Limit lock action types accessible through Bridge HTTP API

Product name

Nuki Bridge HTTP Api

Summary

Add ability to limit specific lock actions through Bridge HTTP API

Features

As described in Limit Bridge remote actions additional security for Bridge API should be added.
Either by limiting the lock type actions available through Bridge HTTP API, or by assigning multiple API keys to different action types.

Reason

Additional security. Considering “lock” action as relative secure to use by external systems over unsecure HTTP interface, but “unlock” as strongly unsecure.

Examples

There already exists Home Assistant plugin, which is able to unlock and open the door. I have to provide a API key to that system. So it means that:

  1. API key is stored on third system, that has internet connection (for other information services)
  2. API key is transferred in plaintext over the network (even local network, but who know who is listening)

I hope I can trust your Android application and Fobs where the communication is end-to-end encrypted. But I do not trust the scenario I have described above.

So the result is, that I would like to allow just locking the door through the Bridge API, but NOT unlocking.

Auto-lock is not solution for me, as I do not want to lock when somebody is inside and only the smart home system knows that.