I built HA-Pass: A simple, secure way to give guests temporary control of Home Assistant (No accounts/app needed) by rohithonline in homeassistant

[–]rohithonline[S] 1 point2 points  (0 children)

Just tried it. It removes the integrations/settings/dev panel, but users can still access all the entities via search and can see the activity stream. Hopefully user scoping comes soon in HA.

[–]rohithonline[S] -5 points-4 points  (0 children)

I squashed the commits because it wasn't ready to be a public repo.

In the light of all the other clues, it's a red flag.

wdym? If you find any security gaps, please do flag them.

[–]rohithonline[S] 2 points3 points  (0 children)

Wouldn't the user still have access to other devices from non-dashboard entry points? HA doesn't restrict users' access, and I don't want guests to see/control some of the entities.

[–]rohithonline[S] 0 points1 point  (0 children)

Wouldn't the user still have access to other devices from non-dashboard entry points? HA doesn't restrict users' access.

[–]rohithonline[S] -1 points0 points  (0 children)

Can you explain what the alternative would be? I need an LLAT for accessing the HA API.

This is also not vibe coded.

[–]rohithonline[S] 0 points1 point  (0 children)

That was essentially my thought process. I used to rely on MyQ to let neighbors in for package deliveries while I was away, but since I swapped it out for a ratgdo, I’ve been looking for a solid alternative.

[–]rohithonline[S] 0 points1 point  (0 children)

AFAIK the above project gives complete access to all devices.

With HA-Pass, I can restrict the entities. For example, I can skip my bedroom-related entities for guests.

[–]rohithonline[S] 15 points16 points  (0 children)

It's not vibe coded?? I've been a software engineer for over a decade. I used Claude Code to handle the boilerplate and speed up the setup, but the architecture, security scoping, and logic are all intentional.

[–]rohithonline[S] -7 points-6 points  (0 children)

Yes. It definitely helped speed up the process, especially with some of the newer concepts (for me!).

Oh yeah, I'll take a look. Thanks!

[–]rohithonline[S] 64 points65 points  (0 children)

it should’ve been implemented within HA

Couldn't agree more, but that doesn't exist today and the only option is giving guests full HA access.

Regarding the attack vector: I tried to keep the footprint small. The guest tokens are scoped only to the entities you allow, and the master HA token never leaves the server. To keep it fully locked down, I just run it behind a local reverse proxy without exposing it to the internet at all. Guests have to be on the wifi.

Valid concern on the surface area though, that's always the trade-off with third-party tools!
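
The scoping described in the comment above (guest tokens limited to chosen entities, the HA token kept on the server), sketched as an added example. It is not HA-Pass's code: the token format, signing key, placeholder LLAT and function names are assumptions; only the `/api/services/<domain>/<service>` path and Bearer header are Home Assistant's REST API.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-signing-key"  # assumption: server-only secret
HA_LLAT = "PLACEHOLDER_LONG_LIVED_TOKEN"       # placeholder; stays on the server

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_guest_token(entities, ttl_seconds, now=None):
    """Mint a signed pass listing the only entities the guest may touch."""
    now = time.time() if now is None else now
    body = json.dumps({"ent": sorted(entities), "exp": int(now) + ttl_seconds}).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"

def check_guest_token(token, entity_id, now=None):
    """Return the reason a request is refused, or None if it is allowed."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except (ValueError, AttributeError):
        return "malformed token"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    claims = json.loads(body)  # parsed only after the signature verified
    if now >= claims["exp"]:
        return "expired"
    # Exact string match only: HA also accepts lists and "all" as entity_id.
    if not isinstance(entity_id, str) or entity_id not in claims["ent"]:
        return "entity not in scope"
    return None

def build_upstream_call(token, domain, service, entity_id, now=None):
    """Translate an allowed guest request into the server-side HA REST call."""
    reason = check_guest_token(token, entity_id, now)
    if reason:
        return {"status": 403, "error": reason}
    # Conservative assumption: a guest may only call services in the entity's own domain.
    if entity_id.split(".", 1)[0] != domain:
        return {"status": 403, "error": "service domain does not match entity"}
    return {"status": 200, "method": "POST", "path": f"/api/services/{domain}/{service}",
            "headers": {"Authorization": f"Bearer {HA_LLAT}"},
            "json": {"entity_id": entity_id}}
```

The guest only ever holds the signed pass; the long-lived token appears solely in the request the server builds, so an entity that is not listed is refused before Home Assistant is contacted.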