@homebridge-wyze-node24/homebridge-wyze-node24 1.1.0 → 1.1.2

package/config.schema.json

@@ -16,30 +16,43 @@
       },
       "username": {
         "title": "Username (E-Mail Address)",
-        "description": "The e-mail address used for your Wyze account",
+        "description": "The e-mail address used for your Wyze account. You can also set WYZE_USERNAME env var or use secretsFile.",
         "type": "string",
         "default": "",
         "required": true
       },
       "password": {
         "title": "Password",
-        "description": "The password used for your Wyze account",
+        "description": "The password used for your Wyze account. You can also set WYZE_PASSWORD env var or use secretsFile.",
         "type": "string",
+        "format": "password",
         "default": "",
         "required": true
       },
       "keyId": {
         "title": "Key ID",
-        "description": "API Key/ID available from the official Wyze Portal https://developer-api-console.wyze.com",
+        "description": "API Key/ID available from the official Wyze Portal https://developer-api-console.wyze.com. You can also set WYZE_KEY_ID env var or use secretsFile.",
         "type": "string",
+        "format": "password",
         "required": true
       },
       "apiKey": {
         "title": "API Key",
-        "description": "API Key/ID available from the official Wyze Portal https://developer-api-console.wyze.com/)",
+        "description": "API Key/ID available from the official Wyze Portal https://developer-api-console.wyze.com. You can also set WYZE_API_KEY env var or use secretsFile.",
         "type": "string",
+        "format": "password",
         "required": true
       },
+      "secretsFile": {
+        "title": "Secrets file path (optional)",
+        "description": "Path to a local JSON file containing secrets (e.g., username/password/apiKey/etc). File must be chmod 600 (owner-only) or the plugin will refuse to start.",
+        "type": "string",
+        "default": "",
+        "required": false,
+        "condition": {
+          "functionBody": "return model.showAdvancedOptions === true;"
+        }
+      },
       "refreshInterval": {
         "title": "Refresh Interval",
         "description": "Specify the number of milliseconds to wait between updates, default is 60000 ms (60 seconds)",
@@ -63,7 +76,7 @@
       },
       "apiLogEnabled": {
         "title": "Enable API logging",
-        "description": "",
+        "description": "WARNING: may log request/response details from upstream libraries. Keep OFF unless you understand the risk.",
         "type": "boolean",
         "default": false,
         "condition": {
@@ -79,6 +92,15 @@
           "functionBody": "return model.showAdvancedOptions === true;"
         }
       },
+      "dangerouslyAllowCustomBaseUrls": {
+        "title": "Dangerously allow custom API base URLs",
+        "description": "SECURITY WARNING: If enabled, the plugin will accept authBaseUrl/apiBaseUrl overrides. This can enable SSRF and credential exfiltration. Only enable if you know exactly what you're doing.",
+        "type": "boolean",
+        "default": false,
+        "condition": {
+          "functionBody": "return model.showAdvancedOptions === true;"
+        }
+      },
       "lowBatteryPercentage": {
         "title": "Low Battery Percentage",
         "description": "Specify the Percentage of battery when consider low, default is 30%",
@@ -204,4 +226,4 @@
   },
   "form": null,
   "display": null
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@homebridge-wyze-node24/homebridge-wyze-node24",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Wyze Smart Home plugin for Homebridge compatible with Node.JS 24",
   "license": "MIT",
   "type": "commonjs",

package/src/WyzeSmartHome.js

@@ -3,6 +3,13 @@ const { OutdoorPlugModels, PlugModels, CommonModels, CameraModels, LeakSensorMod
   TemperatureHumidityModels, LockModels, MotionSensorModels, ContactSensorModels, LightModels,
   LightStripModels, MeshLightModels, ThermostatModels, S1GatewayModels } = require('./enums')
 
+const {
+  getValidatedBaseUrls,
+  resolveSecrets,
+  sanitizeDeviceName,
+  wrapLogger
+} = require('./security')
+
 const WyzeAPI = require('wyze-api') // Uncomment for Release
 //const WyzeAPI = require('./wyze-api/src') // Comment for Release
 const WyzePlug = require('./accessories/WyzePlug')
@@ -29,8 +36,8 @@ function delay(ms) {
 
 module.exports = class WyzeSmartHome {
   constructor(log, config, api) {
-    this.log = log
-    this.config = config
+    this.log = wrapLogger(log)
+    this.config = resolveSecrets(config || {}, this.log)
     this.api = api
     this.client = this.getClient()
 
@@ -44,6 +51,8 @@ module.exports = class WyzeSmartHome {
   }
 
   getClient() {
+    const { authBaseUrl, apiBaseUrl } = getValidatedBaseUrls(this.config, this.log)
+
     return new WyzeAPI({
       // User login parameters
       username: this.config.username,
@@ -57,9 +66,9 @@ module.exports = class WyzeSmartHome {
       lowBatteryPercentage: this.config.lowBatteryPercentage,
       //Storage Path
       persistPath: homebridge.user.persistPath(),
-      //URLs
-      authBaseUrl: this.config.authBaseUrl,
-      apiBaseUrl: this.config.apiBaseUrl,
+      //URLs (strictly validated)
+      authBaseUrl,
+      apiBaseUrl,
       // App emulation constants
       authApiKey: this.config.authApiKey,
       phoneId: this.config.phoneId,
@@ -83,14 +92,24 @@ module.exports = class WyzeSmartHome {
   }
 
   async runLoop() {
-    const interval = this.config.refreshInterval || DEFAULT_REFRESH_INTERVAL
+    const baseInterval = this.config.refreshInterval || DEFAULT_REFRESH_INTERVAL
+    let failures = 0
+
     // eslint-disable-next-line no-constant-condition
     while (true) {
       try {
         await this.refreshDevices()
-      } catch (e) { }
+        failures = 0
+      } catch (e) {
+        failures += 1
+        const message = e?.message || String(e)
+        this.log.error(`Refresh loop error: ${message}`)
+      }
 
-      await delay(interval)
+      // simple backoff to avoid noisy retry loops on auth/network failures
+      const backoffMultiplier = Math.min(6, failures) // caps at 64x
+      const delayMs = baseInterval * (failures === 0 ? 1 : Math.pow(2, backoffMultiplier))
+      await delay(delayMs)
     }
   }
 
@@ -102,10 +121,10 @@ module.exports = class WyzeSmartHome {
       const timestamp = objectList.ts
       const devices = objectList.data.device_list
 
-      if (this.config.pluginLoggingEnabled) this.log(`Found ${devices.length} device(s)`)
+      if (this.config.pluginLoggingEnabled) this.log(`Found ${devices.length} device(s)`) 
       await this.loadDevices(devices, timestamp)
     } catch (e) {
-      this.log.error(`Error getting devices: ${e}`)
+      this.log.error(`Error getting devices: ${e?.message || e}`)
       throw e
     }
   }
@@ -122,7 +141,7 @@ module.exports = class WyzeSmartHome {
 
     const removedAccessories = this.accessories.filter(a => !foundAccessories.includes(a))
     if (removedAccessories.length > 0) {
-      if (this.config.pluginLoggingEnabled) this.log(`Removing ${removedAccessories.length} device(s)`)
+      if (this.config.pluginLoggingEnabled) this.log(`Removing ${removedAccessories.length} device(s)`) 
       const removedHomeKitAccessories = removedAccessories.map(a => a.homeKitAccessory)
       this.api.unregisterPlatformAccessories(PLUGIN_NAME, PLATFORM_NAME, removedHomeKitAccessories)
     }
@@ -131,28 +150,30 @@ module.exports = class WyzeSmartHome {
   }
 
   async loadDevice(device, timestamp) {
-    const accessoryClass = this.getAccessoryClass(device.product_type, device.product_model, device.mac, device.nickname)
+    const safeNickname = sanitizeDeviceName(device.nickname)
+
+    const accessoryClass = this.getAccessoryClass(device.product_type, device.product_model, device.mac, safeNickname)
     if (!accessoryClass) {
-      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Unsupported device type: (Name: ${device.nickname}) (MAC: ${device.mac}) (Model: ${device.product_model})`)
+      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Unsupported device type: (Name: ${safeNickname}) (MAC: ${device.mac}) (Model: ${device.product_model})`)
       return
     }
     else if (this.config.filterByMacAddressList?.find(d => d === device.mac) || this.config.filterDeviceTypeList?.find(d => d === device.product_type)) {
-      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Ignoring (${device.nickname}) (MAC: ${device.mac}) because it is in the Ignore Device list`)
+      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Ignoring (${safeNickname}) (MAC: ${device.mac}) because it is in the Ignore Device list`)
       return
     }
     else if (device.product_type == 'S1Gateway' && this.config.hms == false) {
-      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Ignoring (${device.nickname}) (MAC: ${device.mac}) because it is not enabled`)
+      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Ignoring (${safeNickname}) (MAC: ${device.mac}) because it is not enabled`)
       return
     }
 
 
     let accessory = this.accessories.find(a => a.matches(device))
     if (!accessory) {
-      const homeKitAccessory = this.createHomeKitAccessory(device)
+      const homeKitAccessory = this.createHomeKitAccessory(device, safeNickname)
       accessory = new accessoryClass(this, homeKitAccessory)
       this.accessories.push(accessory)
     } else {
-      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Loading accessory from cache ${device.nickname} (MAC: ${device.mac})`)
+      if (this.config.pluginLoggingEnabled) this.log(`[${device.product_type}] Loading accessory from cache ${safeNickname} (MAC: ${device.mac})`)
     }
     accessory.update(device, timestamp)
 
@@ -192,16 +213,16 @@ module.exports = class WyzeSmartHome {
     }
   }
 
-  createHomeKitAccessory(device) {
+  createHomeKitAccessory(device, safeNickname) {
     const uuid = UUIDGen.generate(device.mac)
 
-    const homeKitAccessory = new Accessory(device.nickname, uuid)
+    const homeKitAccessory = new Accessory(safeNickname, uuid)
 
     homeKitAccessory.context = {
       mac: device.mac,
       product_type: device.product_type,
       product_model: device.product_model,
-      nickname: device.nickname
+      nickname: safeNickname
     }
 
     this.api.registerPlatformAccessories(PLUGIN_NAME, PLATFORM_NAME, [homeKitAccessory])
@@ -224,7 +245,8 @@ module.exports = class WyzeSmartHome {
       try {
         this.api.unregisterPlatformAccessories(PLUGIN_NAME, PLATFORM_NAME, [homeKitAccessory])
       } catch (error) {
-        this.log.error(`Error removing accessory ${homeKitAccessory.context.nickname} (MAC: ${homeKitAccessory.context.mac}) : ${error}`)
+        const safeName = sanitizeDeviceName(homeKitAccessory.context.nickname)
+        this.log.error(`Error removing accessory ${safeName} (MAC: ${homeKitAccessory.context.mac}) : ${error?.message || error}`)
       }
     }
   }

package/src/accessories/WyzeAccessory.js

@@ -1,4 +1,5 @@
 const { Service, Characteristic } = require("../types");
+const { sanitizeDeviceName } = require("../security");
 
 // Responses from the Wyze API can lag a little after a new value is set
 const UPDATE_THROTTLE_MS = 1000;
@@ -33,6 +34,7 @@ module.exports = class WyzeAccessory {
 
   async update(device, timestamp) {
     const productType = device.product_type;
+    const safeNickname = sanitizeDeviceName(device.nickname);
 
     switch (productType) {
       default:
@@ -40,14 +42,14 @@ module.exports = class WyzeAccessory {
           mac: device.mac,
           product_type: device.product_type,
           product_model: device.product_model,
-          nickname: device.nickname,
+          nickname: safeNickname,
         };
         break;
     }
 
     this.homeKitAccessory
       .getService(Service.AccessoryInformation)
-      .updateCharacteristic(Characteristic.Name, device.nickname)
+      .updateCharacteristic(Characteristic.Name, safeNickname)
       .updateCharacteristic(Characteristic.Manufacturer, "Wyze")
       .updateCharacteristic(Characteristic.Model, device.product_model)
       .updateCharacteristic(Characteristic.SerialNumber, device.mac)
@@ -82,4 +84,4 @@ module.exports = class WyzeAccessory {
   sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms * 1000));
   }
-};
+};

package/src/accessories/WyzeMeshLight.js

@@ -81,7 +81,12 @@ module.exports = class WyzeMeshLight extends WyzeAccessory {
     ) {
       return true;
     } else {
-      this.plugin.log(`Encountered invalid property value: ${JSON.stringify(property, null, 2)}`);
+      // Avoid logging raw API objects; they can contain device IDs / other sensitive fields.
+      if (this.plugin.config.pluginLoggingEnabled) {
+        this.plugin.log(
+          `Encountered invalid property value (pid=${property?.pid}, value=${String(property?.value)})`
+        );
+      }
       return false;
     }
   }
@@ -288,4 +293,4 @@ module.exports = class WyzeMeshLight extends WyzeAccessory {
       }
     }
   }
-};
+};

package/src/security.js

@@ -0,0 +1,262 @@
+const fs = require('fs')
+const net = require('net')
+
+const DEFAULT_AUTH_BASE_URL = 'https://auth-prod.api.wyze.com'
+const DEFAULT_API_BASE_URL = 'https://api.wyzecam.com'
+
+const WYZE_ALLOWED_HOSTNAMES = new Set([
+  new URL(DEFAULT_AUTH_BASE_URL).hostname,
+  new URL(DEFAULT_API_BASE_URL).hostname
+])
+
+const SECRET_KEYS = [
+  'username',
+  'password',
+  'mfaCode',
+  'keyId',
+  'apiKey',
+  'authApiKey',
+  'phoneId',
+  'appName',
+  'appVer',
+  'appVersion',
+  'userAgent',
+  'sc',
+  'sv',
+  'fordAppKey',
+  'fordAppSecret',
+  'oliveSigningSecret',
+  'oliveAppId',
+  'appInfo'
+]
+
+const ENV_MAP = {
+  username: 'WYZE_USERNAME',
+  password: 'WYZE_PASSWORD',
+  mfaCode: 'WYZE_MFA_CODE',
+  keyId: 'WYZE_KEY_ID',
+  apiKey: 'WYZE_API_KEY',
+  authApiKey: 'WYZE_AUTH_API_KEY',
+  phoneId: 'WYZE_PHONE_ID',
+  appName: 'WYZE_APP_NAME',
+  appVer: 'WYZE_APP_VER',
+  appVersion: 'WYZE_APP_VERSION',
+  userAgent: 'WYZE_USER_AGENT',
+  sc: 'WYZE_SC',
+  sv: 'WYZE_SV',
+  fordAppKey: 'WYZE_FORD_APP_KEY',
+  fordAppSecret: 'WYZE_FORD_APP_SECRET',
+  oliveSigningSecret: 'WYZE_OLIVE_SIGNING_SECRET',
+  oliveAppId: 'WYZE_OLIVE_APP_ID',
+  appInfo: 'WYZE_APP_INFO'
+}
+
+function stripControlChars(input) {
+  return String(input)
+    .replace(/[\r\n\t]+/g, ' ')
+    .replace(/[\u0000-\u001F\u007F]/g, '')
+}
+
+function boundLength(input, maxLen) {
+  const s = String(input)
+  if (s.length <= maxLen) return s
+  return s.slice(0, maxLen) + '…'
+}
+
+function redactMacs(str) {
+  return str.replace(/\b([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b/g, (mac) => {
+    const parts = mac.split(':')
+    return 'xx:xx:xx:xx:xx:' + parts[5]
+  })
+}
+
+function redactBearerTokens(str) {
+  return str.replace(/\bBearer\s+[-._~+/0-9a-zA-Z]+=*\b/g, 'Bearer [REDACTED]')
+}
+
+function redactKeyValueSecrets(str) {
+  const keys = [
+    'password',
+    'apiKey',
+    'keyId',
+    'access_token',
+    'refresh_token',
+    'accessToken',
+    'refreshToken',
+    'authorization',
+    'fordAppSecret',
+    'fordAppKey',
+    'oliveSigningSecret',
+    'oliveAppId',
+    'authApiKey'
+  ]
+
+  const keyGroup = keys.map(k => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|')
+
+  // Covers JSON-ish and plain logs like `password: ...` or `"password":"..."`
+  const re = new RegExp(`(\\b(?:${keyGroup})\\b"?\\s*[:=]\\s*)("?)([^"\\s,}]+)("?)`, 'gi')
+  return str.replace(re, (_m, prefix) => `${prefix}[REDACTED]`)
+}
+
+function sanitizeLogMessage(input) {
+  let s = stripControlChars(input)
+  s = redactBearerTokens(s)
+  s = redactKeyValueSecrets(s)
+  s = redactMacs(s)
+  return boundLength(s, 2000)
+}
+
+function sanitizeDeviceName(name) {
+  return boundLength(stripControlChars(name).trim(), 64) || 'Wyze Device'
+}
+
+function wrapLogger(log) {
+  const callLevel = (level, args) => {
+    const sanitizedArgs = args.map(sanitizeLogMessage)
+
+    if (log && typeof log[level] === 'function') {
+      return log[level](...sanitizedArgs)
+    }
+
+    if (typeof log === 'function') {
+      return log(...sanitizedArgs)
+    }
+  }
+
+  const wrapped = (...args) => callLevel('info', args)
+
+  for (const level of ['error', 'warn', 'info', 'debug']) {
+    wrapped[level] = (...args) => callLevel(level, args)
+  }
+
+  return wrapped
+}
+
+function loadSecretsFromFile(secretsFile, log) {
+  const stat = fs.statSync(secretsFile)
+  // Must not be readable/writable by group/others
+  if ((stat.mode & 0o077) !== 0) {
+    throw new Error(
+      `Secrets file permissions too open: ${secretsFile}. ` +
+        'Set mode to 600 (owner read/write only).'
+    )
+  }
+
+  const raw = fs.readFileSync(secretsFile, 'utf8')
+  const parsed = JSON.parse(raw)
+  return parsed && typeof parsed === 'object' ? parsed : {}
+}
+
+function resolveSecrets(config, log) {
+  const merged = { ...config }
+
+  if (config?.secretsFile) {
+    try {
+      const fromFile = loadSecretsFromFile(config.secretsFile, log)
+      for (const k of SECRET_KEYS) {
+        if (fromFile[k] != null && fromFile[k] !== '') merged[k] = fromFile[k]
+      }
+      log('Loaded secrets from secretsFile')
+    } catch (e) {
+      // Refuse to start: this prevents accidentally using a world-readable secrets file.
+      log.error(`Failed to load secretsFile: ${e?.message || e}`)
+      throw e
+    }
+  }
+
+  for (const [key, envName] of Object.entries(ENV_MAP)) {
+    const v = process.env[envName]
+    if (v == null || v === '') continue
+
+    if (key === 'appInfo') {
+      try {
+        merged.appInfo = JSON.parse(v)
+      } catch {
+        merged.appInfo = v
+      }
+      continue
+    }
+
+    merged[key] = v
+  }
+
+  return merged
+}
+
+function isIpLiteral(hostname) {
+  return net.isIP(hostname) !== 0
+}
+
+function isClearlyLocalHostname(hostname) {
+  const lower = String(hostname).toLowerCase()
+  return (
+    lower === 'localhost' ||
+    lower.endsWith('.localhost') ||
+    lower.endsWith('.local')
+  )
+}
+
+function validateBaseUrl(urlString) {
+  const u = new URL(urlString)
+  if (u.protocol !== 'https:') {
+    throw new Error(`Base URL must use https: ${urlString}`)
+  }
+  if (isIpLiteral(u.hostname)) {
+    throw new Error(`IP literals are not allowed in base URLs: ${urlString}`)
+  }
+  if (isClearlyLocalHostname(u.hostname)) {
+    throw new Error(`Local hostnames are not allowed in base URLs: ${urlString}`)
+  }
+  return u
+}
+
+function getValidatedBaseUrls(config, log) {
+  const hasCustom = Boolean(config?.authBaseUrl || config?.apiBaseUrl)
+  const allowCustom = Boolean(config?.dangerouslyAllowCustomBaseUrls)
+
+  if (hasCustom && !allowCustom) {
+    log.error(
+      'Custom authBaseUrl/apiBaseUrl are ignored for security. ' +
+        'If you understand the risks and still want this, set dangerouslyAllowCustomBaseUrls=true.'
+    )
+    return {
+      authBaseUrl: DEFAULT_AUTH_BASE_URL,
+      apiBaseUrl: DEFAULT_API_BASE_URL
+    }
+  }
+
+  if (!hasCustom) {
+    return {
+      authBaseUrl: DEFAULT_AUTH_BASE_URL,
+      apiBaseUrl: DEFAULT_API_BASE_URL
+    }
+  }
+
+  // Custom base URLs only when explicitly opted-in.
+  const authUrl = config.authBaseUrl ? validateBaseUrl(config.authBaseUrl) : new URL(DEFAULT_AUTH_BASE_URL)
+  const apiUrl = config.apiBaseUrl ? validateBaseUrl(config.apiBaseUrl) : new URL(DEFAULT_API_BASE_URL)
+
+  // Even when opted-in, refuse non-Wyze hosts by default.
+  // This keeps the escape-hatch useful for path tweaks, but blocks credential exfiltration/SSRF.
+  if (!WYZE_ALLOWED_HOSTNAMES.has(authUrl.hostname) || !WYZE_ALLOWED_HOSTNAMES.has(apiUrl.hostname)) {
+    throw new Error(
+      `Custom base URL hostnames must be one of: ${Array.from(WYZE_ALLOWED_HOSTNAMES).join(', ')}. ` +
+        'Refusing to start.'
+    )
+  }
+
+  return {
+    authBaseUrl: authUrl.toString().replace(/\/+$/, ''),
+    apiBaseUrl: apiUrl.toString().replace(/\/+$/, '')
+  }
+}
+
+module.exports = {
+  DEFAULT_AUTH_BASE_URL,
+  DEFAULT_API_BASE_URL,
+  sanitizeLogMessage,
+  sanitizeDeviceName,
+  wrapLogger,
+  resolveSecrets,
+  getValidatedBaseUrls
+}