Here I am again.
I have been looking into this as I feel, as Vaughn does, that some type of security needs to be implemented into the REST.API plugin.
With so many ways to complete this, we have to keep in mind that whatever we put in place on the server side has to be able to be implemented on the client side.
For example, any application that uses the rest plugin to communicate with OSA will have to be revised to implement the new security.
This would mainly include, but not be limited to: the Web UI Screens page and the mobile app.
So first, I looked into what it would take to move the Rest.API over to HTTPS.
Even though the development side would not be that difficult, it would put a strain on the end user, as they would have to know how to create a "Self Signed" certificate and know where and how to implement it on the rest port of the OSA server computer.
So now, I'm looking at encrypting the data manually using an API Key and a SALT vector that is only known by the user and the server.
The Rest plugin would have a new property that holds a 64 character randomly generated API key.
There is also a 16 character randomly generated "Salt" vector.
So, from the client side (Web UI Screens page, mobile app or my Alexa skill), before sending a REST command, the app would have to know 4 things:
1) The Rest API key
2) The Salt vector
3) The user name
4) The user password
First, the password is encrypted using the API key and the Salt vector.
Then the username is added to the end of the string.
Then, the whole string is encrypted again using the API key and the Salt vector.
Then the end resulting string is added to the end of the REST API URL.
For example: http://192.168.xxx.xxx:8732/api/kitchen ... 5iTmmwGzs=
So now the Rest API decrypts the last item using the same API key and the same salt vector.
From here the Rest API now knows the user name, and can look up the person object by name.
Then it can decrypt the password and see if it matches the object.
One big issue we must consider by doing any of this is:
You will no longer be able to run a REST request just using a browser, as the encryption would require coding.