Comments (5)
Hi @mwalterskirchen ,
That's intended. In order to keep your session up and running across reboots of HomeAssistant, the Meross integration needs to keep an access token stored locally, as the meross app does. Encrypting the credentials would require an encryption key to be stored somewhere: again that would just shift the problem, as we would store the encryption key for decrypting the credentials.
Most of the HomeAssistant components store credentials this way. The point is that nobody except admins should be ever able to access the SSH console or the SD contents of the HA directory.
In any case, we are not storing your user's password, but just the issued token (this is how browsers and apps work) in order to improve the security (you should not be able to do major account changes with only the token, you'll need the actual user's password)
from meross-homeassistant.
Hi @albertogeniola,
Thanks for getting back to me and clarifying your point of view! 🙌🏻
But my user password iot_homeassistant is saved in clear text in the config file. This would best be avoided by just using a token altogether and never saving the user password but rather just the token. This way IF a potential attacker were to get access to the HA directory somehow they could only abuse one service and not potentially obtain a clear text password that users tend to reuse across applications.
from meross-homeassistant.
Hi @mwalterskirchen ,
My mistake, I was wrong. You are right, the current version of this component is storing the user's password.
Now that I think about it, I remember this was necessary as the token did not report its expiration timestamp, so it was hard to say when it would have expired. Nor was it possible to renew it without the user-password combination.
However, that was a long time ago, so it might be the right time to get back to the Meross Engineering team to get info about the token expiration and see if we can store only the token instead of the email-password combination.
I'll mark this discussion as a feature request to improve the overall security of this component.
Thanks for the spot!
from meross-homeassistant.
Hi @mwalterskirchen ,
I got back to the Meross Engineers. It looks like the token expiration is handled on their side: every time you use the same token, its expiration is extended. This means that we can assume the token never expires, if the HA system is kept running and connected to the Internet. Therefore, I performed the necessary changes to the library and to the component so that user/password credentials are no longer stored. Instead, we just use the token.
I've released a beta version for you to try it out: v1.3.1beta1. Would you please try it and provide some feedback?
Please note: you need to completely remove the integration, restart HA, then install the new integration. In this way, the previous stored info is wiped away and username/password won't be there any longer.
from meross-homeassistant.
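After following the remove/restart/reinstall steps above, a practitioner will want to confirm that no stored config entry for the integration still carries a plaintext password. The script below is an added example, not code from the thread or from meross-homeassistant; it assumes Home Assistant's `.storage/core.config_entries` JSON layout (`{"data": {"entries": [...]}}` with a `domain` and a `data` dict per entry) and uses a constructed sample instead of a real storage file.

```python
import json

# Assumption (not from the thread): HA persists config entries in
# .storage/core.config_entries as {"data": {"entries": [...]}}, where each
# entry carries "domain" and a "data" dict holding whatever the integration saved.
SENSITIVE_KEYS = {"password", "passwd", "secret"}

# Constructed sample: one stale entry still holding email/password (the pre-1.3.1
# layout described in the thread) and one entry that holds only a token.
SAMPLE_STORAGE = json.dumps({
    "data": {"entries": [
        {"entry_id": "old-entry", "domain": "meross_cloud",
         "data": {"username": "user@example.com", "password": "hunter2"}},
        {"entry_id": "new-entry", "domain": "meross_cloud",
         "data": {"token": "TOKEN-PLACEHOLDER"}},
        {"entry_id": "other", "domain": "some_other_integration",
         "data": {"password": "x"}},
    ]}
})


def find_plaintext_secrets(storage_text: str, domain: str) -> list:
    """Return (entry_id, key) pairs for config entries of `domain` whose stored
    data contains a sensitive key (matched case-insensitively, one level deep)."""
    doc = json.loads(storage_text)
    hits = []
    for entry in doc.get("data", {}).get("entries", []):
        if entry.get("domain") != domain:
            continue
        for key in entry.get("data", {}):
            if key.lower() in SENSITIVE_KEYS:
                hits.append((entry["entry_id"], key))
    return hits


if __name__ == "__main__":
    # Run against the real file with: open(".storage/core.config_entries").read()
    for entry_id, key in find_plaintext_secrets(SAMPLE_STORAGE, "meross_cloud"):
        print(f"entry {entry_id} still stores a plaintext {key!r}")
```

An empty result for the integration's domain means the reinstall wiped the old username/password data as intended.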
Fixed in v1.3.1. Closing!
from meross-homeassistant.