From eBower Wiki
Revision as of 11:15, 7 March 2015

Unhappy with the security around the INSTEON Hub, I decided I wanted to put a secure, modern web server in front of it. I made the following assumptions:

  • I don't want to deal with password management; I want to use an OpenID(-like) solution.
  • All web servers should be TLS encrypted, even if there is no secure content.
  • I have a web server on my home network that's world-accessible.
  • The web server is a modern Linux system running php5.
  • I can either attach the Hub to a dedicated network on my web server or rely on my router to filter traffic to it so that only acceptable IP addresses can reach it.
  • I use an original Hub; however, most of the code is abstracted enough that adding support for other controllers (or even WEMO via the ouimeaux libraries, https://github.com/iancmcc/ouimeaux) should be easy enough.
  • The only browser I tested with is Chrome, but much of it is basic JavaScript/HTML, so other browsers should work.

Installation

Unpack the files into /var/www/insteon/ or the directory of your choice.

Edit insteon.conf to include your Hub information.

Edit insteon.ini; we're only interested in the [devices] section as of now. You can delete the sample entries. The format of each entry is:

short_name=insteon_id,device_details,friendly_name

short_name
    A short form of the device name. Keep it small, unique, and one word. This is no longer used except as a key.

insteon_id
    The INSTEON ID, usually printed on the device or visible from the app. Use a format that can't be mistaken for a number, like xx.xx.xx or xx:xx:xx.

device_details
    The product code for the device, visible from the app; it provides a way to identify the type and version of the device. Today I just use this to determine whether the device is a dimmer or one of my fan modules, but in theory device-specific icons and behavior are possible.

friendly_name
    What will be displayed in the UI. Avoid commas, but most other characters should be fine.

Google+ Authentication

Storing passwords locally is a Very Bad Idea™ unless you're a full-time IT guy. Password reuse is a big problem, and no matter what you think, you're storing your passwords incorrectly. So is Google, but they have a large team of full-time IT guys on it. And you can use their password database to make sure there's one less password (including 2FA) you need to remember.

I chose the Google+ Sign-In mechanism. First, go to the Google Developers Console and follow the "create a client ID and client secret" workflow. Once you're done, under APIs and Auth you can click "Credentials." Find the "Client ID" (it looks like a mess of random characters ending in .apps.googleusercontent.com) and copy that value to the client ID in /etc/insteon.ini.

Now you should be able to open the /insteon page on your web server and see the Google+ login button. Click on it and log in. You'll be presented with a "Sorry, not authorized." message including your user ID. You can view your profile by entering that ID after https://plus.google.com/. If things are working, you can add that ID to /etc/insteon.ini as a unique user under the [valid_users] section (deleting the placeholders).

Finally, try refreshing the page and see if you can log in.
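As an added example (not code from the original page or the project), the following Python shows how the two pieces of /etc/insteon.ini described above can be loaded and validated: the [devices] entries in the short_name=insteon_id,device_details,friendly_name format, and the [valid_users] allowlist that decides whether a Google user ID is let in. The sample ini text is constructed, and the nickname=google_user_id layout of [valid_users] is an assumption; the page only says each user is a unique entry under that section.

```python
import configparser
import re
from dataclasses import dataclass

# Constructed sample of /etc/insteon.ini in the format the page describes.
# The [valid_users] layout (nickname=Google user ID) is an assumption.
SAMPLE_INI = """
[devices]
kitchen=1A.2B.3C,2477D,Kitchen Lights
bedfan=aa:bb:cc,2475F,Bedroom Fan

[valid_users]
alice=101234567890123456789
"""

# xx.xx.xx or xx:xx:xx, hex pairs, same separator both times
INSTEON_ID_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([.:])([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})$")

@dataclass(frozen=True)
class Device:
    short_name: str
    insteon_id: str      # normalised to XX.XX.XX
    device_details: str
    friendly_name: str

def parse_devices(ini_text):
    # strict=True (the default) raises DuplicateOptionError on a repeated
    # short_name, which enforces the "unique" requirement for free.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    devices = []
    for short_name, value in cfg.items("devices"):
        parts = value.split(",")
        if len(parts) != 3:   # a comma in friendly_name lands here
            raise ValueError(f"{short_name}: expected 3 fields, got {len(parts)}")
        raw_id, details, friendly = (p.strip() for p in parts)
        m = INSTEON_ID_RE.match(raw_id)
        if not m:
            raise ValueError(f"{short_name}: bad INSTEON ID {raw_id!r}")
        norm_id = ".".join(g.upper() for g in (m.group(1), m.group(3), m.group(4)))
        devices.append(Device(short_name, norm_id, details, friendly))
    return devices

def is_authorized(ini_text, google_user_id):
    # Allowlist check: only an exact match on a numeric Google+ profile ID
    # passes, so a leftover placeholder from the sample file never matches.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    allowed = {v.strip() for _, v in cfg.items("valid_users")}
    return google_user_id.isdigit() and google_user_id in allowed
```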