REST HTTP Endpoint validation


(Erik Thayer) #1

Hey! I’m setting up a web service app and have everything working except I’m not happy with the security of SmartThings HTTP put request to my server.

It’s all working GREAT! However, right now I don’t have anything in the way of validating that the PUT request from SmartThings is actually from SmartThings. Here’s a sample of what I’m getting:

INFO – : [] Parameters: {“name”=>“Front Door”, “value”=>"", “lock”=>{“name”=>“Front Door”}}

How do I validate that’s from SmartThings and not an attacker spoofing information to my server?

Sorry if this question is vague, I’m in the beginning steps of this web service and want to make sure everything is secure.

I’m happy with the endpoint oAuth requests that my app makes to SmartThings of course. I followed the oAuth2 sinatra tutorial on the documentation, but there’s no documentation on validating HTTP REST request TO my server.


(Kurt Sanders) #2

Hello @ethayer,

Any reason why you could not include an encoded secret string (shared public/private key) in the payload or header so that your SSL server can verify the authenticity of the httpPut?


(Erik Thayer) #3

Yes, this is what I want to do. I’m asking how to implement it.

I’m thinking this might get me what I want:
https://groovygrailsblogs.wordpress.com/tag/encryption/

I can give the SmartThings client a new secret key through oAuth2 during the authentication flow.


(Erik Thayer) #4

Never mind, it doesn’t seem like encryption classes are allowed on the SmartThings platform. I’ll just pass a secret key along with the request. Since it’s an HTTPS PUT it should be fine.
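An added example of the shared-secret check described in this post, not code from the thread or from SmartThings: it assumes the SmartApp sends the secret in a header named X-Auth-Token (a hypothetical name) and that the receiving side is a Sinatra-style server seeing the usual Rack request env.

```ruby
require 'securerandom'

# Constructed example: the shared secret the SmartApp sends with each PUT.
# Generate it once, hand it to the SmartApp during the OAuth flow, and keep it
# server-side; HTTPS keeps it confidential in transit.
SHARED_SECRET = SecureRandom.hex(32)

# Header the SmartApp is assumed to carry the secret in. Rack exposes the
# "X-Auth-Token" header as HTTP_X_AUTH_TOKEN in the request env.
TOKEN_HEADER = 'HTTP_X_AUTH_TOKEN'

# Compare two strings in constant time. A plain == returns as soon as the
# first differing byte is found, which leaks how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Accept the request only when the header is present and matches the stored
# secret. `env` is the Rack env that a Sinatra route sees as `request.env`.
def authentic_request?(env, secret = SHARED_SECRET)
  presented = env[TOKEN_HEADER]
  return false if presented.nil? || presented.empty?

  secure_compare(presented, secret)
end

# How a Sinatra route would use it (sketch only, not executed here):
#   put '/lock' do
#     halt 401, 'unauthorized' unless authentic_request?(request.env)
#     # ... handle params['name'], params['lock'] as before ...
#   end
```

Rejecting before parsing the body means a spoofed PUT never reaches the lock-handling logic, and the constant-time compare keeps the secret from being guessed byte by byte through response timing.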


(Kurt Sanders) #5

That will work! And if you want an extra level of security, you could calculate a dynamic secret key based on a formula that involves some derived agreed upon variable, like the date, hour, day of the month, day of the year, etc…


(Erik Thayer) #6

Yeah, I get the theory of that but there are no cipher classes on the ST platform and I’m not in the business of creating them from scratch.

I don’t need theories, mate! I need codez.

https token will be fine though, upward and onward. :wink:


(Kurt Sanders) #7

I am truly gobsmacked, real “SmartApp Code Slingers” don’t need code examples, they create them! :grinning:


(Erik Thayer) #8

Yeeeeahhhh… I’m not writing my own cipher. No thanks, Mr.