/config/www/tapo_control

[dm82m]

Hey @JurajNyiri ,

Just a short question: as the named folder is exposed without any authentication I just want to know why tapo_control integration is having files at this place?

best
Dirk

[JurajNyiri]

When viewing a recording through HA, the file itself needs to be accessible via browser, therefore it is put there. However, it is being considered a hot storage and there are a few security failsafes in place:

1. File is put there only when requested to be played, it is moved from cold storage which is not accessible from browser.
2. File is removed after 2 hours.
3. File name is random-ish and impossible to guess / bruteforce due to lacking data in order to generate the hash by attacker and length.
4. HA does not do directory listings on www folder.

[dm82m]

Thanks for clarification!

[dm82m]

Maybe an improvement idea: usage of media_source. So the tapo integration can register a media_source and access to it is only possible through already authorized session.

[JurajNyiri]

Interesting, would have to look into it. Not sure when, but feel free to open PR or feature request with details please.