uiprotect 7.5.2__py3-none-any.whl → 7.32.0__py3-none-any.whl

uiprotect/api.py

@@ -14,9 +14,9 @@ from datetime import datetime, timedelta
 from functools import partial
 from http import HTTPStatus, cookies
 from http.cookies import Morsel, SimpleCookie
-from ipaddress import IPv4Address, IPv6Address
+from ipaddress import IPv4Address, IPv6Address, ip_address
 from pathlib import Path
-from typing import Any, Literal, cast
+from typing import Any, Literal, TypedDict, cast
 from urllib.parse import SplitResult
 
 import aiofiles
@@ -27,7 +27,10 @@ from aiohttp import CookieJar, client_exceptions
 from platformdirs import user_cache_dir, user_config_dir
 from yarl import URL
 
+from uiprotect.data.base import ProtectBaseObject
 from uiprotect.data.convert import list_from_unifi_list
+from uiprotect.data.devices import LightDeviceSettings, LightModeSettings
+from uiprotect.data.nvr import MetaInfo
 from uiprotect.data.user import Keyring, Keyrings, UlpUser, UlpUsers
 
 from ._compat import cached_property
@@ -52,6 +55,7 @@ from .data import (
     SmartDetectTrack,
     Version,
     Viewer,
+    WSAction,
     WSPacket,
     WSSubscriptionMessage,
     create_from_unifi_dict,
@@ -62,8 +66,10 @@ from .data.types import IteratorCallback, ProgressCallback
 from .exceptions import BadRequest, NotAuthorized, NvrError
 from .utils import (
     decode_token_cookie,
+    format_host_for_url,
     get_response_reason,
     ip_from_host,
+    pybool_to_json_bool,
     set_debug,
     to_js_time,
     utc_now,
@@ -75,16 +81,23 @@ if "partitioned" not in cookies.Morsel._reserved:  # type: ignore[attr-defined]
     cookies.Morsel._reserved["partitioned"] = "partitioned"  # type: ignore[attr-defined]
     cookies.Morsel._flags.add("partitioned")  # type: ignore[attr-defined]
 
+
+class LightPatchRequest(TypedDict, total=False):
+    """Type for PATCH /v1/lights/{id} request body."""
+
+    name: str
+    isLightForceEnabled: bool
+    lightModeSettings: dict[str, Any]
+    lightDeviceSettings: dict[str, Any]
+
+
 TOKEN_COOKIE_MAX_EXP_SECONDS = 60
 
 # how many seconds before the bootstrap is refreshed from Protect
 DEVICE_UPDATE_INTERVAL = 900
 # retry timeout for thumbnails/heatmaps
 RETRY_TIMEOUT = 10
-PROTECT_APT_URLS = [
-    "https://apt.artifacts.ui.com/dists/stretch/release/binary-arm64/Packages",
-    "https://apt.artifacts.ui.com/dists/bullseye/release/binary-arm64/Packages",
-]
+
 TYPES_BUG_MESSAGE = """There is currently a bug in UniFi Protect that makes `start` / `end` not work if `types` is not provided. This means uiprotect has to iterate over all of the events matching the filters provided to return values.
 
 If your Protect instance has a lot of events, this request will take much longer then expected. It is recommended adding additional filters to speed the request up."""
@@ -158,11 +171,52 @@ def get_user_hash(host: str, username: str) -> str:
     return session.hexdigest()
 
 
+class RTSPSStreams(ProtectBaseObject):
+    """RTSPS stream URLs for a camera."""
+
+    model_config = {"extra": "allow"}
+    # Intentionally no variables like 'high', 'medium', 'low' are defined here.
+    # The API naming appears inconsistent - what's called "quality" might actually be "channels".
+    # Besides standard qualities (high/medium/low), there are special cases like "package" for doorbells
+    # and unclear implementation for 180° cameras with dual sensors. Dynamic handling via __pydantic_extra__ is safer.
+
+    def get_stream_url(self, quality: str) -> str | None:
+        """Get stream URL for a specific quality level."""
+        return getattr(self, quality, None)
+
+    def get_available_stream_qualities(self) -> list[str]:
+        """Get list of available RTSPS stream quality levels (including inactive ones with null values)."""
+        if self.__pydantic_extra__ is None:
+            return []
+        return list(self.__pydantic_extra__.keys())
+
+    def get_active_stream_qualities(self) -> list[str]:
+        """Get list of currently active RTSPS stream quality levels (only those with stream URLs)."""
+        if self.__pydantic_extra__ is None:
+            return []
+        return [
+            key
+            for key, value in self.__pydantic_extra__.items()
+            if isinstance(value, str) and value is not None
+        ]
+
+    def get_inactive_stream_qualities(self) -> list[str]:
+        """Get list of inactive RTSPS stream quality levels (supported but not currently active)."""
+        if self.__pydantic_extra__ is None:
+            return []
+        return [
+            key
+            for key, value in self.__pydantic_extra__.items()
+            if not (isinstance(value, str) and value is not None)
+        ]
+
+
 class BaseApiClient:
     _host: str
     _port: int
     _username: str
     _password: str
+    _api_key: str | None = None
     _verify_ssl: bool
     _ws_timeout: int
 
@@ -170,14 +224,20 @@ class BaseApiClient:
     _last_token_cookie: Morsel[str] | None = None
     _last_token_cookie_decode: dict[str, Any] | None = None
     _session: aiohttp.ClientSession | None = None
+    _public_api_session: aiohttp.ClientSession | None = None
     _loaded_session: bool = False
     _cookiename = "TOKEN"
 
     headers: dict[str, str] | None = None
-    _websocket: Websocket | None = None
+    _private_websocket: Websocket | None = None
+    _events_websocket: Websocket | None = None
+    _devices_websocket: Websocket | None = None
 
-    api_path: str = "/proxy/protect/api/"
-    ws_path: str = "/proxy/protect/ws/updates"
+    private_api_path: str = "/proxy/protect/api/"
+    public_api_path: str = "/proxy/protect/integration"
+    private_ws_path: str = "/proxy/protect/ws/updates"
+    events_ws_path: str = "/proxy/protect/integration/v1/subscribe/events"
+    devices_ws_path: str = "/proxy/protect/integration/v1/subscribe/devices"
 
     cache_dir: Path
     config_dir: Path
@@ -189,8 +249,10 @@ class BaseApiClient:
         port: int,
         username: str,
         password: str,
+        api_key: str | None = None,
         verify_ssl: bool = True,
         session: aiohttp.ClientSession | None = None,
+        public_api_session: aiohttp.ClientSession | None = None,
         ws_timeout: int = 30,
         cache_dir: Path | None = None,
         config_dir: Path | None = None,
@@ -203,6 +265,7 @@ class BaseApiClient:
 
         self._username = username
         self._password = password
+        self._api_key = api_key
         self._verify_ssl = verify_ssl
         self._ws_timeout = ws_timeout
         self._ws_receive_timeout = ws_receive_timeout
@@ -216,6 +279,9 @@ class BaseApiClient:
         if session is not None:
             self._session = session
 
+        if public_api_session is not None:
+            self._public_api_session = public_api_session
+
         self._update_url()
 
     def _update_cookiename(self, cookie: SimpleCookie) -> None:
@@ -224,12 +290,26 @@ class BaseApiClient:
 
     def _update_url(self) -> None:
         """Updates the url after changing _host or _port."""
+        formatted_host = format_host_for_url(self._host)
+
         if self._port != 443:
-            self._url = URL(f"https://{self._host}:{self._port}")
-            self._ws_url = URL(f"wss://{self._host}:{self._port}{self.ws_path}")
+            self._url = URL(f"https://{formatted_host}:{self._port}")
+            self._ws_url = URL(
+                f"wss://{formatted_host}:{self._port}{self.private_ws_path}"
+            )
+            self._events_ws_url = URL(
+                f"https://{formatted_host}:{self._port}{self.events_ws_path}"
+            )
+            self._devices_ws_url = URL(
+                f"https://{formatted_host}:{self._port}{self.devices_ws_path}"
+            )
         else:
-            self._url = URL(f"https://{self._host}")
-            self._ws_url = URL(f"wss://{self._host}{self.ws_path}")
+            self._url = URL(f"https://{formatted_host}")
+            self._ws_url = URL(f"wss://{formatted_host}{self.private_ws_path}")
+            self._events_ws_url = URL(f"https://{formatted_host}{self.events_ws_path}")
+            self._devices_ws_url = URL(
+                f"https://{formatted_host}{self.devices_ws_path}"
+            )
 
         self.base_url = str(self._url)
 
@@ -245,6 +325,16 @@ class BaseApiClient:
         """Get Websocket URL."""
         return str(self._ws_url_object)
 
+    @property
+    def events_ws_url(self) -> str:
+        """Get Events Websocket URL."""
+        return str(self._events_ws_url)
+
+    @property
+    def devices_ws_url(self) -> str:
+        """Get Devices Websocket URL."""
+        return str(self._devices_ws_url)
+
     @property
     def config_file(self) -> Path:
         return self.config_dir / "unifi_protect.json"
@@ -259,6 +349,15 @@ class BaseApiClient:
 
         return self._session
 
+    async def get_public_api_session(self) -> aiohttp.ClientSession:
+        """Gets or creates current public API client session"""
+        if self._public_api_session is None or self._public_api_session.closed:
+            if self._public_api_session is not None and self._public_api_session.closed:
+                _LOGGER.debug("Public API session was closed, creating a new one")
+            self._public_api_session = aiohttp.ClientSession()
+
+        return self._public_api_session
+
     async def _auth_websocket(self, force: bool) -> dict[str, str] | None:
         """Authenticate for Websocket."""
         if force:
@@ -271,10 +370,19 @@ class BaseApiClient:
         await self.ensure_authenticated()
         return self.headers
 
+    async def _auth_public_api_websocket(
+        self, force: bool = False
+    ) -> dict[str, str] | None:
+        """Authenticate for Public API Websocket."""
+        if self._api_key is None:
+            raise NotAuthorized("API key is required for public API WebSocket")
+
+        return {"X-API-KEY": self._api_key}
+
     def _get_websocket(self) -> Websocket:
         """Gets or creates current Websocket."""
-        if self._websocket is None:
-            self._websocket = Websocket(
+        if self._private_websocket is None:
+            self._private_websocket = Websocket(
                 self._get_websocket_url,
                 self._auth_websocket,
                 self._update_bootstrap_soon,
@@ -285,7 +393,39 @@ class BaseApiClient:
                 timeout=self._ws_timeout,
                 receive_timeout=self._ws_receive_timeout,
             )
-        return self._websocket
+        return self._private_websocket
+
+    def _get_events_websocket(self) -> Websocket:
+        """Gets or creates current Events Websocket."""
+        if self._events_websocket is None:
+            self._events_websocket = Websocket(
+                lambda: self._events_ws_url,
+                self._auth_public_api_websocket,
+                lambda: None,
+                self.get_public_api_session,
+                self._process_events_ws_message,
+                self._on_events_websocket_state_change,
+                verify=self._verify_ssl,
+                timeout=self._ws_timeout,
+                receive_timeout=self._ws_receive_timeout,
+            )
+        return self._events_websocket
+
+    def _get_devices_websocket(self) -> Websocket:
+        """Gets or creates current Devices Websocket."""
+        if self._devices_websocket is None:
+            self._devices_websocket = Websocket(
+                lambda: self._devices_ws_url,
+                self._auth_public_api_websocket,
+                lambda: None,
+                self.get_public_api_session,
+                self._process_devices_ws_message,
+                self._on_devices_websocket_state_change,
+                verify=self._verify_ssl,
+                timeout=self._ws_timeout,
+                receive_timeout=self._ws_receive_timeout,
+            )
+        return self._devices_websocket
 
     def _update_bootstrap_soon(self) -> None:
         """Update bootstrap soon."""
@@ -304,6 +444,12 @@ class BaseApiClient:
             self._session = None
             self._loaded_session = False
 
+    async def close_public_api_session(self) -> None:
+        """Closing and deletes public API client session"""
+        if self._public_api_session is not None:
+            await self._public_api_session.close()
+            self._public_api_session = None
+
     async def _cancel_update_task(self) -> None:
         if self._update_task:
             self._update_task.cancel()
@@ -325,20 +471,29 @@ class BaseApiClient:
         url: str,
         require_auth: bool = False,
         auto_close: bool = True,
+        public_api: bool = False,
         **kwargs: Any,
     ) -> aiohttp.ClientResponse:
         """Make a request to UniFi Protect"""
-        if require_auth:
+        if require_auth and not public_api:
             await self.ensure_authenticated()
 
         request_url = self._url.join(
             URL(SplitResult("", "", url, "", ""), encoded=True)
         )
-        headers = kwargs.get("headers") or self.headers
+        headers = kwargs.get("headers") or self.headers or {}
+        if require_auth and public_api:
+            if self._api_key is None:
+                raise NotAuthorized("API key is required for public API requests")
+            headers = {"X-API-KEY": self._api_key}
         _LOGGER.debug("Request url: %s", request_url)
         if not self._verify_ssl:
             kwargs["ssl"] = False
-        session = await self.get_session()
+
+        if public_api:
+            session = await self.get_public_api_session()
+        else:
+            session = await self.get_session()
 
         for attempt in range(2):
             try:
@@ -390,19 +545,29 @@ class BaseApiClient:
         method: str = "get",
         require_auth: bool = True,
         raise_exception: bool = True,
+        api_path: str | None = None,
+        public_api: bool = False,
         **kwargs: Any,
     ) -> bytes | None:
-        """Make a request to UniFi Protect API"""
+        """Make a API request"""
+        path = self.private_api_path
+        if api_path is not None:
+            path = api_path
+        elif public_api:
+            path = self.public_api_path
+
         response = await self.request(
             method,
-            f"{self.api_path}{url}",
+            f"{path}{url}",
             require_auth=require_auth,
             auto_close=False,
+            public_api=public_api,
             **kwargs,
         )
 
         try:
-            if response.status != 200:
+            # Check for successful status codes (2xx range)
+            if not (200 <= response.status < 300):
                 await self._raise_for_status(response, raise_exception)
                 return None
 
@@ -425,16 +590,20 @@ class BaseApiClient:
         msg = "Request failed: %s - Status: %s - Reason: %s"
         status = response.status
 
+        # Success status codes (2xx) should not raise exceptions
+        if 200 <= status < 300:
+            return
+
         if raise_exception:
             if status in {
                 HTTPStatus.UNAUTHORIZED.value,
                 HTTPStatus.FORBIDDEN.value,
             }:
                 raise NotAuthorized(msg % (url, status, reason))
-            elif status == HTTPStatus.TOO_MANY_REQUESTS.value:
+            if status == HTTPStatus.TOO_MANY_REQUESTS.value:
                 _LOGGER.debug("Too many requests - Login is rate limited: %s", response)
                 raise NvrError(msg % (url, status, reason))
-            elif (
+            if (
                 status >= HTTPStatus.BAD_REQUEST.value
                 and status < HTTPStatus.INTERNAL_SERVER_ERROR.value
             ):
@@ -449,6 +618,8 @@ class BaseApiClient:
         method: str = "get",
         require_auth: bool = True,
         raise_exception: bool = True,
+        api_path: str | None = None,
+        public_api: bool = False,
         **kwargs: Any,
     ) -> list[Any] | dict[str, Any] | None:
         data = await self.api_request_raw(
@@ -456,6 +627,8 @@ class BaseApiClient:
             method=method,
             require_auth=require_auth,
             raise_exception=raise_exception,
+            api_path=api_path,
+            public_api=public_api,
             **kwargs,
         )
 
@@ -475,6 +648,7 @@ class BaseApiClient:
         method: str = "get",
         require_auth: bool = True,
         raise_exception: bool = True,
+        public_api: bool = False,
         **kwargs: Any,
     ) -> dict[str, Any]:
         data = await self.api_request(
@@ -482,6 +656,7 @@ class BaseApiClient:
             method=method,
             require_auth=require_auth,
             raise_exception=raise_exception,
+            public_api=public_api,
             **kwargs,
         )
 
@@ -496,6 +671,7 @@ class BaseApiClient:
         method: str = "get",
         require_auth: bool = True,
         raise_exception: bool = True,
+        public_api: bool = False,
         **kwargs: Any,
     ) -> list[Any]:
         data = await self.api_request(
@@ -503,6 +679,7 @@ class BaseApiClient:
             method=method,
             require_auth=require_auth,
             raise_exception=raise_exception,
+            public_api=public_api,
             **kwargs,
         )
 
@@ -541,8 +718,25 @@ class BaseApiClient:
             response = await self.request("post", url=url, json=auth)
             if response.status != 200:
                 await self._raise_for_status(response, True)
-            self.set_header("cookie", response.headers.get("set-cookie", ""))
+
+            csrf_token = response.headers.get("x-csrf-token")
+            if csrf_token:
+                self.set_header("x-csrf-token", csrf_token)
+
+            cookie_header = response.headers.get("set-cookie", "")
+            self.set_header("cookie", cookie_header)
             self._is_authenticated = True
+
+            # parse and store the cookie for session persistence
+            if self.store_sessions and cookie_header:
+                # extract cookie from header to save in session file
+                cookie = SimpleCookie(cookie_header)
+                if cookie:
+                    for cookie_obj in cookie.values():
+                        self._last_token_cookie = cookie_obj
+                        await self._update_auth_config(cookie_obj)
+                        break  # auth response only contains single cookie (TOKEN or UOS_TOKEN)
+
             _LOGGER.debug("Authenticated successfully!")
 
     async def _update_last_token_cookie(self, response: aiohttp.ClientResponse) -> None:
@@ -554,7 +748,6 @@ class BaseApiClient:
             and csrf_token != self.headers.get("x-csrf-token")
         ):
             self.set_header("x-csrf-token", csrf_token)
-            await self._update_last_token_cookie(response)
             self._update_cookiename(response.cookies)
 
         if (
@@ -610,6 +803,7 @@ class BaseApiClient:
 
     async def _read_auth_config(self) -> SimpleCookie | None:
         """Read auth cookie from config."""
+        config: dict[str, Any] = {}
         try:
             async with aiofiles.open(self.config_file, "rb") as f:
                 config_data = await f.read()
@@ -640,10 +834,16 @@ class BaseApiClient:
         cookie_value = _COOKIE_RE.sub("", str(cookie[cookie_name]))
         self._last_token_cookie = cookie[cookie_name]
         self._last_token_cookie_decode = None
+
+        # Only mark as authenticated if we have both cookie and CSRF token
+        csrf_token = session.get("csrf")
+        if not csrf_token:
+            _LOGGER.debug("Session found but missing CSRF token, will re-authenticate")
+            return None
+
         self._is_authenticated = True
         self.set_header("cookie", cookie_value)
-        if session.get("csrf"):
-            self.set_header("x-csrf-token", session["csrf"])
+        self.set_header("x-csrf-token", csrf_token)
         return cookie
 
     def is_authenticated(self) -> bool:
@@ -674,21 +874,90 @@ class BaseApiClient:
 
         return token_expires_at >= max_expire_time
 
+    async def clear_session(self) -> None:
+        """Clears stored session for this specific user/host combination."""
+        if not self.store_sessions:
+            return
+
+        config: dict[str, Any] = {}
+        session_hash = get_user_hash(str(self._url), self._username)
+        try:
+            async with aiofiles.open(self.config_file, "rb") as f:
+                config_data = await f.read()
+                if config_data:
+                    try:
+                        config = orjson.loads(config_data)
+                    except orjson.JSONDecodeError:
+                        _LOGGER.warning("Invalid config file, ignoring.")
+                        return
+        except FileNotFoundError:
+            return
+
+        if "sessions" in config and session_hash in config["sessions"]:
+            del config["sessions"][session_hash]
+
+            async with aiofiles.open(self.config_file, "wb") as f:
+                await f.write(orjson.dumps(config, option=orjson.OPT_INDENT_2))
+
+            _LOGGER.debug("Cleared session for %s", session_hash)
+
+            # Clear authentication state only when session was actually removed
+            self._is_authenticated = False
+            self._last_token_cookie = None
+            self._last_token_cookie_decode = None
+
+    async def clear_all_sessions(self) -> None:
+        """Clears all stored sessions from the config file."""
+        if not self.store_sessions:
+            return
+
+        try:
+            await aos.remove(self.config_file)
+        except FileNotFoundError:
+            # File already gone - either never existed or removed by another process
+            return
+
+        # If we get here, the file was successfully removed (no exception raised)
+        _LOGGER.debug("Cleared all sessions from config file")
+
+        # Clear authentication state only after successful deletion
+        self._is_authenticated = False
+        self._last_token_cookie = None
+        self._last_token_cookie_decode = None
+
     def _get_websocket_url(self) -> URL:
         """Get Websocket URL."""
         return self._ws_url_object
 
     async def async_disconnect_ws(self) -> None:
         """Disconnect from Websocket."""
-        if self._websocket:
+        if self._private_websocket:
             websocket = self._get_websocket()
             websocket.stop()
             await websocket.wait_closed()
-            self._websocket = None
+            self._private_websocket = None
+        if self._events_websocket:
+            events_websocket = self._get_events_websocket()
+            events_websocket.stop()
+            await events_websocket.wait_closed()
+            self._events_websocket = None
+        if self._devices_websocket:
+            devices_websocket = self._get_devices_websocket()
+            devices_websocket.stop()
+            await devices_websocket.wait_closed()
+            self._devices_websocket = None
 
     def _process_ws_message(self, msg: aiohttp.WSMessage) -> None:
         raise NotImplementedError
 
+    def _process_events_ws_message(self, msg: aiohttp.WSMessage) -> None:
+        """Process events websocket message - to be implemented by subclass."""
+        raise NotImplementedError
+
+    def _process_devices_ws_message(self, msg: aiohttp.WSMessage) -> None:
+        """Process devices websocket message - to be implemented by subclass."""
+        raise NotImplementedError
+
     def _get_last_update_id(self) -> str | None:
         raise NotImplementedError
 
@@ -699,6 +968,14 @@ class BaseApiClient:
         """Websocket state changed."""
         _LOGGER.debug("Websocket state changed: %s", state)
 
+    def _on_events_websocket_state_change(self, state: WebsocketState) -> None:
+        """Events websocket state changed."""
+        _LOGGER.debug("Events websocket state changed: %s", state)
+
+    def _on_devices_websocket_state_change(self, state: WebsocketState) -> None:
+        """Devices websocket state changed."""
+        _LOGGER.debug("Devices websocket state changed: %s", state)
+
 
 class ProtectApiClient(BaseApiClient):
     """
@@ -721,6 +998,7 @@ class ProtectApiClient(BaseApiClient):
         port: UFP HTTPS port
         username: UFP username
         password: UFP password
+        api_key: API key for UFP
         verify_ssl: Verify HTTPS certificate (default: `True`)
         session: Optional aiohttp session to use (default: generate one)
         override_connection_host: Use `host` as your `connection_host` for RTSP stream instead of using the one provided by UniFi Protect.
@@ -735,7 +1013,11 @@ class ProtectApiClient(BaseApiClient):
     _subscribed_models: set[ModelType]
     _ignore_stats: bool
     _ws_subscriptions: list[Callable[[WSSubscriptionMessage], None]]
+    _events_ws_subscriptions: list[Callable[[WSSubscriptionMessage], None]]
+    _devices_ws_subscriptions: list[Callable[[WSSubscriptionMessage], None]]
     _ws_state_subscriptions: list[Callable[[WebsocketState], None]]
+    _events_ws_state_subscriptions: list[Callable[[WebsocketState], None]]
+    _devices_ws_state_subscriptions: list[Callable[[WebsocketState], None]]
     _bootstrap: Bootstrap | None = None
     _last_update_dt: datetime | None = None
     _connection_host: IPv4Address | IPv6Address | str | None = None
@@ -748,8 +1030,10 @@ class ProtectApiClient(BaseApiClient):
         port: int,
         username: str,
         password: str,
+        api_key: str | None = None,
         verify_ssl: bool = True,
         session: aiohttp.ClientSession | None = None,
+        public_api_session: aiohttp.ClientSession | None = None,
         ws_timeout: int = 30,
         cache_dir: Path | None = None,
         config_dir: Path | None = None,
@@ -767,8 +1051,10 @@ class ProtectApiClient(BaseApiClient):
             port=port,
             username=username,
             password=password,
+            api_key=api_key,
             verify_ssl=verify_ssl,
             session=session,
+            public_api_session=public_api_session,
             ws_timeout=ws_timeout,
             ws_receive_timeout=ws_receive_timeout,
             cache_dir=cache_dir,
@@ -780,16 +1066,62 @@ class ProtectApiClient(BaseApiClient):
         self._subscribed_models = subscribed_models or set()
         self._ignore_stats = ignore_stats
         self._ws_subscriptions = []
+        self._events_ws_subscriptions = []
+        self._devices_ws_subscriptions = []
         self._ws_state_subscriptions = []
+        self._events_ws_state_subscriptions = []
+        self._devices_ws_state_subscriptions = []
         self.ignore_unadopted = ignore_unadopted
         self._update_lock = asyncio.Lock()
 
         if override_connection_host:
-            self._connection_host = ip_from_host(self._host)
+            self._connection_host = ip_address(self._host)
 
         if debug:
             set_debug()
 
+    def _set_connection_host_from_bootstrap(self) -> None:
+        """
+        Set connection host from bootstrap NVR hosts (sync).
+
+        NOTE: Must stay in sync with _async_set_connection_host_from_bootstrap().
+        Sync version for property getter, async version for update() method.
+        """
+        index = 0
+        try:
+            index = self.bootstrap.nvr.hosts.index(self._host)
+        except ValueError:
+            try:
+                host = ip_address(self._host)
+                with contextlib.suppress(ValueError):
+                    index = self.bootstrap.nvr.hosts.index(host)
+            except ValueError:
+                pass
+
+        self._connection_host = self.bootstrap.nvr.hosts[index]
+
+    async def _async_set_connection_host_from_bootstrap(
+        self,
+        bootstrap: Bootstrap,
+    ) -> None:
+        """
+        Set connection host from bootstrap NVR hosts (async).
+
+        NOTE: Must stay in sync with _set_connection_host_from_bootstrap().
+        Async version allows DNS resolution via ip_from_host().
+        """
+        index = 0
+        try:
+            index = bootstrap.nvr.hosts.index(self._host)
+        except ValueError:
+            try:
+                host_ip = await ip_from_host(self._host)
+                index = bootstrap.nvr.hosts.index(host_ip)
+            except ValueError:
+                pass
+
+        self._connection_host = bootstrap.nvr.hosts[index]
+
     @cached_property
     def bootstrap(self) -> Bootstrap:
         if self._bootstrap is None:
@@ -799,21 +1131,11 @@ class ProtectApiClient(BaseApiClient):
 
     @property
     def connection_host(self) -> IPv4Address | IPv6Address | str:
-        """Connection host to use for generating RTSP URLs"""
+        """Connection host to use for generating RTSP URLs."""
         if self._connection_host is None:
-            # fallback if cannot find user supplied host
-            index = 0
-            try:
-                # check if user supplied host is avaiable
-                index = self.bootstrap.nvr.hosts.index(self._host)
-            except ValueError:
-                # check if IP of user supplied host is avaiable
-                host = ip_from_host(self._host)
-                with contextlib.suppress(ValueError):
-                    index = self.bootstrap.nvr.hosts.index(host)
-
-            self._connection_host = self.bootstrap.nvr.hosts[index]
+            self._set_connection_host_from_bootstrap()
 
+        assert self._connection_host is not None
         return self._connection_host
 
     async def update(self) -> Bootstrap:
@@ -847,6 +1169,11 @@ class ProtectApiClient(BaseApiClient):
                 )
             self.__dict__.pop("bootstrap", None)
             self._bootstrap = bootstrap
+
+            # Set connection host if not set via override_connection_host
+            if self._connection_host is None:
+                await self._async_set_connection_host_from_bootstrap(bootstrap)
+
             return bootstrap
 
     async def poll_events(self) -> None:
@@ -888,6 +1215,62 @@ class ProtectApiClient(BaseApiClient):
             except Exception:
                 _LOGGER.exception("Exception while running subscription handler")
 
+    def emit_events_message(self, msg: WSSubscriptionMessage) -> None:
+        """Emit message to all events subscriptions."""
+        if _LOGGER.isEnabledFor(logging.DEBUG):
+            if msg.new_obj is not None:
+                _LOGGER.debug(
+                    "emitting events message: %s:%s:%s:%s",
+                    msg.action,
+                    msg.new_obj.model,
+                    msg.new_obj.id,
+                    list(msg.changed_data),
+                )
+            elif msg.old_obj is not None:
+                _LOGGER.debug(
+                    "emitting events message: %s:%s:%s",
+                    msg.action,
+                    msg.old_obj.model,
+                    msg.old_obj.id,
+                )
+            else:
+                _LOGGER.debug("emitting events message: %s", msg.action)
+
+        for sub in self._events_ws_subscriptions:
+            try:
+                sub(msg)
+            except Exception:
+                _LOGGER.exception("Exception while running events subscription handler")
+
+    def emit_devices_message(self, msg: WSSubscriptionMessage) -> None:
+        """Emit message to all devices subscriptions."""
+        if _LOGGER.isEnabledFor(logging.DEBUG):
+            if msg.new_obj is not None:
+                _LOGGER.debug(
+                    "emitting devices message: %s:%s:%s:%s",
+                    msg.action,
+                    msg.new_obj.model,
+                    msg.new_obj.id,
+                    list(msg.changed_data),
+                )
+            elif msg.old_obj is not None:
+                _LOGGER.debug(
+                    "emitting devices message: %s:%s:%s",
+                    msg.action,
+                    msg.old_obj.model,
+                    msg.old_obj.id,
+                )
+            else:
+                _LOGGER.debug("emitting devices message: %s", msg.action)
+
+        for sub in self._devices_ws_subscriptions:
+            try:
+                sub(msg)
+            except Exception:
+                _LOGGER.exception(
+                    "Exception while running devices subscription handler"
+                )
+
     def _get_last_update_id(self) -> str | None:
         if self._bootstrap is None:
             return None
@@ -905,7 +1288,111 @@ class ProtectApiClient(BaseApiClient):
 
         self.emit_message(processed_message)
 
-    async def _get_event_paginate(
+    def _process_events_ws_message(self, msg: aiohttp.WSMessage) -> None:
+        """Process events websocket message (Public API - JSON format)."""
+        if msg.type != aiohttp.WSMsgType.TEXT:
+            _LOGGER.debug("Ignoring non-text websocket message: %s", msg.type)
+            return
+
+        try:
+            data = orjson.loads(msg.data)
+            action_type = data.get("type")  # "update", "add", "remove"
+            item = data.get("item", {})
+            model_key = item.get("modelKey")
+
+            if not action_type or not model_key:
+                _LOGGER.debug("Invalid public API websocket message: %s", data)
+                return
+
+            # Create a WSSubscriptionMessage similar to private WS
+            model_type = ModelType.from_string(model_key)
+
+            if model_type is ModelType.UNKNOWN:
+                _LOGGER.debug("Unknown model type in public API message: %s", model_key)
+                return
+
+            # Create proper objects from the data
+            new_obj: ProtectModelWithId | None = None
+            old_obj: ProtectModelWithId | None = None
+            update_id = item.get("id", "")
+
+            if action_type in ("add", "update"):
+                try:
+                    new_obj = cast(
+                        ProtectModelWithId, create_from_unifi_dict(item, api=self)
+                    )
+                except Exception:
+                    _LOGGER.debug(
+                        "Could not create object from public API data: %s", item
+                    )
+
+            msg_obj = WSSubscriptionMessage(
+                action=WSAction(action_type),
+                new_update_id=update_id,
+                changed_data=item,
+                new_obj=new_obj,
+                old_obj=old_obj,
+            )
+
+            self.emit_events_message(msg_obj)
+        except Exception as e:
+            _LOGGER.exception(
+                "Error processing public API events websocket message: %s", e
+            )
+
+    def _process_devices_ws_message(self, msg: aiohttp.WSMessage) -> None:
+        """Process devices websocket message (Public API - JSON format)."""
+        if msg.type != aiohttp.WSMsgType.TEXT:
+            _LOGGER.debug("Ignoring non-text websocket message: %s", msg.type)
+            return
+
+        try:
+            data = orjson.loads(msg.data)
+            action_type = data.get("type")  # "update", "add", "remove"
+            item = data.get("item", {})
+            model_key = item.get("modelKey")
+
+            if not action_type or not model_key:
+                _LOGGER.debug("Invalid public API websocket message: %s", data)
+                return
+
+            # Create a WSSubscriptionMessage similar to private WS
+            model_type = ModelType.from_string(model_key)
+
+            if model_type is ModelType.UNKNOWN:
+                _LOGGER.debug("Unknown model type in public API message: %s", model_key)
+                return
+
+            # Create proper objects from the data
+            new_obj: ProtectModelWithId | None = None
+            old_obj: ProtectModelWithId | None = None
+            update_id = item.get("id", "")
+
+            if action_type in ("add", "update"):
+                try:
+                    new_obj = cast(
+                        ProtectModelWithId, create_from_unifi_dict(item, api=self)
+                    )
+                except Exception:
+                    _LOGGER.debug(
+                        "Could not create object from public API data: %s", item
+                    )
+
+            msg_obj = WSSubscriptionMessage(
+                action=WSAction(action_type),
+                new_update_id=update_id,
+                changed_data=item,
+                new_obj=new_obj,
+                old_obj=old_obj,
+            )
+
+            self.emit_devices_message(msg_obj)
+        except Exception as e:
+            _LOGGER.exception(
+                "Error processing public API devices websocket message: %s", e
+            )
+
+    async def _get_event_paginate(  # noqa: PLR0912
         self,
         params: dict[str, Any],
         *,
@@ -963,7 +1450,7 @@ class ProtectApiClient(BaseApiClient):
 
         return events
 
-    async def get_events_raw(
+    async def get_events_raw(  # noqa: PLR0912
         self,
         *,
         start: datetime | None = None,
@@ -1150,6 +1637,34 @@ class ProtectApiClient(BaseApiClient):
         self._get_websocket().start()
         return partial(self._unsubscribe_websocket, ws_callback)
 
+    def subscribe_events_websocket(
+        self,
+        ws_callback: Callable[[WSSubscriptionMessage], None],
+    ) -> Callable[[], None]:
+        """
+        Subscribe to events websocket events.
+
+        Returns a callback that will unsubscribe.
+        """
+        _LOGGER.debug("Adding events subscription: %s", ws_callback)
+        self._events_ws_subscriptions.append(ws_callback)
+        self._get_events_websocket().start()
+        return partial(self._unsubscribe_events_websocket, ws_callback)
+
+    def subscribe_devices_websocket(
+        self,
+        ws_callback: Callable[[WSSubscriptionMessage], None],
+    ) -> Callable[[], None]:
+        """
+        Subscribe to devices websocket events.
+
+        Returns a callback that will unsubscribe.
+        """
+        _LOGGER.debug("Adding devices subscription: %s", ws_callback)
+        self._devices_ws_subscriptions.append(ws_callback)
+        self._get_devices_websocket().start()
+        return partial(self._unsubscribe_devices_websocket, ws_callback)
+
     def _unsubscribe_websocket(
         self,
         ws_callback: Callable[[WSSubscriptionMessage], None],
@@ -1160,6 +1675,26 @@ class ProtectApiClient(BaseApiClient):
         if not self._ws_subscriptions:
             self._get_websocket().stop()
 
+    def _unsubscribe_events_websocket(
+        self,
+        ws_callback: Callable[[WSSubscriptionMessage], None],
+    ) -> None:
+        """Unsubscribe to events websocket events."""
+        _LOGGER.debug("Removing events subscription: %s", ws_callback)
+        self._events_ws_subscriptions.remove(ws_callback)
+        if not self._events_ws_subscriptions:
+            self._get_events_websocket().stop()
+
+    def _unsubscribe_devices_websocket(
+        self,
+        ws_callback: Callable[[WSSubscriptionMessage], None],
+    ) -> None:
+        """Unsubscribe to devices websocket events."""
+        _LOGGER.debug("Removing devices subscription: %s", ws_callback)
+        self._devices_ws_subscriptions.remove(ws_callback)
+        if not self._devices_ws_subscriptions:
+            self._get_devices_websocket().stop()
+
     def subscribe_websocket_state(
         self,
         ws_callback: Callable[[WebsocketState], None],
@@ -1172,6 +1707,30 @@ class ProtectApiClient(BaseApiClient):
         self._ws_state_subscriptions.append(ws_callback)
         return partial(self._unsubscribe_websocket_state, ws_callback)
 
+    def subscribe_events_websocket_state(
+        self,
+        ws_callback: Callable[[WebsocketState], None],
+    ) -> Callable[[], None]:
+        """
+        Subscribe to events websocket state changes.
+
+        Returns a callback that will unsubscribe.
+        """
+        self._events_ws_state_subscriptions.append(ws_callback)
+        return partial(self._unsubscribe_events_websocket_state, ws_callback)
+
+    def subscribe_devices_websocket_state(
+        self,
+        ws_callback: Callable[[WebsocketState], None],
+    ) -> Callable[[], None]:
+        """
+        Subscribe to devices websocket state changes.
+
+        Returns a callback that will unsubscribe.
+        """
+        self._devices_ws_state_subscriptions.append(ws_callback)
+        return partial(self._unsubscribe_devices_websocket_state, ws_callback)
+
     def _unsubscribe_websocket_state(
         self,
         ws_callback: Callable[[WebsocketState], None],
@@ -1179,6 +1738,20 @@ class ProtectApiClient(BaseApiClient):
         """Unsubscribe to websocket state changes."""
         self._ws_state_subscriptions.remove(ws_callback)
 
+    def _unsubscribe_events_websocket_state(
+        self,
+        ws_callback: Callable[[WebsocketState], None],
+    ) -> None:
+        """Unsubscribe to events websocket state changes."""
+        self._events_ws_state_subscriptions.remove(ws_callback)
+
+    def _unsubscribe_devices_websocket_state(
+        self,
+        ws_callback: Callable[[WebsocketState], None],
+    ) -> None:
+        """Unsubscribe to devices websocket state changes."""
+        self._devices_ws_state_subscriptions.remove(ws_callback)
+
     def _on_websocket_state_change(self, state: WebsocketState) -> None:
         """Websocket state changed."""
         super()._on_websocket_state_change(state)
@@ -1188,6 +1761,26 @@ class ProtectApiClient(BaseApiClient):
             except Exception:
                 _LOGGER.exception("Exception while running websocket state handler")
 
+    def _on_events_websocket_state_change(self, state: WebsocketState) -> None:
+        """Events Websocket state changed."""
+        for sub in self._events_ws_state_subscriptions:
+            try:
+                sub(state)
+            except Exception:
+                _LOGGER.exception(
+                    "Exception while running events websocket state handler"
+                )
+
+    def _on_devices_websocket_state_change(self, state: WebsocketState) -> None:
+        """Devices Websocket state changed."""
+        for sub in self._devices_ws_state_subscriptions:
+            try:
+                sub(state)
+            except Exception:
+                _LOGGER.exception(
+                    "Exception while running devices websocket state handler"
+                )
+
     async def get_bootstrap(self) -> Bootstrap:
         """
         Gets bootstrap object from UFP instance
@@ -1238,6 +1831,10 @@ class ProtectApiClient(BaseApiClient):
         Gets the list of lights straight from the NVR.
 
         The websocket is connected and running, you likely just want to use `self.bootstrap.lights`
+
+        .. deprecated::
+            Use :meth:`get_lights_public` instead. This method uses the private API
+            and will be removed in a future version.
         """
         return cast(list[Light], await self.get_devices(ModelType.LIGHT, Light))
 
@@ -1364,6 +1961,10 @@ class ProtectApiClient(BaseApiClient):
         Gets a light straight from the NVR.
 
         The websocket is connected and running, you likely just want to use `self.bootstrap.lights[device_id]`
+
+        .. deprecated::
+            Use :meth:`get_light_public` instead. This method uses the private API
+            and will be removed in a future version.
         """
         return cast(Light, await self.get_device(ModelType.LIGHT, device_id, Light))
 
@@ -1465,6 +2066,96 @@ class ProtectApiClient(BaseApiClient):
             raise_exception=False,
         )
 
+    async def get_public_api_camera_snapshot(
+        self,
+        camera_id: str,
+        high_quality: bool = False,
+    ) -> bytes | None:
+        """Gets snapshot for a camera using public api."""
+        return await self.api_request_raw(
+            public_api=True,
+            raise_exception=False,
+            url=f"/v1/cameras/{camera_id}/snapshot",
+            params={"highQuality": pybool_to_json_bool(high_quality)},
+        )
+
+    async def create_camera_rtsps_streams(
+        self,
+        camera_id: str,
+        qualities: list[str] | str,
+    ) -> RTSPSStreams | None:
+        """Creates RTSPS streams for a camera using public API."""
+        if isinstance(qualities, str):
+            qualities = [qualities]
+
+        data = {"qualities": qualities}
+        response = await self.api_request_raw(
+            public_api=True,
+            url=f"/v1/cameras/{camera_id}/rtsps-stream",
+            method="POST",
+            json=data,
+        )
+
+        if response is None:
+            return None
+
+        try:
+            response_json = orjson.loads(response)
+            return RTSPSStreams(**response_json)
+        except (orjson.JSONDecodeError, TypeError) as ex:
+            _LOGGER.error(
+                "Could not decode JSON response for create RTSPS streams (camera %s): %s",
+                camera_id,
+                ex,
+            )
+            return None
+
+    async def get_camera_rtsps_streams(
+        self,
+        camera_id: str,
+    ) -> RTSPSStreams | None:
+        """Gets existing RTSPS streams for a camera using public API."""
+        response = await self.api_request_raw(
+            public_api=True,
+            url=f"/v1/cameras/{camera_id}/rtsps-stream",
+            method="GET",
+        )
+
+        if response is None:
+            return None
+
+        try:
+            response_json = orjson.loads(response)
+            return RTSPSStreams(**response_json)
+        except (orjson.JSONDecodeError, TypeError) as ex:
+            _LOGGER.error(
+                "Could not decode JSON response for get RTSPS streams (camera %s): %s",
+                camera_id,
+                ex,
+            )
+            return None
+
+    async def delete_camera_rtsps_streams(
+        self,
+        camera_id: str,
+        qualities: list[str] | str,
+    ) -> bool:
+        """Deletes RTSPS streams for a camera using public API."""
+        if isinstance(qualities, str):
+            qualities = [qualities]
+
+        # Build query parameters for qualities
+        params = [("qualities", quality) for quality in qualities]
+
+        response = await self.api_request_raw(
+            public_api=True,
+            url=f"/v1/cameras/{camera_id}/rtsps-stream",
+            method="DELETE",
+            params=params,
+        )
+
+        return response is not None
+
     async def get_package_camera_snapshot(
         self,
         camera_id: str,
@@ -1578,13 +2269,19 @@ class ProtectApiClient(BaseApiClient):
                 raise_exception=False,
             )
 
+        _LOGGER.debug(
+            "Requesting camera video: %s%s %s", self.private_api_path, path, params
+        )
         r = await self.request(
             "get",
-            f"{self.api_path}{path}",
+            f"{self.private_api_path}{path}",
             auto_close=False,
             timeout=0,
             params=params,
         )
+        if r.status != 200:
+            await self._raise_for_status(r, True)
+
         if output_file is not None:
             async with aiofiles.open(output_file, "wb") as output:
 
@@ -1838,7 +2535,13 @@ class ProtectApiClient(BaseApiClient):
     async def set_light_is_led_force_on(
         self, device_id: str, is_led_force_on: bool
     ) -> None:
-        """Sets isLedForceOn for light."""  # workaround because forceOn doesnt work via websocket
+        """
+        Sets isLedForceOn for light.
+
+        .. deprecated::
+            Use :meth:`update_light_public` instead. This method uses the private API
+            and will be removed in a future version.
+        """
         await self.api_request(
             f"lights/{device_id}",
             method="patch",
@@ -1878,17 +2581,6 @@ class ProtectApiClient(BaseApiClient):
 
         return versions
 
-    async def get_release_versions(self) -> set[Version]:
-        """Get all release versions for UniFi Protect"""
-        versions: set[Version] = set()
-        for url in PROTECT_APT_URLS:
-            try:
-                versions |= await self._get_versions_from_api(url)
-            except NvrError:
-                _LOGGER.warning("Failed to retrieve release versions from online.")
-
-        return versions
-
     async def relative_move_ptz_camera(
         self,
         device_id: str,
@@ -2034,3 +2726,138 @@ class ProtectApiClient(BaseApiClient):
             method="post",
         )
         return PTZPreset(**preset)
+
+    async def create_api_key(self, name: str) -> str:
+        """Create an API key with the given name and return the full API key."""
+        if not name:
+            raise BadRequest("API key name cannot be empty")
+
+        response = await self.api_request(
+            api_path="/proxy/users/api/v2",
+            url="/user/self/keys",
+            method="post",
+            json={"name": name},
+        )
+
+        if (
+            not isinstance(response, dict)
+            or "data" not in response
+            or not isinstance(response["data"], dict)
+            or "full_api_key" not in response["data"]
+        ):
+            raise BadRequest("Failed to create API key")
+
+        return response["data"]["full_api_key"]
+
+    def set_api_key(self, api_key: str) -> None:
+        """Set the API key for the NVR."""
+        if not api_key:
+            raise BadRequest("API key cannot be empty")
+
+        self._api_key = api_key
+
+    def is_api_key_set(self) -> bool:
+        """Check if the API key is set."""
+        return bool(self._api_key)
+
+    async def get_meta_info(self) -> MetaInfo:
+        """Get metadata about the NVR."""
+        data = await self.api_request(
+            url="/v1/meta/info",
+            public_api=True,
+        )
+        if not isinstance(data, dict):
+            raise NvrError("Failed to retrieve meta info from public API")
+        return MetaInfo(**data)
+
+    # Public API Methods
+
+    async def get_nvr_public(self) -> NVR:
+        """Get NVR information using public API."""
+        data = await self.api_request_obj(url="/v1/nvrs", public_api=True)
+        return NVR.from_unifi_dict(**data, api=self)
+
+    async def get_lights_public(self) -> list[Light]:
+        """Get all lights using public API."""
+        data = await self.api_request_list(url="/v1/lights", public_api=True)
+        return [Light.from_unifi_dict(**light_data, api=self) for light_data in data]
+
+    async def get_light_public(self, light_id: str) -> Light:
+        """Get a specific light using public API."""
+        data = await self.api_request_obj(url=f"/v1/lights/{light_id}", public_api=True)
+        return Light.from_unifi_dict(**data, api=self)
+
+    async def update_light_public(
+        self,
+        light_id: str,
+        *,
+        name: str | None = None,
+        is_light_force_enabled: bool | None = None,
+        light_mode_settings: LightModeSettings | None = None,
+        light_device_settings: LightDeviceSettings | None = None,
+    ) -> Light:
+        """
+        Update light settings using public API.
+
+        Args:
+        ----
+            light_id: The light's ID
+            name: Light name
+            is_light_force_enabled: Force enable the light
+            light_mode_settings: Light mode settings (mode, enable_at)
+            light_device_settings: Light device settings (LED level, PIR settings, etc.)
+
+        Returns:
+        -------
+            Updated Light object
+
+        Raises:
+        ------
+            BadRequest: If no parameters are provided
+
+        """
+        data: LightPatchRequest = {}
+        if name is not None:
+            data["name"] = name
+        if is_light_force_enabled is not None:
+            data["isLightForceEnabled"] = is_light_force_enabled
+        if light_mode_settings is not None:
+            data["lightModeSettings"] = light_mode_settings.unifi_dict()
+        if light_device_settings is not None:
+            # luxSensitivity may come from Private API but is not settable - filter it out
+            device_dict = light_device_settings.unifi_dict()
+            device_dict.pop("luxSensitivity", None)
+            data["lightDeviceSettings"] = device_dict
+
+        if not data:
+            raise BadRequest("At least one parameter must be provided")
+
+        result = await self.api_request_obj(
+            url=f"/v1/lights/{light_id}",
+            method="patch",
+            json=data,
+            public_api=True,
+        )
+        return Light.from_unifi_dict(**result, api=self)
+
+    async def get_cameras_public(self) -> list[Camera]:
+        """Get all cameras using public API."""
+        data = await self.api_request_list(url="/v1/cameras", public_api=True)
+        return [Camera.from_unifi_dict(**camera_data, api=self) for camera_data in data]
+
+    async def get_camera_public(self, camera_id: str) -> Camera:
+        """Get a specific camera using public API."""
+        data = await self.api_request_obj(
+            url=f"/v1/cameras/{camera_id}", public_api=True
+        )
+        return Camera.from_unifi_dict(**data, api=self)
+
+    async def get_chimes_public(self) -> list[Chime]:
+        """Get all chimes using public API."""
+        data = await self.api_request_list(url="/v1/chimes", public_api=True)
+        return [Chime.from_unifi_dict(**chime_data, api=self) for chime_data in data]
+
+    async def get_chime_public(self, chime_id: str) -> Chime:
+        """Get a specific chime using public API."""
+        data = await self.api_request_obj(url=f"/v1/chimes/{chime_id}", public_api=True)
+        return Chime.from_unifi_dict(**data, api=self)