I have a couple of requests for future versions of Indigo that will really help me out.
I access Indigo through NGINX. This allows me to reach my home automation from anywhere on the Internet using SSL and my own SSL certificate. It also allows me to put multiple applications behind one interface (since I only have one IP to the Internet). Nginx handles its own authentication. That's my use case.
My problem is that Indigo only supports two authentication mechanisms: 1. No auth. 2. Digest Auth. Furthermore, the username/password created for digest auth has full access to the Indigo client as well as full access to the API. There is no way to separate that access or define which users can access what.
I've put a lot of thought into this. There are two very simple solutions to solve my problem, and if either one gets implemented I can correctly secure my home automation.
1. Allow an IP (or list of IPs) that are allowed unauthenticated access to the API. This allows me to keep Digest auth turned on, and whitelist my nginx server (and/or localhost).
2. Allow Basic Auth in addition to Digest Auth. I can spoof Basic Auth using nginx and store the credentials on that server.
That's it. Allowing a whitelisted IP sounds like it should be really easy, and I'm very hopeful something like this is added soon. I have many other ideas and suggestions for how to improve the usefulness and security of the API and client TCP ports. Hit me up if you're interested.
Thank you for reading,
-Captain
PS.
I really just want to write this other request somewhere too, even though I know it's highly unlikely to get implemented. Please add a "base path" parameter to the web server. This makes the web server more compatible with a reverse proxy. I'd like to serve the entire application on a single URI like `/indigo/`, but I need Indigo to add /indigo/ to the beginning of all HTML elements it serves. Grafana does this by setting the root_url variable in grafana.ini. Deluge does it by taking a client request header named "X-Deluge-Base" and appending that to all resources before they're served. Lots of ways to achieve this and some may be simple to code.
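As an added illustration (not part of the post above, and not Indigo's or nginx's own documentation), this is what the poster's option 2 would look like on the nginx side: nginx terminates TLS and authenticates the browser itself, then replaces the Authorization header with a Basic credential that is stored only on the proxy host. It assumes Indigo would accept Basic Auth, which the post says it currently does not; the hostname, certificate paths, upstream address and port, and the included credential file are placeholders.

```nginx
# Added example: nginx in front of Indigo, implementing the post's option 2.
# All names below are placeholders chosen for this example.
server {
    listen 443 ssl;
    server_name home.example.net;

    ssl_certificate     /etc/nginx/certs/home.example.net.pem;
    ssl_certificate_key /etc/nginx/certs/home.example.net.key;

    # nginx performs its own authentication for every request it proxies.
    # The password file is created with htpasswd(1) and never reaches Indigo.
    auth_basic           "Home automation";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Serve the application under a single URI prefix. The trailing slash on
    # proxy_pass strips "/indigo/" before the request is forwarded, which is
    # why the base-path request in the PS matters: links Indigo renders as
    # "/foo" would still need the prefix added.
    location /indigo/ {
        proxy_pass http://127.0.0.1:8176/;   # assumed upstream address and port

        # Overwrite whatever Authorization header the browser sent with the
        # upstream credential. Keeping the directive in a separate file with
        # restrictive permissions keeps the secret out of the main config:
        #   proxy_set_header Authorization "Basic <base64 of user:password>";
        include /etc/nginx/indigo_upstream_auth.conf;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Nothing else on this vhost should be reachable.
    location / {
        return 404;
    }
}
```

With this layout the external user only ever holds the nginx credential, and Indigo's own digest or basic password is confined to the proxy host, which is the separation of access the post asks for.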