NUKI Bridge HTTP-API
For access restriction of the HTTP-API at least user authentication should be available. Additional authorization would be nice for enabling different user roles.
If using the HTTP-API even in the local home network a user authentication for accessing the API should be available to prevent missusage like by a untrusted user (using the WiFi or plugged into the LAN) or malware.
Enabling user autorization will enhance possible API use-cases:
- user role admin has full access to the API
- user role action can use API functions like locking or opening the door
- user role read can use unly API functions like status requests, reading log files etc. expect lokcing or openeing the door
For security and saftey reasons using the HTTP API inside the home network. Not every user has the ability runing a special secured and separated NUKI Bridge HTTP API network plus secured proxy or broker system.
Having user authentication and additional autorization for the API access, increase the security of home automation systems. Nowerdays it is not guaranteed anymore that malware/spyware etc. will be used by thiefs or other malicious people to missuse smart locks for gettng physical access to the locked location. Also malicious hardware placed inside the local network can be used to access the smart lock system via the API for opening the door e.g.
- Session based authentication and authorization for HTTP-API access
- At least BASIC HTTP Auth for accessing the HTTP-API