "traefik.http.services.zigbee.loadbalancer.server.port=8080"
    - "traefik.http.routers.zigbee.entrypoints=websecure"
    - "traefik.http.routers.zigbee.tls.certresolver=mydnschallenge"
    - "traefik.http.middlewares.zigbee-auth.basicauth.users=user:hash"
    - "traefik.http.routers.zigbee.middlewares=zigbee-auth@docker"
```

Edzilla2000 avatar Mar 31 '21 09:03 Edzilla2000
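
The `user:hash` value in the labels above is an htpasswd entry, and in a Compose or stack file every `$` in the hash has to be written as `$$` so it is not treated as variable interpolation. The following is an added example, not part of the original comments: it checks that an htpasswd line carries a hashed password and emits the escaped label. The function names are hypothetical and the sample hash is a constructed placeholder, not a real credential.

```python
import re

# Hash shapes that htpasswd emits and Traefik's basicauth middleware
# documents as supported (bcrypt, MD5, SHA1). Anything else is rejected.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
]


def classify(hash_value):
    """Return the scheme name for an htpasswd hash, or None if unrecognised."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_value):
            return name
    return None


def basicauth_label(htpasswd_line, middleware="zigbee-auth"):
    """Turn one 'user:hash' htpasswd line into a Compose label.

    Returns (scheme, label). Raises ValueError when the line is malformed
    or the password part does not look hashed (for example plaintext).
    """
    user, sep, hash_value = htpasswd_line.strip().partition(":")
    if not sep or not user or not hash_value:
        raise ValueError("expected 'user:hash'")
    scheme = classify(hash_value)
    if scheme is None:
        raise ValueError("password part is not a recognised htpasswd hash")
    # Compose interpolates $VAR, so a literal dollar sign must be doubled.
    escaped = hash_value.replace("$", "$$")
    label = f'- "traefik.http.middlewares.{middleware}.basicauth.users={user}:{escaped}"'
    return scheme, label


if __name__ == "__main__":
    # Constructed placeholder with the shape of `htpasswd -nbB` output.
    sample = "user:" + "$2y$10$" + "x" * 53
    scheme, label = basicauth_label(sample)
    print(scheme)
    print(label)
```
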

Thank you. I wouldn't like to put up an additional container with Traefik. Is it possible to edit the page files / webserver configuration files directly in the Z2MA container?

dawidkrawczak avatar Mar 31 '21 09:03 dawidkrawczak