Do I need to further authenticate MQTT auth messages?

[mccahan]

Hello! I've got this up and running, and I'm successfully getting MQTT messages through to my MQTT_AUTH_TOPIC. My question is, if I get a message with homekey:true in it, does that mean that it has actually authenticated the user against my Apple Home, or do I need to validate the endpoint/issuerIds against a whitelist of my own?

The only two phones I have on hand are both part of my Apple Home and automagically got the key when I added the accessory. I don't necessarily care which device is doing the unlocking, so do I need to go around collecting the endpoint/issuerIds for devices I add to whitelist them, or can I just trust if they've made it to the point of sending that MQTT message that they're definitely a part of my home and I can safely unlock?

Very cool project! I mostly set it up to tinker, if I do end up doing something practical with it I'll probably make a fork and add code to pulse a GPIO pin to trigger a garage door opener and mount it outside instead of a keypad. If only Apple would let us share keys with guests... oh well. Thanks!

[rednblkx]

Hi there!

Apologize for the late reply.

To answer your question shortly, No.

The mqtt message is published upon a successful homekey transaction and you don't need to "authenticate" the data if you do not want to.
Additionally, the homekey field's purpose is to differentiate between data formats since the projects also accepts regular rfid cards for which different sets of data is published.

I'm glad you like the project, if you have any other questions and/or suggestions, i'll be happy to hear 'em.

Side-note: Afaik apple is supposedly releasing the share feature sometime in the future just no idea when 🤷‍♂️ , the closest thing to this is access codes that can be shared with guests which i managed to reverse-engineer recently and i plan to integrate it into this project sometime in the future.

[mccahan]

Thanks! FYI, I had enough trouble with the PlatformIO stuff in VSCode that I ended up making a web installer (source here) which I was intending on PRing when you've got the web UI ready to see if you're interested. Using GH Actions to make a binary, and then ESP Web Tools and Improv WiFi to be able to flash and set up WiFi from the browser.

[rednblkx]

That’s really cool though I haven’t been working on the web ui lately especially ever since I started to develop a HomeKit component for esphome which has been an absolute headache but I’m making progress. Issue with the WiFi configuration is that HomeSpan has its own configuration flow of the ESP for which I see you’ve already made a lot of changes on your fork to make improv work, you should open a PR for this to HomeSpan, would been great to see this added, once that is merged I’ll integrate it onto my fork (if my PR for homekey hasn’t been merged by then).

[mccahan]

Unfortunately the person who maintains HomeSpan doesn't think adding the Improv functionality is within the intended scope at the moment. If I find the time I might split it out into a separate library for people to use, I think a lot of people are doing way too much cool HomeSpan work for it to be gated behind having to compile everything themselves.

[rednblkx]

That’s a bummer, would be nice if you can package this into a library though I don’t see how you can couple it into homespan without using a fork of it. Honestly the primary reason for wanting to port to esphome is the same reason people use it, it’s versatile, it’s flexible, you use what you want to use(for the most part). I have also been considering for a while to migrate away from HomeSpan on this project to perhaps something more barebones like esp-homekit-sdk and not constraint the user on whether WiFi or Ethernet can be used, how the configuration can be done and stuff like that, but…. that is still very much a thought at this time but I think it’s a nice idea for the future.

[rednblkx]

even though the maintainer does not want it upstream, I’ll still be integrating it in my own fork like I said as I do think it’s pretty handy to have it since not everyone wants to deal with the code but I’ll first need to finish with the webui since you need to configure the mqtt details.