Continuing the discussion from SmartTiles Dashboard v5.7: Release March 2, 2016:
We have posted an important Announcement regarding the release of SmartTiles v5.8...
We have be released SmartTiles v5.8 to Blue edition users this week. Here’s an outline of the changes to expect. Questions are welcome, but stay tuned to this Topic for more details and updates.
SmartTiles v5.8 was updated to the Green ("published") edition on Tuesday June 21st, 2016.
(Below is a copy of most of the post from our website.)
SmartTiles now "Published": What is the "Blue edition"?
SmartTiles was officially "reviewed and published" by SmartThings in mid-April to prepare for the disablement of the shared OAuth install method.
SmartTiles does not appear in the App "Marketplace" yet, but can be installed using SmartTiles.click/install
- Users who installed prior to publication are actually still running against the shared OAuth edition/stream. We changed the icon and added a "-Blue" suffix to the version number. Blue edition users will receive new versions (like this v5.8) up to 3 weeks ahead of other users. More details in this Post.
Command calls all verified against device Tiles' Capabilities.
- In response to one of the concerns reported by security researchers, we made sure that only REST Endpoint calls (commands) which match the authorized Tile Capability type (e.g. lock/unlock, but not lock PIN code update...) are accepted by the SmartTiles SmartApp. In fact, only the Music Player Tile did not already have explicit command validation.
WeatherStation Tile scheduled refresh re-enabled.
- Since the SmartThings Scheduler has been stabilized, we have re-enabled periodic refreshes of the SmartWeatherStation Tile. Users had reported that the Tile often showed stale information.
Addition of a Tools Tile for links to special functions.
- It is no longer necessary to manually modify your dashboard URL with "css" or "list" to get web browser access to the Customize CSS and** Arrange Tiles (Tile Order)* functions. We have added a new Tools "..." Tile that will pop-up a menu of these functions *and more. It looks like this:
Password login sessions: Phasing out use of Access Tokens.
Use of the
access_token=parameter in the URL for SmartTiles dashboards has always been a great convenience that comes with a bit of security compromise.
We emphasize that users should not use or bookmark a tokenized URL on insecure devices. While folks avoid sending passwords in email, it is nearly as important to avoid sending tokenized URLs. We also remind users that they can invoke the "Revoke Access Token" function from the dashboard configuration
Preferences / Securitypage in the SmartThings App at anytime, and users can also choose to leave off the access_token from their URLs to force require an SmartThings login.
Out of an abundance of caution, particularly due to the recent extra attention and response to SmartThings security researchers, we decided it is best to completely phase out the ability to use OAuth access tokens with SmartTiles. Existing tokens will be automatically invalidated (revoked) within as little as a few days after the release of v5.8. We have worked closely with SmartThings (thanks, @slagle @jodyalbritton!) to come up with the most practical alternative way to authenticate dashboard access. Our options were limited by the SmartThings platform and the design of SmartTiles V5.
Instead of the
access_tokenbased URL, dashboards will be given a new format of URL that will automatically redirect through a SmartThings IDE Login webpage. Any userid (email) + password linked to the same Account as your Dashboard will be valid -- i.e., any login that is valid for the SmartThings native mobile App.
The unfortunate consequence of the elimination of access_token support is that you will no longer be able to share a dashboard without also creating or sharing a "Managed Account User"; i.e., an email and password. You may consider using a password manager (such as those built into your browser or an add-on like LastPass) to help make this a little less inconvenient.
The login session will remain active: (a) until you Logout (using the Tools Tile shown above), (b) until the browser exits, or (c) until the session times-out due to inactivity. We have no control over the longevity of login sessions and apologize for the burden this may impose. (SmartTiles V6 will have an independent external login mechanism with configurable extended login durations and secure login cookies, etc.. We're excited to provide these convenient features - and much, much more - in a few months!)
Please note that the login session for a SmartTiles Dashboard will have full IDE/API access (i.e., full "logged-in" permission to access everything under http://graph.api.smartthings.com or your equivalent shard. This is an ironic increase in permissions that we have made SmartThings (@slagle @dlieberman) aware of. Granular security by individual users on an Account is a long outstanding feature that we hope comes to SmartThings soon; in the meantime, we have built this function into SmartTiles V6.
Users will have to update their URLs, bookmarks, home screen and/or desktop shortcuts accordingly. The URL for the SmartTiles Launcher with parameters for your Dashboard will be provided in the usual way from within the
View Dashboard and URLpage in the SmartTiles SmartApp configuration and on the new Tools Tile as shown above.
The SmartTiles Launcher URL will look similar to this. This will be the new page that you bookmark, pin, or share...
@625alex and I thank-you for your continued support and love of SmartTiles!!!