Allow adding integration with master token alone

Let’s also hear from @KapJI and @Drakulix, maybe they have some thoughts on security and better practises 😃

Honestly, I think securely storing this information is a problem, that the home-assistant core has to solve. Many integrations including official ones do store sensitive secrets in there and there is no good way to encrypt them as an integration, that is not easily circumvented. Of course this is not an easy problem for the core to solve as well, but systems like home-assistant OS could at least offer disk-encryption? Anyway, in my opinion this is way out of our reach.

Was there any research onto getting other authentification flows to work? Obviously we would like to have a normal web-based authentification flow with a limited set of scopes. gmusicapi had a similar problem and stuck with the master_token approach, although simon-weber found a way to a web-based auth flow. The problem is just, that the token is stored in a cookie and not easy to extract.

I am not sure, if that approach even allows to limit scopes, but if we find any more secure solution, we should maybe write a tutorial and additionally offer people to sign in with a token instead. That way they can generate and extract a more secure one, instead of relying on our more convenient login procedure.

I think encrypting any data is meaningless because it should be decrypted by HA, and the decryption key must be stored somewhere where HA can access it. If someone has access to these files you’re pwned in any case, it doesn’t matter if they’re encrypted or not.

This is as far as I understand, also the reasoning behind why HA does not encrypt in the first place, which makes totally sense BTW.

And @Drakulix reply answered what i was gonna say 😆

But the cookie thing sounds interesting.

We can still support master token as an auth method, thou i dont think it’s a common use case and it’s not going to make it easier to authenticate or use the integration.

👍 from me.