Stop requiring home-assistant authentication for meraki #34752

jbergler · 2020-04-27T02:20:56Z

Breaking change

None

Proposed change

The Meraki Scanning API is configured with a shared secret that are part of every request the Meraki Cloud makes to configured receivers.

As such we can allow requests to this integration to go without authentication by homeassistant.

It's worth noting that the GET method returns a static value that should not be considered a secret and thus it is ok not to be protected. Validation serves to ensure that the receiver you are configuring in the Meraki Dashboard is ready to receive requests.

This change also refactors the secret validation logic slightly to improve readability.

Type of change

Dependency upgrade
Bugfix (non-breaking change which fixes an issue)
New integration (thank you!)
New feature (which adds functionality to an existing integration)
Breaking change (fix/feature causing existing functionality to break)
Code quality improvements to existing code or addition of tests

Additional information

This PR fixes or closes issue:
This PR is related to issue:
Link to documentation pull request: device_tracker/meraki, update docs home-assistant.io#13187

Checklist

The code change is tested and works locally.
Local tests pass. Your PR cannot be merged unless tests pass
There is no commented out code in this PR.
I have followed the [development checklist][dev-checklist]
The code has been formatted using Black (black --fast homeassistant tests)
Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

Documentation added/updated for [www.home-assistant.io][docs-repository]

If the code communicates with devices, web services, or third-party tools:

The [manifest file][manifest-docs] has all fields filled out correctly.
Updated and included derived files by running: python3 -m script.hassfest.
[] New or updated dependencies have been added to requirements_all.txt.
Updated by running python3 -m script.gen_requirements_all.
Untested files have been added to .coveragerc.

The integration reached or maintains the following [Integration Quality Scale][quality-scale]:

No score or internal
🥈 Silver
🥇 Gold
🏆 Platinum

The Meraki Scanning API is configured with a shared secret that are part of every request the Meraki Cloud makes to configured receivers. As such we can allow requests to this integration to go without authentication by homeassistant. It's worth noting that the GET method returns a static value that should not be considered a secret and thus it is ok not to be protected. Validation serves to ensure that the receiver you are configuring in the Meraki Dashboard is ready to receive requests. This change also refactors the secret validation logic slightly to improve readability.

jbergler · 2020-05-09T04:34:58Z

In my travels since opening this PR, I stumbled across a conversation here #15376 (comment) which suggests that the meraki implementation should switch to the webhook api's.

I haven't been able to find good documentation, but (at least superficially) it would seem that this approach does the same thing the webhook component does (disable api auth)

stale · 2020-06-09T04:35:42Z

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days.
Thank you for your contributions.

ironslow · 2020-06-09T17:40:22Z

When this PR will be merged ? I already integrate the change on my setup in a custom component but I would prefer to have it integrate officially.

MartinHjelmare · 2020-06-10T10:58:56Z