API Keys for Server

Hi, I am trying to see how I can create API keys for my local Indigo Web Server. I don't want to use the reflector. According to this post the keys can only be create in my Indigo account. Not only that but these are synced to my Indigo Server via frequent connection to the mothership with a caching of about a day. If this is how it works I do not really like it. I always liked the fact that I could run Indigo without depending on any cloud server, service or vendor. I know I can use basic authentication why can't I use API keys locally which are more secure? Thanks

[jay (support)]

We are evaluating further changes/refinements to API Key caching for future releases.

We have no current plans to make the creation of API Keys happen locally in the UI.

I'm a bit confused. Is there any sort of local non-cloud reliant http access to indigo left? I'm running 2022.2.0 where the ui option still exists. And, the first post in this thread mentions we might still be able to use basic authentication. However, it seems from the Indigo 2022.2.1 Release Notes this was removed since it didn't do anything:

Removed UI option from Start Local Server dialog to enable HTTP Basic Authentication since that functionality has been deprecated in 2022.2.0.

And this post implies the same:
https://forums.indigodomo.com/viewtopic.php?f=131&t=26965&hilit=http+basic
fwiw, it does seem that the web ui (i.e. http://localhost:8176/index.html) still uses digest auth.

Anyway, I'd like to second the request to keep Indigo non-cloud reliant. Echoing the sentiment above that indigo was great since it has always been standalone (other than I suppose maybe checking the license? ) Or at least carve out the ability to exempt parts of the local network?

+1. Agree. Having the ability to control the home including reading and writing of variables and running actions without the cloud was a key selling point for me.
I do not run reflector as I VPN into my network as needed when I'm remote.

I have lots of scripts that read and write variable data to / from indigo.

I was relying on the basic auth setting. I have the password and username base64 encoded in my nginx proxy config. Users authorize through an auth proxy, and nginx handled the middle-man part of this. Now to figure out if nginx can do digest auth. It sure was easy before. Why make it hard on us?

Very sad.

For whatever it's worth, I write Golang libraries to interface APIs on _everything_ I can. I've been waiting for Indigo to provide better auth options on the API so I can write a library for it. Am I to understand that's being discouraged? Meaning, I have no use for the reflector, and if the API requires it, it'll be impossible for me to write a library for it. In the 10 or so years I've been using Indigo, I've requested better auth in the web server, and the ability to bind it to a specific IP. Security features for software that controls hundreds of devices in my home.

A couple examples of my work:
https://github.com/unpoller/unifi
https://github.com/golift/securityspy
https://github.com/golift/starr

Would love to add Indigo to this list. Whatcha think?

-captain

[jay (support)]

Using API Keys should be significantly easier, right? Basic auth is widely known to be insecure, which is why we deprecated it.

In the next release we will enable users to create their own local secrets, which will work similarly to API Keys generated in your Indigo Account in terms of authenticating API calls.

That sounds great. As long as cloud connectivity isn't mandatory. Would be nice to allow simple (albeit insecure) auth from my local network. Is there an option to click that the indigo server to not check api keys at all from your central servers? I know it's paranoid but in theory someone could hack my indigo account, create a key and then access my server without me knowing. Again, that was one of the great things is not being cloud reliant at all. I live in TX as well, and as you know, we're frequently on UPS/generator backup in these parts. Lost power for a week during the last storm but my home automation was just fine!

I am pleased to hear that there is a local API key model coming, but disappointed that suddenly my REST API systems failed after upgrade and there is no non-cloud model to get access to my own data - this seems like it should have been the path before a breaking change. Indigo needs to be able to operate in an air-gapped environment where the server has no communication with the outside world. I suspect quite a few people here use Indigo precisely because it is NOT a cloud-based system, and this is a disturbing step that I hope the next release will repair.

Pleased to hear there will be a way to use API keys locally. Jay for the avoidance of any doubt can you please confirm "local secrets" will work with both the new HTTP and WebSocket APIs and there will not be any requirement to connect to IndigoDomo.com?

I purposefully block Indigo from communicating to IndigoDomo.com using Little Snitch. Not because I don't trust Indigo but because I want to be sure it's working without any depedancy on the Cloud and or internet server. So far I have found any issues with this way of working and I hope it remains the same as it is key requirement on my part that my home automation does not depend on the cloud to work.

Not to put the great Indigo folks on the spot, but is there an estimated timeline for the next release?

[jay (support)]

can you please confirm "local secrets" will work with both the new HTTP and WebSocket APIs and there will not be any requirement to connect to IndigoDomo.com?

Correct.

[jay (support)]

Not to put the great Indigo folks on the spot, but is there an estimated timeline for the next release?

We don't pre-announce releases, but the next release is probably a few months out. We've got some backend system upgrades that need addressing before that release.

I just upgraded my Indigo install to 2022.2 and stumbled on the new API requirements..

My old REST calls are not working anymore, and I try to keep Indigo away from the internet...

I'm just here to add my vote for a local-non-cloud-connected-solution.
I see you have a solution ready, I'd just like to add my name to the list in case this is a deciding factor which feature is introduced when..

anyone else experiencing an outage of API calls due to reported no communication to indigodomo.com ??

It would appear that Indigo is unable validate the token (presumably from the mothership) ... and therefore all API calls are failing (absolutely spamming the console and log).
Another plea to allow indigo to work fully fledged without internet connectivity.




2023-06-16 21:11:55.352 Error Unable to connect to IndigoDomo.com.
2023-06-16 21:12:07.317 Web Server Error Attempt to validate token failed
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_exceptions.py", line 10, in map_exceptions
yield
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/backends/sync.py", line 62, in start_tls
raise exc
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/backends/sync.py", line 57, in start_tls
sock = ssl_context.wrap_socket(
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1070, in _create
self.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1341, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpx/_transports/default.py", line 60, in map_httpcore_exceptions
yield
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpx/_transports/default.py", line 218, in handle_request
resp = self._pool.handle_request(req)
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_sync/connection_pool.py", line 253, in handle_request
raise exc
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_sync/connection_pool.py", line 237, in handle_request
response = connection.handle_request(request)
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_sync/connection.py", line 86, in handle_request
raise exc
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_sync/connection.py", line 63, in handle_request
stream = self._connect(request)
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_sync/connection.py", line 150, in _connect
stream = stream.start_tls(**kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/backends/sync.py", line 54, in start_tls
with map_exceptions(exc_map):
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/contextlib.py", line 153, in __exit__
self.gen.throw(typ, value, traceback)
File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/httpcore/_exceptions.py", line 14, in map_exceptions
raise to_exc(exc)
httpcore.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)