Hey! I’m setting up a web service app and have everything working except I’m not happy with the security of the SmartThings HTTP PUT requests to my server.
It’s all working GREAT! However, right now I don’t have anything in the way of validating that the PUT request from SmartThings is actually from SmartThings. Here’s a sample of what I’m getting:
INFO – : [] Parameters: {"name"=>"Front Door", "value"=>"", "lock"=>{"name"=>"Front Door"}}
How do I validate that’s from SmartThings and not an attacker spoofing information to my server?
Sorry if this question is vague, I’m in the beginning steps of this web service and want to make sure everything is secure.
I’m happy with the endpoint OAuth requests that my app makes to SmartThings, of course. I followed the OAuth2 Sinatra tutorial in the documentation, but there’s no documentation on validating HTTP REST requests TO my server.
Any reason why you could not include an encoded secret string (shared public/private key) in the payload or header so that your SSL server can verify the authenticity of the httpPut?
Never mind, it doesn’t seem like encryption classes are allowed on the SmartThings platform. I’ll just pass a secret key along with the request. Since it’s an HTTPS PUT it should be fine.
That will work! And if you want an extra level of security, you could calculate a dynamic secret key based on a formula that involves some derived agreed upon variable, like the date, hour, day of the month, day of the year, etc…
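The server-side half of what the two posts above settle on, as an added example that is not code from the thread or from SmartThings. It checks a static shared secret sent in a header (the approach in the "I'll just pass a secret key" post) with a constant-time comparison, and also shows the stronger form of the "dynamic secret" idea in the last post: an HMAC over a timestamp and the raw body, so the secret itself never travels in the request and a captured request cannot be replayed outside a short window. The header names (X-Auth-Token, X-Timestamp, X-Signature), the secret value and the sample body are assumptions made for this example; the HMAC variant also assumes the sender can compute an HMAC, which the thread notes the SmartThings sandbox may not permit.

```ruby
require "openssl"

# Added example, not from the thread. Server-side validation of an incoming
# SmartThings PUT. Header names, the secret and the sample body are
# hypothetical; generate a real secret with SecureRandom.hex(32).
SHARED_SECRET = "replace-with-a-long-random-value".freeze
MAX_SKEW_SECONDS = 300  # how old a signed request may be before it is rejected

# Constant-time comparison so response timing does not leak how many leading
# bytes of the token were correct. A length mismatch is rejected immediately,
# which reveals only the length, never the contents.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Check 1: a static secret in a request header. This is what the thread ends
# up with; TLS keeps it off the wire, but anyone who captures one request
# (a proxy, a log, a misconfigured TLS client) can reuse it forever.
def valid_static_secret?(headers, secret = SHARED_SECRET)
  secure_equal?(headers["X-Auth-Token"].to_s, secret)
end

# Check 2: HMAC-SHA256 over "<unix timestamp>.<raw body>". The body is covered
# so a tampered payload fails, and the timestamp bounds replay.
def compute_signature(timestamp, body, secret = SHARED_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{body}")
end

def valid_signed_request?(headers, raw_body, now: Time.now.to_i, secret: SHARED_SECRET)
  ts = headers["X-Timestamp"].to_s
  return false unless ts =~ /\A\d+\z/                     # reject garbage before doing arithmetic
  return false if (now - ts.to_i).abs > MAX_SKEW_SECONDS   # stale or far-future request
  expected = compute_signature(ts, raw_body, secret)
  secure_equal?(headers["X-Signature"].to_s, expected)
end

# In a Sinatra route, read the raw body before any parser touches it, because
# the signature covers the exact bytes the sender signed (not shown running):
#
#   put "/lock" do
#     raw = request.body.read
#     hdrs = { "X-Timestamp" => request.env["HTTP_X_TIMESTAMP"],
#              "X-Signature" => request.env["HTTP_X_SIGNATURE"] }
#     halt 401, "bad signature" unless valid_signed_request?(hdrs, raw)
#     ...
#   end

# Constructed sample body, shaped like the parameters in the opening post.
SAMPLE_BODY = '{"name":"Front Door","value":"","lock":{"name":"Front Door"}}'.freeze

# Exercise the checks against a genuine, a tampered and a replayed request.
def demo
  now = 1_700_000_000
  good = { "X-Timestamp" => now.to_s,
           "X-Signature" => compute_signature(now.to_s, SAMPLE_BODY) }
  tampered_body = SAMPLE_BODY.sub("Front Door", "Back Door")
  {
    genuine:    valid_signed_request?(good, SAMPLE_BODY, now: now),
    tampered:   valid_signed_request?(good, tampered_body, now: now),
    replayed:   valid_signed_request?(good, SAMPLE_BODY, now: now + 3600),
    static_ok:  valid_static_secret?({ "X-Auth-Token" => SHARED_SECRET }),
    static_bad: valid_static_secret?({ "X-Auth-Token" => "guess" }),
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

If the sending side really cannot compute an HMAC, keep the static token but store it outside the code, rotate it, and compare it with `secure_equal?` rather than `==`; the freshness window is the only part that needs the signing side.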