v0.1.2

rusty4444 released this 18 May 21:30
· 5 commits to main since this release

What's Changed

Security

  • CSRF protection on /call_service endpoint (cross-site, host mismatch, Content-Type enforcement)
  • WiFi password redacted in /status unless both per-token and global options enable it
  • Guest secret on card changed to password field with reveal/hide, dismiss, and 60s auto-clear
  • TOCTOU fix: token validate + use-count increment now atomic under a single lock
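The TOCTOU item above, shown as an added example that is not the project's code: a single-use token whose validation and use-count increment are separate steps accepts every concurrent request, while holding one lock across both steps accepts exactly one. The class names, the use of `asyncio.Lock`, and the awaited check between validation and increment are assumptions made for illustration.

```python
import asyncio

class GuestToken:
    """Constructed stand-in for a limited-use guest token (hypothetical class)."""
    def __init__(self, max_uses):
        self.max_uses = max_uses
        self.use_count = 0

async def slow_secret_check():
    # Stand-in for an awaited hash comparison; it yields to the event loop.
    await asyncio.sleep(0)
    return True

class RacyStore:
    """Check and increment are separate steps with an await between them."""
    def __init__(self, token):
        self.token = token

    async def consume(self):
        if self.token.use_count >= self.token.max_uses:  # time of check
            return False
        if not await slow_secret_check():                # other tasks run here
            return False
        self.token.use_count += 1                        # time of use
        return True

class AtomicStore(RacyStore):
    """Validate and increment under one lock, so no task sees a stale count."""
    def __init__(self, token):
        super().__init__(token)
        self._lock = asyncio.Lock()

    async def consume(self):
        async with self._lock:
            return await super().consume()

async def accepted(store_cls, max_uses=1, requests=10):
    # Fire concurrent requests at one token and count how many are accepted.
    store = store_cls(GuestToken(max_uses))
    results = await asyncio.gather(*(store.consume() for _ in range(requests)))
    return sum(results)

def run(store_cls, **kw):
    return asyncio.run(accepted(store_cls, **kw))

if __name__ == "__main__":
    print("racy store accepted:", run(RacyStore))
    print("atomic store accepted:", run(AtomicStore))
```
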

Fixed

  • Guest URL now uses proxy bind host+port instead of HA UI port (8123)
  • GuestModeManager properly cancels auto-disable timer on shutdown
  • async_revoke_all accepts source filter so guest mode doesn't revoke admin tokens
  • Safe-state overrides map values to real service names (e.g. locked → lock)
  • Safe-state no-op path skips service calls entirely when no overrides exist
  • Sensor/binary_sensor coordinator-missing path now logs at ERROR level
  • Dead SHA-256 fallback removed; bcrypt is a hard requirement
  • Explicit imports throughout

Changed

  • Lovelace card split into dedicated repo: rusty4444/gatekeeper-card
  • State keyed by entry.entry_id for correct multi-entry teardown

Added

  • Tests for auth proxy, safe-state, and guest mode (33 passing)